What kind of Active Directory Permissions can I give



Dear All,

 

My developers are asking that I give them rights to AD to create users, but I don't want to give them Domain Admin rights.

Do you know of a way in a local server environment for Active Directory that I can give to my developers that won't give them too many rights, but just to be able to do the following to a specific OU / Security Group?

Here are the following permissions that they need:

1. Create User
2. Delete User
3. Update User


AD allows you to delegate quite granular permissions. The way I'd do it is create a small OU structure for the developers (if this is just for test accounts), unless they need access to the main user base, and delegate the required permissions for the OUs to a group, then add the devs to that group. Never delegate directly to users, as that's how you start losing your view of who has what permissions. For general day-to-day use, everyone, including the top sysadmin, should be using a normal user account and elevate every administrative task with their own secondary admin account. I would also personally abandon use of domain admin and enterprise admin groups for all but the top admins; always delegate the necessary control and add more permissions as required. Implement a good RBAC structure.

 

Right-click the highest level of OU you wish to assign, then click 'Delegate Control'. The rest is pretty well explained and easy for anyone with experience.

Edited by SouthGate
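
The delegation described in this thread (create, delete and update users in one OU, granted to a group) can also be scripted so the resulting ACEs are explicit and reviewable. The PowerShell below is an added example, not part of either post; the OU distinguished name and group name are placeholders, and it assumes the ActiveDirectory module (RSAT) is installed and that the OU and group already exist.

```powershell
# Added example: names below are placeholders, not values from the thread.
Import-Module ActiveDirectory

$ouDn  = 'OU=DevTest,DC=example,DC=com'   # assumed OU for developer-managed accounts
$group = 'DevTest-UserAdmins'             # assumed delegation group; devs are members

# schemaIDGUID of the 'user' object class; scopes each ACE to user objects only
$userClass = [guid]'bf967aba-0de6-11d0-a285-00aa003049e2'

$sid   = (Get-ADGroup -Identity $group).SID
$allow = [System.Security.AccessControl.AccessControlType]::Allow

# 1 + 2: create and delete user objects in this OU and any sub-OUs
$createDelete = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $sid,
    [System.DirectoryServices.ActiveDirectoryRights]'CreateChild, DeleteChild',
    $allow,
    $userClass,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All)

# 3: read and write properties on user objects beneath the OU
$update = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $sid,
    [System.DirectoryServices.ActiveDirectoryRights]'ReadProperty, WriteProperty',
    $allow,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents,
    $userClass)

# Append both ACEs to the OU's existing DACL and write it back
$acl = Get-Acl -Path "AD:\$ouDn"
$acl.AddAccessRule($createDelete)
$acl.AddAccessRule($update)
Set-Acl -Path "AD:\$ouDn" -AclObject $acl

# Review what the group now holds on the OU
(Get-Acl -Path "AD:\$ouDn").Access |
    Where-Object { $_.IdentityReference -like "*\$group" } |
    Format-Table ActiveDirectoryRights, ObjectType, InheritedObjectType, InheritanceType
```

The third ACE covers property reads and writes only; extended rights such as password reset are not granted by it. Re-running the final pipeline periodically shows whether the group's rights on the OU have grown beyond these two entries.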