There are many great features available to you once you register at Neowin, including:

  • Richer content, access to many features that are disabled for guests like commenting on the front page
  • Access to a great community, with a massive database of experience on hard & software issues, gaming and recreational activities, and more
  • Access to the Neowin IRC - you could make a friend from across the world and talk to them live
  • Access to Neowin contests & subscription offers and forums that are not open to guests/li>
  • It's simple, and FREE! · Register here

What kind of Active Directory Permissions can I give


 Share

Recommended Posts

Dear All,

 

My developers are asking that I give them rights to AD to create users but I don't want to give them Domain Admin rights.  

 

Do you know of a way in local server environment for Active Directory that I can give to my developers that won't give them too many rights but just to be able to do the following to specific OU / Security Group?

 

Here is the following permissions that they need

 

1. Create User

2. Delete User

3. Update User

Link to comment
Share on other sites

AD allows you to delegate quite granular permissions. The way I'd do it is create a small OU structure for the developers (if this is just for test accounts) unless they need access to the main user base, and delegate the required permissions for the OUs to a group, then add the devs to that group. Never delegate directly to users as that's how you start losing your view of who has what permissions. For general day to day use, everyone including the top sysadmin should be using a normal user account and elevate every administrative task with their own secondary admin account. I would also personally abandon use of domain admin and enterprise admin groups for all but the top admins, always delegate the necessary control and add more permisisons as required. Implement a good RBAC structure.

 

Right click the highest level of OU you wish to assign then click 'Delegate Control'. The rest is pretty well explained and easy for anyone with experience.

Edited by SouthGate
Link to comment
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
 Share