
AD Permission Assistance Needed

1K views 3 replies 2 participants last post by  jimscreechy 
#1 ·
My work is starting to perform a separation of duties. In other words, those that work on one system are only going to need the ability to view the users in the Win 2012 AD and not have the ability to add, change, delete or reset passwords. They still need to have domain rights to be able to install software and perform other tasks, just not anything to do with the users.

We've tried creating a security group for the users, added them to it and tried to set the security on the OU to only allow them the ability to view the users. They were still able to reset the password on a test account.

I've tried using delegate to control what they can do in the OU but they were still able to change the password. I can remove the user from the Domain Admin group but then they cannot perform the other tasks as needed.

The only option that I can see is to split the domain admin group up and create a Windows Admin group and assign it the same way as the Domain Admin group and create a separate group for the Linux admins to do the tasks as needed in the Windows environment.

Is there something that I am missing or is my only option the one that I should be following?

Thanks in advance for the help and/or information.
#2 ·
If you are delegating control within the domain, your users should not be members of the Domain Admins group. The purpose of delegation is to give users administrative abilities over certain aspects of your organisation without having to assign them Domain Admin rights.
 
#3 ·
That I know, and what we are trying to do is split the current domain admins into two separate groups. My manager wants to control the Linux admins by denying access to the users OU for their admin group without removing them from the Domain Admins group. Everything I have seen and done with AD tells me that I need to remove them from the Domain Admins group and delegate what the Linux admin group can do rather than try to control it by deny permissions.

What I found is that no matter what permissions I give the Linux admin group, the admins are able to change a user's password as long as they are in the Domain Admins group.

I do know that Windows works by applying the most restrictive permissions to get a job done but I think the domain admin group overrides any restrictions set but I cannot find anything that will substantiate that.
 
#4 ·
ERm, ok. I don't think you can do that. To be honest, I've never heard anyone try to deny domain admins access to anything. They really are the people to whom you turn for absolute access to your security. If you don't want them to have access to something, for whatever reason, then they probably should not be in the Domain Admins group. I would be tempted to create a separate group called Linux admins with a separate set of rights... or use delegation.
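A way to carry out what the replies recommend (a separate group with delegated read-only rights instead of deny ACEs on Domain Admins), as an added example that is not code from any poster in this thread. It assumes the RSAT ActiveDirectory module, a group named 'Linux Admins' and the OU distinguished name 'OU=Users,DC=corp,DC=example'; those names are placeholders.

```powershell
# Added example (not from the thread). Placeholders: group name and OU DN.
Import-Module ActiveDirectory

$GroupName = 'Linux Admins'
$OuDn      = 'OU=Users,DC=corp,DC=example'

# 1. The delegation only holds if the group is not in Domain Admins, directly or nested.
$daMembers    = Get-ADGroupMember -Identity 'Domain Admins' -Recursive | Select-Object -ExpandProperty SamAccountName
$groupMembers = Get-ADGroupMember -Identity $GroupName -Recursive       | Select-Object -ExpandProperty SamAccountName
$overlap = $groupMembers | Where-Object { $daMembers -contains $_ }
if ($overlap) {
    Write-Warning "Still in Domain Admins, OU permissions will not restrict them: $($overlap -join ', ')"
}

# 2. Grant read-only (GenericRead) on user objects under the OU.
$sid      = (Get-ADGroup -Identity $GroupName).SID
$userGuid = [guid]'bf967aba-0de6-11d0-a285-00aa003049e2'   # schemaIDGUID of the 'user' object class
$rights   = [System.DirectoryServices.ActiveDirectoryRights]::GenericRead
$allow    = [System.Security.AccessControl.AccessControlType]::Allow
$inherit  = [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents

$acl  = Get-Acl -Path "AD:\$OuDn"
$rule = New-Object -TypeName System.DirectoryServices.ActiveDirectoryAccessRule `
                   -ArgumentList $sid, $rights, $allow, $inherit, $userGuid
$acl.AddAccessRule($rule)
Set-Acl -Path "AD:\$OuDn" -AclObject $acl

# 3. Verify nothing on the OU still grants the group the 'Reset Password' extended right.
$resetPwGuid = [guid]'00299570-246d-11d0-a768-00aa006e0529'   # User-Force-Change-Password
$leftover = (Get-Acl -Path "AD:\$OuDn").Access | Where-Object {
    $_.IdentityReference -like "*\$GroupName" -and
    $_.AccessControlType -eq 'Allow' -and
    $_.ObjectType -eq $resetPwGuid
}
if ($leftover) { Write-Warning "Group still has Reset Password on $OuDn" }
else           { Write-Output  "OK: $GroupName has read-only access to users in $OuDn" }
```

Run the membership check again after the change; a password reset on a test account by a member of the group should now fail.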
 