My work is starting to perform a separation of duties. In other words, those that work on one system are only going to need the ability to view the users in the Win 2012 AD and not have the ability to add, change, delete or reset passwords. They still need to have domain rights to be able to install software and perform other tasks, just not anything to do with the users.
We've tried creating a security group for the users, added them to it and tried to set the security on the OU to only allow them the ability to view the users. They were still able to reset the password on a test account.
I've tried using delegate to control what they can do in the OU but they were still able to change the password. I can remove the user from the Domain Admin group but then they cannot perform the other tasks as needed.
The only option that I can see is to split the domain admin group up and create a Windows Admin group and assign it the same way as the Domain Admin group and create a separate group for the Linux admins to do the tasks as needed in the Windows environment.
Is there something that I am missing or is my only option the one that I should be following?
Thanks in advance for the help and/or information.