I've been asked to stir up the hornets' nest....

Via the means of removing a current domain admin's access rights and only very specific tasks available to them...

Before this is rolled out to the user in question I have to make sure that various tasks such as adding PCs to the domain, managing users in Active Directory, etc. aren't affected.

I've got the file access area covered quite well so that they can read and/or write to specific places going by the security groups I've got them in, but now I'm at the point where I need to lock down Active Directory so that they can manage users, maybe computers (not sure on that yet), but certainly not manage things like the Domain Admins group.

I've only ever done an all-or-none setup with this before, so I need guidance here. The other problem I've got is that I need them to have a small amount of access to Group Policy. Is it possible to give specific Group Policy access rights... for example, not being able to change policies but being able to read them and change who they apply to?

Thanks for any help with this, though I'm dreading the reaction when it's implemented.
 
One word of caution. There isn't an un-delegate wizard; be very careful what changes you make, as they can take some time to rectify if something goes wrong.

Thank you for the warning. Is there a planning/testing feature for this at all?
 
Yes, it's called a lab :D

If you don't have a lab, apply it to a test OU at least. You can see that all the wizard is really doing is changing the ACL on the target object.
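
Added example (not part of the original thread): since the wizard only changes the ACL on the target object and there is no un-delegate wizard, one way to test on an OU is to save its explicit ACEs beforehand and list what the wizard added afterwards. The function names, the OU distinguished name and the CSV path are assumptions for illustration.

```powershell
# Added example, not from the thread. Requires the RSAT ActiveDirectory module.
Import-Module ActiveDirectory

$props = 'Identity','Rights','Type','ObjectType','InheritedObjectType','Inheritance'

function Get-ExplicitAce {
    param([Parameter(Mandatory)][string]$DistinguishedName)
    # Explicit (non-inherited) ACEs only: a delegation is written on the target object itself.
    (Get-Acl -Path "AD:\$DistinguishedName").Access |
        Where-Object { -not $_.IsInherited } |
        Select-Object @{n='Identity';e={$_.IdentityReference.Value}},
            @{n='Rights';e={$_.ActiveDirectoryRights.ToString()}},
            @{n='Type';e={$_.AccessControlType.ToString()}},
            @{n='ObjectType';e={$_.ObjectType.ToString()}},   # GUID of attribute, class or extended right
            @{n='InheritedObjectType';e={$_.InheritedObjectType.ToString()}},
            @{n='Inheritance';e={$_.InheritanceType.ToString()}}
}

function Save-AclBaseline {
    param([string]$DistinguishedName, [string]$Path)
    Get-ExplicitAce $DistinguishedName | Export-Csv -Path $Path -NoTypeInformation
}

function Get-AclAddition {
    param([string]$DistinguishedName, [string]$Path)
    $before = @(Import-Csv -Path $Path)
    $after  = @(Get-ExplicitAce $DistinguishedName)
    # Compare-Object rejects empty input, so handle empty sides explicitly.
    if ($after.Count -eq 0)  { return }
    if ($before.Count -eq 0) { return $after }
    Compare-Object $before $after -Property $props |
        Where-Object SideIndicator -eq '=>' |
        Select-Object $props
}

# Placeholder values (assumptions): substitute your own test OU and file path.
$ou = 'OU=DelegationTest,DC=example,DC=local'
# Save-AclBaseline -DistinguishedName $ou -Path .\ou-acl-before.csv   # run BEFORE the wizard
# Get-AclAddition  -DistinguishedName $ou -Path .\ou-acl-before.csv   # run AFTER the wizard
```

The rows returned by the second call are the entries that would have to be removed from the OU's Security tab to undo the delegation.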

The mere idea of having a lab in this place is laughable :p Having the time or even server space (or even the physical space) would be a nice luxury that I have no chance of.

EDIT: actually I do have an old HP DL320 G5 I could put ESXi on, but it's so time consuming I'm not sure I'd have time to do it all :(
 