Configure management of OU [message #368631] Thu, 14 January 2010 20:24
Masao Garcia (Junior Member, Messages: 6, Registered: January 2010)
I have a new 2003 AD implementation and I had a question about OU management.
I'd like to create a "VIP" OU where only two administrator accounts would be
able to manage the users and computers in that OU. The rest of the IT admins
would be able to manage any other users and computers. My question is, how
do you implement that security? Is it basically just going into the VIP OU's
Security tab and adding/removing the appropriate users/groups and setting the
right permissions? Thanks.
Re: Configure management of OU [message #368733 is a reply to message #368631] Fri, 15 January 2010 00:43
meiweb, Germany (Senior Member, Messages: 2225, Registered: September 2009)
Hello Masao,

If you talk about admins, do you mean domain admins? Then you can't; any
domain administrator is able to undo all changes, because they are an admin,
an admin, an admin...

To achieve what you like, use the "delegate control wizard" with domain user
accounts on that OU.

Best regards

Meinolf Weber
Disclaimer: This posting is provided "AS IS" with no warranties, and confers
no rights.
** Please do NOT email, only reply to Newsgroups
** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm


Re: Configure management of OU [message #368880 is a reply to message #368631] Fri, 15 January 2010 06:38
pbbergs, United States (Senior Member, Messages: 1024, Registered: July 2009)
You didn't really elaborate. If there are more than two domain admins and
you want to exclude them, you can do it, but since they are domain admins
they can just add the permissions they need to gain access back to the OUs.
The type of secure control you need is to remove all but two users as
domain admins and go back and grant the others fine-grained permissions via
the Delegation of Control wizard. It sounds like your problem is you have
too many domain admins and you need to take control of your environment.

--
Paul Bergson
MVP - Directory Services
MCTS, MCT, MCSE, MCSA, Security+, BS CSci
2008, 2003, 2000 (Early Achiever), NT4
Microsoft's Thrive IT Pro of the Month - June 2009

http://www.pbbergs.com

Please no e-mails, any questions should be posted in the NewsGroup This
posting is provided "AS IS" with no warranties, and confers no rights.
Re: Configure management of OU [message #368890 is a reply to message #368733] Fri, 15 January 2010 06:52
Masao Garcia (Junior Member, Messages: 6, Registered: January 2010)
Sorry, I mean admins in the sense of IT helpdesk personnel. What I was
planning on doing is creating a Helpdesk security group that would be able to
manage the non-VIP users and computers OU. Is it possible to grant certain
administrative privileges to a security group? For example, I would like the
Helpdesk group to be able to join computers to the domain, but not be in the
Domain Admins group. If that is possible, then I take it I would not have to
tweak the VIP OU at all and do as you said and use the delegate control
wizard to allow the Helpdesk group to manage the non-VIP OU, correct?
Re: Configure management of OU [message #368981 is a reply to message #368890] Fri, 15 January 2010 08:55
pbbergs, United States (Senior Member, Messages: 1024, Registered: July 2009)
Yes, what you request is doable and the recommended solution. Don't make
them admins.

Jorge has a great article on taskpads and delegation
http://blogs.dirteam.com/blogs/jorge/archive/2006/01/05/369.aspx
Re: Configure management of OU [message #369007 is a reply to message #368880] Fri, 15 January 2010 09:16
Masao Garcia (Junior Member, Messages: 6, Registered: January 2010)
Sorry, to be more specific:

There are 4 employees in the IT department. Only 1 employee should have
access to both the VIP OU and the other OUs. I've read it's bad practice
to have only one admin account for an OU in case the account gets locked, so
I figured the 1 user would have his own domain admin account and the
administrator account as a backup. The other 3 IT employees should be able
to manage everything else except for anything in the VIP OU (technically, I
would like the 3 to be able to ONLY unlock a user account in the VIP OU, if
that's possible. But if not, I can live with no access, period.)
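The delegation this thread converges on (a Helpdesk group that manages the non-VIP OU and can join computers to the domain, but can only unlock accounts in the VIP OU), written as an added example with the ActiveDirectory PowerShell module rather than the Delegation of Control wizard. This is not code from any poster; the domain DN, the OU names "Staff" and "VIP" and the group name "Helpdesk" are placeholders.

```powershell
# Added example, not from any post in this thread: the delegation the thread
# arrives at, written as ACEs with the ActiveDirectory module instead of the
# Delegation of Control wizard. Placeholders: domain DC=corp,DC=example, OUs
# "Staff" (non-VIP) and "VIP", security group "Helpdesk". Run it as the one
# account that stays in Domain Admins (or any account with Modify Permissions
# on both OUs).
Import-Module ActiveDirectory

$rootDse  = Get-ADRootDSE
$staffOu  = 'OU=Staff,DC=corp,DC=example'
$vipOu    = 'OU=VIP,DC=corp,DC=example'
$helpdesk = (Get-ADGroup 'Helpdesk').SID          # SecurityIdentifier

$R     = [System.DirectoryServices.ActiveDirectoryRights]
$Allow = [System.Security.AccessControl.AccessControlType]::Allow
$Inh   = [System.DirectoryServices.ActiveDirectorySecurityInheritance]

# Resolve schemaIDGUIDs from the schema partition rather than hard-coding
# them; an ACE names object classes and attributes by these GUIDs.
function Get-SchemaGuid([string]$ldapDisplayName) {
    $obj = Get-ADObject -SearchBase $rootDse.schemaNamingContext `
        -LDAPFilter "(lDAPDisplayName=$ldapDisplayName)" -Properties schemaIDGUID
    [guid]$obj.schemaIDGUID
}
$userClass     = Get-SchemaGuid 'user'
$computerClass = Get-SchemaGuid 'computer'
$lockoutTime   = Get-SchemaGuid 'lockoutTime'

# Build an Allow ACE for the Helpdesk group. Guid.Empty (the default) for
# ObjectType means "all properties/child classes"; for InheritedObjectType
# it means "all object classes".
function New-HelpdeskAce {
    param($Rights, [guid]$ObjectType, $Inheritance, [guid]$InheritedObjectType)
    New-Object System.DirectoryServices.ActiveDirectoryAccessRule -ArgumentList `
        $helpdesk, $Rights, $Allow, $ObjectType, $Inheritance, $InheritedObjectType
}

function Add-OuAces([string]$ouDn, $aces) {
    $acl = Get-Acl -Path "AD:\$ouDn"
    foreach ($ace in $aces) { $acl.AddAccessRule($ace) }
    Set-Acl -Path "AD:\$ouDn" -AclObject $acl
}

# Non-VIP OU: full control over user and computer objects under the OU, and
# create/delete computer objects on the OU itself (what joining a machine to
# the domain into this OU needs).
Add-OuAces $staffOu @(
    (New-HelpdeskAce -Rights $R::GenericAll -Inheritance $Inh::Descendents `
        -InheritedObjectType $userClass),
    (New-HelpdeskAce -Rights $R::GenericAll -Inheritance $Inh::Descendents `
        -InheritedObjectType $computerClass),
    (New-HelpdeskAce -Rights ($R::CreateChild -bor $R::DeleteChild) `
        -ObjectType $computerClass -Inheritance $Inh::All)
)

# VIP OU: unlock only. Unlocking an account writes lockoutTime, so grant
# read/write on that one attribute of user objects and nothing more (no
# Reset Password, no write to group membership).
Add-OuAces $vipOu @(
    (New-HelpdeskAce -Rights ($R::ReadProperty -bor $R::WriteProperty) `
        -ObjectType $lockoutTime -Inheritance $Inh::Descendents `
        -InheritedObjectType $userClass)
)

# Check: list the explicit (non-inherited) ACEs on an OU so the VIP OU can be
# reviewed for anything beyond the lockoutTime grant. None of this restrains
# Domain Admins, who, as the thread says, can always take permissions back.
function Get-OuDelegations([string]$ouDn) {
    (Get-Acl -Path "AD:\$ouDn").Access |
        Where-Object { -not $_.IsInherited } |
        Select-Object IdentityReference, ActiveDirectoryRights, AccessControlType,
                      ObjectType, InheritedObjectType, InheritanceType
}
Get-OuDelegations $vipOu | Format-Table -AutoSize
```

Run Get-OuDelegations against every OU the Helpdesk group should not reach; any explicit ACE for that group outside the two intended OUs is a delegation drift worth reviewing.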
Re: Configure management of OU [message #369335 is a reply to message #368981] Fri, 15 January 2010 15:13
Masao Garcia (Junior Member, Messages: 6, Registered: January 2010)
Thank you for the link. I was able to set up my OUs and ACLs how I wanted by
forking out from that article.
Re: Configure management of OU [message #369553 is a reply to message #369335] Sat, 16 January 2010 02:08
meiweb, Germany (Senior Member, Messages: 2225, Registered: September 2009)
Hello Masao,

Nice to hear that the article helps you. Basically I would have posted that
also; I like the descriptions Jorge put inside it, which make it easy to
understand and work with.

Best regards

Meinolf Weber
Re: Configure management of OU [message #370353 is a reply to message #369007] Sun, 17 January 2010 12:05
Jorge Silva (Senior Member, Messages: 398, Registered: July 2009)
Hi
Google it... Lots and lots of info on delegation of permissions; here's
some:
http://www.windowsecurity.com/articles/Implementing-Active-Directory-Delegation-Administration.html
http://support.microsoft.com/kb/262399
http://support.microsoft.com/kb/294952
http://support.microsoft.com/kb/279723


--

I hope that the information above helps you.
Have a Nice day.

Jorge Silva
MVP Directory Services

Please no e-mails, any questions should be posted in the NewsGroup
This posting is provided "AS IS" with no warranties, and confers no rights.
Re: Configure management of OU [message #370758 is a reply to message #369007] Mon, 18 January 2010 06:11
pbbergs, United States (Senior Member, Messages: 1024, Registered: July 2009)
As long as you have two admin accounts, I wouldn't worry about how many
delegated accounts you have. Domain Admins can reset anything anywhere,
even if they are secured out of an area, since they can retake any restricted
permissions.