Active Directory
Gleb86898964, 2021-02-21 09:28:12

Different levels of administration?

It is necessary to separate the rights and duties of administrators. There is a main account, the domain administrator, who has all the rights in the domain, and the rest have only certain ones.
By device:
The terminal server administrator has full access to the terminal server and can configure it and install programs there. But at the same time, he does not have the ability to administer the AD domain and change anything there. The local machine administrator has full rights only on his PC. He cannot configure the domain or set up servers.
By group:
The administrator of group1 can modify the data of users of group2 and cannot modify the data of all other users.

How to set it up like that? How to create accounts with different administrator rights?


2 answer(s)
Vladimir Korotenko, 2021-02-21
@firedragon

This typical AD task is called delegation. Take a book to prepare for the BP administration and planning exam.

Alexey Dmitriev, 2021-02-21
@SignFinder

The standard approach is to write down the requirements, create a structure of security groups with different rights and a clear structure of their names, descriptions and location in AD (the latter in order to exclude unauthorized addition to these groups).
Then delegate the necessary rights to each group.
Well, then just add administrator accounts to groups.
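
The steps in the answer above, sketched in PowerShell as an added example (not code from either poster). It covers the two cases from the question: a per-device administrator and a per-group administrator, with the latter narrowed to password reset and unlock. The domain `corp.example` (NetBIOS `CORP`), the OU and group names, the server `TS01` and the account names are all hypothetical.

```powershell
# Added example: every name below (corp.example, CORP, OUs, groups, TS01, accounts) is hypothetical.
Import-Module ActiveDirectory

$domainDn = 'DC=corp,DC=example'
$adminOu  = "OU=Admin Groups,$domainDn"   # location of the role groups
$group2Ou = "OU=Group2 Users,$domainDn"   # existing OU with the users that group1 admins manage

# 1. Dedicated OU for the role groups. Delegate nothing on this OU, so the role
#    admins created below get no right to change the membership of these groups.
New-ADOrganizationalUnit -Name 'Admin Groups' -Path $domainDn -ProtectedFromAccidentalDeletion $true

# 2. Role groups: clear naming scheme plus a description of what each one grants.
$roles = [ordered]@{
    'ROLE-TS01-LocalAdmin'  = 'Local administrator on terminal server TS01 only'
    'ROLE-Group2-PwdReset'  = 'Reset password / unlock users in OU "Group2 Users" only'
}
foreach ($name in $roles.Keys) {
    New-ADGroup -Name $name -GroupScope Global -GroupCategory Security `
                -Path $adminOu -Description $roles[$name]
}

# 3a. Delegation by device: full control of one server, no rights in the domain.
Invoke-Command -ComputerName 'TS01' -ScriptBlock {
    Add-LocalGroupMember -Group 'Administrators' -Member 'CORP\ROLE-TS01-LocalAdmin'
}

# 3b. Delegation by group: rights on user objects below one OU only.
#     /I:S applies the entry to child objects; the trailing "user" limits it to user objects.
dsacls $group2Ou /I:S /G 'CORP\ROLE-Group2-PwdReset:CA;Reset Password;user'
dsacls $group2Ou /I:S /G 'CORP\ROLE-Group2-PwdReset:WP;pwdLastSet;user'   # force change at next logon
dsacls $group2Ou /I:S /G 'CORP\ROLE-Group2-PwdReset:WP;lockoutTime;user'  # unlock account

# 4. Add the administrators' accounts to the role groups.
Add-ADGroupMember -Identity 'ROLE-TS01-LocalAdmin' -Members 'adm.ts.petrov'
Add-ADGroupMember -Identity 'ROLE-Group2-PwdReset' -Members 'adm.g1.ivanov'

# 5. Review the result: who holds each role, and what the OU ACL now grants.
foreach ($name in $roles.Keys) {
    Get-ADGroupMember -Identity $name | Select-Object @{n='Role';e={$name}}, SamAccountName
}
dsacls $group2Ou | Select-String 'ROLE-Group2-PwdReset'
```

Which rights go into step 3b depends on the written requirements; the three entries here are one narrow set, and none of the role groups is a member of Domain Admins.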
