One member of our security team has requested to be made a
member of the Domain Admins and Exchange Admins group. I
see this as being a risk with his past experiences.

How can I give him rights to create domain user and
exchange mailboxes without giving him rights to the groups
above?

I know you feel for me when I say I can live with giving
him access to create accounts but not actually being able
to restart a server or look at someone else's email.

Any assistance is appreciated....

RE: Domain Admin and Exchange Admin Group by cedric

cedric
Tue Oct 05 06:03:03 CDT 2004

"Olsen" wrote:

> One member of our security team has requested to be made a
> member of the Domain Admins and Exchange Admins group. I
> see this as being a risk with his past experiences.
>
> How can I give him rights to create domain user and
> exchange mailboxes without giving him rights to the groups
> above?
>
> I know you feel for me when I say I can live with giving
> him access to create accounts but not actually being able
> to restart a server or look at someone else's email.
>
> Any assistance is appreciated....
>

You could delegate control to that person on domain level and give him the
rights of whatever you want:

Go to AD Users and Computers
right click (on your DC) and click on delegate control
click next
enter the user object of that person
click next
click radio button: Create a custom task to delegate
click next
click radio button: Only the following objects in the folder
click on the objects that you want the user to have rights to create and/or delete
enable: Create selected objects in this folder and delete selected objects
in this folder (if you want him to create and delete objects)
Do this for every object you want him to create or delete

when done selecting objects click next
give him the right permissions you want him to have
click next
click finish

you're done!
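The wizard steps above can also be done as a script, which makes the grant reviewable and repeatable. The following is an added example and is not code from the thread or from either poster: it scopes the delegation to a single OU rather than the domain root, grants exactly "create and delete user objects" plus control over the user objects beneath that OU, reads the resulting ACEs back, and then confirms the delegated account is not a member of the privileged groups the original poster wanted to avoid. It assumes Windows PowerShell 5 or later with the ActiveDirectory RSAT module and an account allowed to change the OU's security descriptor; `seceng01` and `OU=Staff,DC=example,DC=com` are placeholders. The Exchange mailbox side of the request is a separate permission model and is not covered here.

```powershell
# Added example, not from the thread: scripted equivalent of the "Delegate Control"
# wizard, limited to one OU and to objects of class 'user', followed by verification.
Import-Module ActiveDirectory

$DelegateSam = 'seceng01'                     # placeholder: account receiving the delegation
$TargetOu    = 'OU=Staff,DC=example,DC=com'   # placeholder: grant on one OU, never the domain root

# ACEs are stored by SID, so resolve the account first (this throws if it does not exist).
$delegate = Get-ADUser -Identity $DelegateSam
$sid      = $delegate.SID

# Look up the schemaIDGUID of the 'user' class at runtime instead of hard-coding it;
# this GUID is what restricts the ACE to user objects and nothing else.
$schemaNc  = (Get-ADRootDSE).schemaNamingContext
$userClass = Get-ADObject -SearchBase $schemaNc -LDAPFilter '(lDAPDisplayName=user)' -Properties schemaIDGUID
$userGuid  = [guid]$userClass.schemaIDGUID

$allow = [System.Security.AccessControl.AccessControlType]::Allow

# ACE 1: "Create selected objects in this folder and delete selected objects in this
# folder", for the user class only, on this OU and any sub-OU.
$createDelete = [System.DirectoryServices.ActiveDirectoryAccessRule]::new(
    $sid,
    [System.DirectoryServices.ActiveDirectoryRights]'CreateChild, DeleteChild',
    $allow,
    $userGuid,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All)

# ACE 2: full control over the user objects that end up under this OU, so the delegate
# can set passwords and attributes on the accounts he creates. This is the broad form of
# "give him the right permissions"; tighten it to specific property sets if needed.
$manageUsers = [System.DirectoryServices.ActiveDirectoryAccessRule]::new(
    $sid,
    [System.DirectoryServices.ActiveDirectoryRights]::GenericAll,
    $allow,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents,
    $userGuid)

# Apply both ACEs to the OU's security descriptor via the AD: drive the module provides.
$acl = Get-Acl -Path "AD:\$TargetOu"
$acl.AddAccessRule($createDelete)
$acl.AddAccessRule($manageUsers)
Set-Acl -Path "AD:\$TargetOu" -AclObject $acl

# Verification 1: read the ACL back and list only what this account was granted.
(Get-Acl -Path "AD:\$TargetOu").Access |
    Where-Object { $_.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]) -eq $sid } |
    Format-Table IdentityReference, ActiveDirectoryRights, ObjectType, InheritedObjectType, InheritanceType -AutoSize

# Verification 2: the point of delegating is that the account is NOT in these groups.
# -Recursive catches membership through nested groups, not just direct membership.
foreach ($group in 'Domain Admins', 'Enterprise Admins', 'Administrators') {
    $hit = Get-ADGroupMember -Identity $group -Recursive | Where-Object { $_.SID -eq $sid }
    if ($hit) { Write-Warning "$DelegateSam is a member of '$group' (directly or via nesting)" }
    else      { Write-Host    "$DelegateSam is not a member of '$group'" }
}
```

Run it once from an elevated administrative workstation, keep the output of the two verification steps with the change record, and re-run only the verification part periodically: a later "temporary" addition to Domain Admins is exactly the drift the original poster is worried about.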


RE: Domain Admin and Exchange Admin Group by Olsen

Olsen
Tue Oct 05 07:35:11 CDT 2004

>-----Original Message-----
>"Olsen" wrote:
>
>> One member of our security team has requested to be made a
>> member of the Domain Admins and Exchange Admins group. I
>> see this as being a risk with his past experiences.
>>
>> How can I give him rights to create domain user and
>> exchange mailboxes without giving him rights to the groups
>> above?
>>
>> I know you feel for me when I say I can live with giving
>> him access to create accounts but not actually being able
>> to restart a server or look at someone else's email.
>>
>> Any assistance is appreciated....
>>
>
>You could delegate control to that person on domain level and give him the
>rights of whatever you want:
>
>Go to AD Users and Computers
>right click (on your DC) and click on delegate control
>click next
>enter the user object of that person
>click next
>click radio button: Create a custom task to delegate
>click next
>click radio button: Only the following objects in the folder
>click on the objects that you want the user to have rights to create and/or delete
>enable: Create selected objects in this folder and delete selected objects
>in this folder (if you want him to create and delete objects)
>Do this for every object you want him to create or delete
>
>when done selecting objects click next
>give him the right permissions you want him to have
>click next
>click finish
>
>you're done!
>
How about in a WINDOWS NT4.0 Domain?

(havent migrated yet)

Re: Domain Admin and Exchange Admin Group by Joe

Joe
Tue Oct 05 19:03:24 CDT 2004

The only people who should get that access are people whose job it is to perform
those functions daily. If a security guy came to me and told me he needed it, I
would say very unnice things about him. It is the worst thing you can do for
security.

Since you are NT4, if this person has to have it and management backs him, you
have no choice but to do it, or to create a website that can do the work on his
behalf through a proxy. Though I wouldn't give Domain Admin, I would give Account
Operator with the Exchange admin.



--
Joe Richards Microsoft MVP Windows Server Directory Services
www.joeware.net



Olsen wrote:
> One member of our security team has requested to be made a
> member of the Domain Admins and Exchange Admins group. I
> see this as being a risk with his past experiences.
>
> How can I give him rights to create domain user and
> exchange mailboxes without giving him rights to the groups
> above?
>
> I know you feel for me when I say I can live with giving
> him access to create accounts but not actually being able
> to restart a server or look at someone else's email.
>
> Any assistance is appreciated....