How to block Domain Admin Accounts deletion by Account Operators

Guest

I'd like to delegate the routine of account administration to other users. I
added them to the Account Operators group. It is running fine... they can't
change the Domain Admin accounts. But they can delete them! Is it possible to
also forbid the deletion of Domain Admin accounts by Account Operators?
 
To expand upon this:
You would usually select an OU that your jr. admins would manage and then use
the Delegate Control wizard to give a security group (that way, as users
come and go, you can just change membership without having to rerun the wizard)
the level of access you want them to have.

http://www.microsoft.com/downloads/...a3-79e1-48fa-9730-dae7c0a1d6d3&DisplayLang=en

http://support.microsoft.com/default.aspx?scid=kb;en-us;315676

Taskpad
http://www.petri.co.il/create_taskpads_for_ad_operations.htm

--
Paul Bergson
MCT, MCSE, MCSA, Security+, BS CSi
2003, 2000 (Early Achiever), NT

http://www.pbbergs.com

Please no e-mails, any questions should be posted in the NewsGroup
This posting is provided "AS IS" with no warranties, and confers no rights.
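An added example of the OU-scoped delegation Paul describes, done with the ActiveDirectory module instead of the wizard so the resulting ACEs are explicit. This is not code from the thread or from any of the posters. The OU name, the group name and the attribute list are assumptions; the group is assumed to exist already. The point it makes: deleting an object is authorised by "Delete" on the object itself or "Delete Child" on its parent container, and AdminSDHolder only stamps the protected account's own ACL, not the parent OU's. Account Operators holds Delete Child on every OU by default, which is why it can delete a Domain Admin it cannot otherwise modify. A custom group that is granted only Reset Password and a few WriteProperty rights on descendant user objects never receives a delete right at all.

```powershell
# Added example, not from the thread. Replaces Account Operators membership with an
# explicit ACL on one OU for a custom group. The OU, group and attribute list are
# assumptions for illustration; adjust them to your directory.
Import-Module ActiveDirectory

$ou        = 'OU=Staff,DC=example,DC=com'   # assumed OU the helpdesk manages
$groupName = 'Helpdesk-UserAdmins'           # assumed delegation group (must already exist)
$rootDse   = Get-ADRootDSE

# Resolve schema and extended-right GUIDs at run time instead of hard-coding them.
function Get-SchemaGuid {
    param([Parameter(Mandatory)][string]$LdapDisplayName)
    $o = Get-ADObject -SearchBase $rootDse.schemaNamingContext `
        -LDAPFilter "(lDAPDisplayName=$LdapDisplayName)" -Properties schemaIDGUID
    if (-not $o) { throw "schema object '$LdapDisplayName' not found" }
    [guid]$o.schemaIDGUID          # schemaIDGUID is stored as a byte[]
}
function Get-ExtendedRightGuid {
    param([Parameter(Mandatory)][string]$DisplayName)
    $o = Get-ADObject -SearchBase "CN=Extended-Rights,$($rootDse.configurationNamingContext)" `
        -LDAPFilter "(&(objectClass=controlAccessRight)(displayName=$DisplayName))" -Properties rightsGuid
    if (-not $o) { throw "extended right '$DisplayName' not found" }
    [guid]$o.rightsGuid            # rightsGuid is stored as a string
}

$userClass   = Get-SchemaGuid 'user'
$resetPwd    = Get-ExtendedRightGuid 'Reset Password'
$sid         = (Get-ADGroup -Identity $groupName).SID
$descendants = [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents  # .NET's spelling
$allow       = [System.Security.AccessControl.AccessControlType]::Allow

$acl = Get-Acl -Path "AD:\$ou"

# 1. Reset Password on user objects below the OU (inherited, user class only, not the OU itself).
$acl.AddAccessRule([System.DirectoryServices.ActiveDirectoryAccessRule]::new(
    $sid, [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight, $allow,
    $resetPwd, $descendants, $userClass))

# 2. Write a short list of attributes on those users. Writing lockoutTime is what an
#    "unlock account" needs; the others are routine contact-data fields (assumed list).
foreach ($attr in 'lockoutTime', 'telephoneNumber', 'description', 'physicalDeliveryOfficeName') {
    $acl.AddAccessRule([System.DirectoryServices.ActiveDirectoryAccessRule]::new(
        $sid, [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty, $allow,
        (Get-SchemaGuid $attr), $descendants, $userClass))
}

# Deliberately absent: Delete, DeleteChild, DeleteTree, GenericAll, WriteDacl, WriteOwner.
# Deletion is authorised by Delete on the object or Delete Child on the parent OU;
# AdminSDHolder protects a Domain Admin's own ACL but not the parent's, which is
# why Account Operators (Delete Child on every OU) can remove protected accounts.
Set-Acl -Path "AD:\$ou" -AclObject $acl

# Verify: show what the group now holds on the OU and fail if anything destructive crept in.
$dangerous = [System.DirectoryServices.ActiveDirectoryRights]'Delete, DeleteChild, DeleteTree, GenericAll, WriteDacl, WriteOwner'
$granted = (Get-Acl -Path "AD:\$ou").Access |
    Where-Object { $_.IdentityReference.Value -like "*\$groupName" }
$granted | Format-Table IdentityReference, ActiveDirectoryRights, ObjectType, InheritedObjectType -AutoSize
$bad = $granted | Where-Object { ($_.ActiveDirectoryRights -band $dangerous) -ne 0 }
if ($bad) { throw "destructive rights found for $groupName on $ou" }

# Finally, the delegated staff come out of Account Operators:
# Remove-ADGroupMember -Identity 'Account Operators' -Members <user> -Confirm:$false
```

Run it as a domain admin against a test OU first. The verification step at the end is the check worth keeping around: re-run it after anyone touches the OU with the wizard, since the wizard's "Create, delete, and manage user accounts" task grants exactly the Delete Child right this example avoids.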

"Jorge de Almeida Pinto [MVP - DS]"
 
Almir said:
I'd like to delegate the routine of account administration to other
users. I added them to the Account Operators group. It is running
fine... they can't change the Domain Admin accounts. But they can
delete them! Is it possible to also forbid the deletion of Domain
Admin accounts by Account Operators?

Hi Almir,

You can create a task-based delegation module that doesn't rely on built-in
delegation of security principals, with the User Management Resource
Administrator. This lets you create an easy method for delegating certain
operations to your help desk, and not worrying about "extra" operations that
are part of that privileged level, such as what you are describing.

The UMRA lets you create graphical forms connected to powerful visual
scripts that can automate or streamline virtually any type of network
operation, dealing with Active Directory or other LDAP directories. We can
create/edit/delete user accounts, contacts, groups, computers, QBDGs,
Exchange boxes, and lots of other objects all with simple, graphical drag &
drop script actions.

How many delegated users are you working with?

Thanks,

Dave Denmark,
MCSE+I, MCDBA
www.advtoolware.com
 