Personally, I see the Account Operators group as going far beyond the principle of least privilege. I simply have not run across a helpdesk that actually requires the privileges on a scale that the built-in Account Operators group provides. Most helpdesk personnel will do the majority of their account related work through joining computers to the domain, reset computer accounts, reset user passwords, and unlock user accounts.
On top of that, if you've arranged your OU structure so user accounts and computer accounts are split up in a meaningful manner, then more than likely the helpdesk personnel only need rights to do their limited tasks (that I stated above) in only a few OUs. Account Operators pretty much gives blanket full control to all user and computer accounts in all OUs and that just seems overboard to me. Not to mention (with default settings) members of the Account Operators group have the ability to log on locally to Domain Controllers, which I would expect is probably something most helpdesk personnel should not be doing. Anyway, what I'm trying to say is that I much prefer to work at giving people the permissions they need to do their job and nothing more (or as close to nothing as possible). I've found that user error is the most likely type of issue to arise, and when you limit the rights of users to only what they need, you end up significantly reducing your own workload by preventing major issues from occurring in the first place.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Michael Miller
Sent: Friday, December 22, 2006 7:39 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Delegate Password Resets

I put the user accounts of the helpdesk personnel in the built-in group, Account Operators. This is precisely why I think that group exists.

-mjm

Salandra, Justin A. wrote:
>
> I wanted to find out from all of you what ways you have delegated
> password reset functions to your helpdesks. We have a product that
> does this but it is continually having problems and want to know if
> there are any other ways.
>
> Justin A. Salandra
> MCSE Windows 2000 and 2003
> Network and Technology Services Manager
> Catholic Health Care System
> 646.505.3681
> cell 917.455.0110
> [EMAIL PROTECTED] <mailto:[EMAIL PROTECTED]>

List info : http://www.activedir.org/List.aspx
List FAQ : http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir@mail.activedir.org/
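The OU-scoped alternative to Account Operators that the reply at the top of this thread argues for, as an added PowerShell example that is not part of the thread: it grants a helpdesk group only the Reset Password extended right, write access to lockoutTime (unlock) and to pwdLastSet (force change at next logon) on user objects under a single OU, and then lists the resulting ACEs for review. The OU distinguished name and group name are placeholders, and it assumes the RSAT ActiveDirectory module (for the AD: drive) and an account allowed to modify that OU's security descriptor; object GUIDs are resolved from the schema rather than hardcoded.

```powershell
Import-Module ActiveDirectory

# Resolve the schemaIDGUID of a class/attribute, or the rightsGuid of an
# extended right, from the directory itself (no hardcoded GUIDs).
function Get-AdGuid {
    param([string]$Name, [switch]$ExtendedRight)
    $root = Get-ADRootDSE
    if ($ExtendedRight) {
        $obj = Get-ADObject -SearchBase $root.configurationNamingContext `
            -LDAPFilter "(&(objectClass=controlAccessRight)(displayName=$Name))" `
            -Properties rightsGuid
        return [guid]$obj.rightsGuid
    }
    $obj = Get-ADObject -SearchBase $root.schemaNamingContext `
        -LDAPFilter "(lDAPDisplayName=$Name)" -Properties schemaIDGUID
    return [guid]::new([byte[]]$obj.schemaIDGUID)
}

# Grant the minimal password-support rights on user objects below one OU.
function Grant-HelpdeskPasswordRights {
    param([string]$OuDn, [string]$GroupSam)
    $sid       = (Get-ADGroup -Identity $GroupSam).SID
    $userClass = Get-AdGuid 'user'                         # inheritedObjectType: users only
    $resetPwd  = Get-AdGuid 'Reset Password' -ExtendedRight
    $inherit   = [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents
    $acl       = Get-Acl -Path "AD:\$OuDn"

    # Reset Password: extended right, inherited only by descendant user objects
    $acl.AddAccessRule([System.DirectoryServices.ActiveDirectoryAccessRule]::new(
        $sid, 'ExtendedRight', 'Allow', $resetPwd, $inherit, $userClass))

    # Unlock account (lockoutTime) and "must change at next logon" (pwdLastSet)
    foreach ($attrName in 'lockoutTime', 'pwdLastSet') {
        $attr = Get-AdGuid $attrName
        $acl.AddAccessRule([System.DirectoryServices.ActiveDirectoryAccessRule]::new(
            $sid, 'ReadProperty, WriteProperty', 'Allow', $attr, $inherit, $userClass))
    }
    Set-Acl -Path "AD:\$OuDn" -AclObject $acl
}

# Review step: show exactly which ACEs the group now holds on the OU.
function Get-HelpdeskAces {
    param([string]$OuDn, [string]$GroupSam)
    $sid = (Get-ADGroup -Identity $GroupSam).SID
    (Get-Acl -Path "AD:\$OuDn").Access |
        Where-Object { $_.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]) -eq $sid } |
        Select-Object ActiveDirectoryRights, ObjectType, InheritedObjectType, InheritanceType
}

# Placeholder values: replace with your own OU and helpdesk group.
Grant-HelpdeskPasswordRights -OuDn 'OU=Staff,DC=example,DC=com' -GroupSam 'Helpdesk-PasswordReset'
Get-HelpdeskAces -OuDn 'OU=Staff,DC=example,DC=com' -GroupSam 'Helpdesk-PasswordReset'
```

Because the ACEs are scoped to one OU and to user objects only, the group gets none of the blanket control over every user and computer account, nor the log-on-locally right on Domain Controllers, that Account Operators carries by default.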