Yes, split all those up.

Thanks,
Brian Desmond
br...@briandesmond.com

w - 312.625.1438 | c   - 312.731.3132

From: David Lum [mailto:david....@nwea.org]
Sent: Tuesday, January 10, 2012 11:47 AM
To: NT System Admin Issues
Subject: RE: Related to my Domain Admin thread

Cool. I already have some AD groups created for some of these kinds of things. 
Some need to be able to create user and workstation accounts. Does it make 
sense to have two different groups? One for creating machine and another for 
user? Don't think I'll have a situation where anyone would need one capability 
but not another, but that doesn't mean it won't happen.

The other thing I see is they want local admin access to servers in case 
there's some hardware/software issue. I have that handled via restricted groups 
for the Service Desk team, but what SEs get me with is "what if it's a DC?". 
Same for being able to do a file restore.

Dave

From: Brian Desmond [mailto:br...@briandesmond.com]
Sent: Tuesday, January 10, 2012 8:55 AM
To: NT System Admin Issues
Subject: RE: Related to my Domain Admin thread

Yes, best practice is not to use them. They have all sorts of little bits of 
extra access floating around in weird places, and they cause adminSDHolder to 
apply to accounts that probably shouldn't be covered. Do the legwork and 
delegate exactly what you need to groups - even better, do it in logical 
groupings of access (e.g. reset password, account unlock, update personal info, 
etc.), and then you can just add people to groups when they need the access.

Thanks,
Brian Desmond
br...@briandesmond.com

w - 312.625.1438 | c   - 312.731.3132
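
The per-task delegation described in the message above, and the user/computer split asked about in the reply to it, sketched as an added example that is not part of the original thread. The domain, OU and group names are hypothetical, and the attributes chosen for "personal info" are an assumption.

```powershell
# Added example. Hypothetical names: domain CORP, the two OUs, the Role-* groups.
# The groups must already exist. dsacls.exe is available on DCs and with RSAT.
$UserOU     = 'OU=Staff,DC=corp,DC=example'
$ComputerOU = 'OU=Workstations,DC=corp,DC=example'

# One group per task. Scope 'S' = child objects only, 'T' = this OU and its children.
$Delegations = @(
    # Reset Password extended right, plus pwdLastSet for "must change at next logon"
    @{ Group = 'CORP\Role-ResetPassword'; OU = $UserOU; Scope = 'S'
       Aces  = 'CA;Reset Password;user', 'RPWP;pwdLastSet;user' }
    # Unlocking an account is a write to lockoutTime
    @{ Group = 'CORP\Role-UnlockAccount'; OU = $UserOU; Scope = 'S'
       Aces  = 'RPWP;lockoutTime;user' }
    # "Personal info" narrowed here to two attributes (assumed selection)
    @{ Group = 'CORP\Role-UpdatePersonalInfo'; OU = $UserOU; Scope = 'S'
       Aces  = 'RPWP;telephoneNumber;user', 'RPWP;mobile;user' }
    # Creating users and creating computers kept as separate groups
    @{ Group = 'CORP\Role-CreateUsers'; OU = $UserOU; Scope = 'T'
       Aces  = 'CCDC;user' }
    @{ Group = 'CORP\Role-CreateComputers'; OU = $ComputerOU; Scope = 'T'
       Aces  = 'CCDC;computer' }
)

function Get-DelegationCommand {
    param([hashtable[]]$Delegation)
    foreach ($d in $Delegation) {
        foreach ($ace in $d.Aces) {
            # dsacls <DN> /I:<scope> /G <trustee>:<rights>;<property or class>[;<class>]
            , @($d.OU, "/I:$($d.Scope)", '/G', "$($d.Group):$ace")
        }
    }
}

$Apply = $false   # leave $false to review the commands before changing any ACL
foreach ($cmd in Get-DelegationCommand $Delegations) {
    if ($Apply) {
        & dsacls.exe @cmd
    } else {
        'dsacls ' + (($cmd | ForEach-Object { '"{0}"' -f $_ }) -join ' ')
    }
}
```

With `$Apply` left at `$false` the script only prints the dsacls command lines, so the ACEs can be reviewed against the OU before anything is written.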

From: Michael B. Smith [mailto:mich...@smithcons.com]
Sent: Tuesday, January 10, 2012 10:47 AM
To: NT System Admin Issues
Subject: RE: Related to my Domain Admin thread

Theoretically, built-in groups are historical in nature (i.e., carryovers from 
NT4.0 and previous) and should not be used going forward.

All of their capabilities are reproducible via delegation and GPOs and User 
Rights Assignments.

But I don't think they are going anywhere. Brian Desmond may have more insight 
than I do on this topic.

Regards,

Michael B. Smith
Consultant and Exchange MVP
http://TheEssentialExchange.com

From: David Lum [mailto:david....@nwea.org]
Sent: Tuesday, January 10, 2012 10:06 AM
To: NT System Admin Issues
Subject: Related to my Domain Admin thread

Best practice to not add users to a builtin group?

"Account Operators: By default, this built-in group has no members. It can 
create and manage users and groups in the domain, but it cannot manage service 
administrator accounts. As a best practice, do not add members to this group, 
and do not use it for any delegated administration".

http://technet.microsoft.com/en-us/library/cc700835.aspx
David Lum
Systems Engineer // NWEA™
Office 503.548.5229 // Cell (voice/text) 503.267.9764


~ Finally, powerful endpoint security that ISN'T a resource hog! ~
~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/>  ~

---
To manage subscriptions click here: 
http://lyris.sunbelt-software.com/read/my_forums/
or send an email to 
listmana...@lyris.sunbeltsoftware.com
with the body: unsubscribe ntsysadmin
