User Permissions
billybob01
Member Posts: 504
in Off-Topic
I want to restrict a couple of my users. They both at the moment have Domain Admin rights as they handle the helpdesk, but now i want to restrict their permissions but still allow them to use Active Directory users and computers and be able to browse network folders.
Comments
-
Megadeth4168 Member Posts: 2,157What kind of rights do you want them to have in Active Directory?
You could Delegate Control or put them in specific groups like Account Operators. -
sprkymrk Member Posts: 4,884 ■■■□□□□□□□Until you remove them from Domain Admins, there is little you can do to restrict them. Once you do, you have many options. Megadeth mentioned a couple good ones.All things are possible, only believe.
-
blargoe Member Posts: 4,174 ■■■■■■■■■□Your helpdesk are in Domain Admins?!??!?!?!?!?
At most, they should be no higher than account operators. If you only want them to be able to modify certain users you can use delegation of control.
For the network folder access, I typically give them NTFS permissions at the top of the network share as needed. Also Print Operators rights for the print server.IT guy since 12/00
Recent: 11/2019 - RHCSA (RHEL 7); 2/2019 - Updated VCP to 6.5 (just a few days before VMware discontinued the re-cert policy...)
Working on: RHCE/Ansible
Future: Probably continued Red Hat Immersion, Possibly VCAP Design, or maybe a completely different path. Depends on job demands... -
billybob01 Member Posts: 504i also need them to be able to copy files and folders into user areas like their own drive and home folders, i work at a Uni so the students are restricted in what they can do, hence they come to the helpdesk if they accidently delete something and need it installed back into their own area or home folders. Would NTFS permissions on the root network share do this or is their an easier way?
-
sprkymrk Member Posts: 4,884 ■■■□□□□□□□billybob01 wrote:i also need them to be able to copy files and folders into user areas like their own drive and home folders, i work at a Uni so the students are restricted in what they can do, hence they come to the helpdesk if they accidently delete something and need it installed back into their own area or home folders. Would NTFS permissions on the root network share do this or is their an easier way?
How about Shadow Copies if you are keeping the home folders on a W2K3 server? Then the users can replace their own stuff if they delete it.
Otherwise just do like mentioned previously and either delegate the User management (password reset, etc.) stuff to them as a group (Helpdesk) or at the very least make them Account Operators and then grant the appropriate permissions to the top level directory(s) to the Account Operators or Helpdesk group.All things are possible, only believe.