User Permissions

I want to restrict a couple of my users. They both at the moment have Domain Admin rights as they handle the helpdesk, but now i want to restrict their permissions but still allow them to use Active Directory users and computers and be able to browse network folders.

Find more posts tagged with

SAVE $250 on Your Boot Camp — Use Code "EXAM26"

Exclusively for TechExams members for Infosec Boot Camps starting before April 30, 2026

View Boot Camps

Comments

Megadeth4168

What kind of rights do you want them to have in Active Directory?

You could Delegate Control or put them in specific groups like Account Operators.

sprkymrk

Until you remove them from Domain Admins, there is little you can do to restrict them. Once you do, you have many options. Megadeth mentioned a couple good ones.

blargoe

Your helpdesk are in Domain Admins?!??!?!?!?!?

At most, they should be no higher than account operators. If you only want them to be able to modify certain users you can use delegation of control.

For the network folder access, I typically give them NTFS permissions at the top of the network share as needed. Also Print Operators rights for the print server.

billybob01

i also need them to be able to copy files and folders into user areas like their own drive and home folders, i work at a Uni so the students are restricted in what they can do, hence they come to the helpdesk if they accidently delete something and need it installed back into their own area or home folders. Would NTFS permissions on the root network share do this or is their an easier way?

sprkymrk

billybob01 wrote:

i also need them to be able to copy files and folders into user areas like their own drive and home folders, i work at a Uni so the students are restricted in what they can do, hence they come to the helpdesk if they accidently delete something and need it installed back into their own area or home folders. Would NTFS permissions on the root network share do this or is their an easier way?

How about Shadow Copies if you are keeping the home folders on a W2K3 server? Then the users can replace their own stuff if they delete it.

Otherwise just do like mentioned previously and either delegate the User management (password reset, etc.) stuff to them as a group (Helpdesk) or at the very least make them Account Operators and then grant the appropriate permissions to the top level directory(s) to the Account Operators or Helpdesk group.