Three resources for delegating rights |
 |
EXPERT RESPONSE FROM: Roberta Bragg
|
|
|
|
| > |
QUESTION POSED ON: 01 March 2005
How would you go about implementing security based on the principle of least privilege for a helpdesk staff in an eight domain forest? I have granted and denied rights over certain OUs through delegation or security settings. Those that are on the helpdesk also maintain user shares, backup operations, enterprise AV, etc which falls over into file and data security. I would rather not become too granular with this because of documenting and reporting on the configuration is difficult, unless you have a way to list all user security and privileges. I do not believe that my efforts have been in vain, but I would like to get your input so that I can verify and strengthen my work.
|
|
| > |
EXPERT RESPONSE
I'd start, like it appears you did, by determining what the helpdesk needs to do and then delegating these rights only over the OUs that they need them for. Three important resources that may help you are the best practices guides and appendices for delegating rights and the tool dsrevoke.exe. Dsrevoke.exe can be used to list (help you create reports) delegated rights in Active Directory and also to remove delegated rights.
|
|
|
|
|
|
|
|
Search and Browse the Expert Answer Center
Search and browse more than 25,000 question and
answer pairs from more than 250 TechTarget industry experts.
|
|
|
|
|
|
|
|
|
|
|
|
