Server 2008 R2 delegating permission to helpdesk staff.

    Question

  • Ok, I just started a new job at a hospital and the way the IT staff is set up is not too secure. Basically we are a staff of 7 managing the whole hospital. 2 of these staff are just helpdesk users. 1 is the helpdesk coordinator who creates accounts and all that. 1 is the manager. 1 is the network person. Myself and 1 other are the database admins. Basically they have it set up with 1 domain admin account which every one of us uses. I find this insecure as that would compromise the whole hospital. We also remote into the servers, which are always logged in, so when we remote in we just make changes. Basically I want to create an admin account for each of us with domain admin rights. For the 2 helpdesk staff users I would only wish to let them be able to unlock user accounts and reset passwords and that basic stuff in the server, but have their domain accounts have full admin rights on local user machines in case they need to install an application or add a printer or whatever. What would be the best way to go about accomplishing this task? Would I also need to create new accounts for each server so that any time we need access we log into the server rather than just remoting in and making the changes?
    Wednesday, December 11, 2013 4:32 PM

All replies

  • Hi Pixa241,

    Good to see your keen interest in improving security in your IT Infra.

    For your query I would prefer the following setup.

    1. Domain Admin group membership for the Manager and the AD Admin to manage AD.

    2. For the 2 HelpDesk users = Account Operator role to just unlock and reset passwords for users. Also, membership in the local Administrators group on each of the other servers where they need to install applications.

    3. For each user = create a domain account and grant them login to each server for their routine tasks.

    4. As per best practices, to grant admin access to any network server use a security group from AD, which is then added on the remote server / desktop to grant access.

    Hope this helps you.


    Thanks & Regards,
    Amit Katkar (MCITP Windows 2008)
    ------------------------------------------------------------
    This posting is provided "AS IS" with no warranties or guarantees and confers no rights.

    Wednesday, December 11, 2013 4:55 PM
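    The following is an added PowerShell example, not code from the thread, showing points 2 and 4 of the answer above done with AD security groups and an OU-level ACL instead of hand-edited rights. Domain name, OU names, group names and server names (hospital.local, OU=Staff, OU=Groups, Role-HelpDesk, Role-ServerAdmins, SRV01/SRV02) are assumptions. One practitioner's caveat worth knowing before choosing the built-in Account Operators group: that group can also create, modify and delete users, groups and computers in any non-protected container and can log on locally to domain controllers. Granting just the "Reset Password" right plus write access to lockoutTime and pwdLastSet on the staff OU, as below, gives the helpdesk the unlock-and-reset capability and nothing else. It needs the ActiveDirectory module (RSAT) and a Domain Admin session.

```powershell
# Added example: least-privilege helpdesk delegation on Server 2008 R2 AD.
# All names below are assumptions for illustration, not from the original post.
Import-Module ActiveDirectory

$domainDN = (Get-ADDomain).DistinguishedName        # e.g. DC=hospital,DC=local
$staffOU  = "OU=Staff,$domainDN"                     # assumed OU holding ordinary user accounts
$groupOU  = "OU=Groups,$domainDN"                    # assumed OU for role groups (must exist)
$rootDSE  = Get-ADRootDSE

# 1. One AD group per duty; rights and local-admin membership hang off the group,
#    never off individual accounts, so joiners/leavers are a membership change only.
$helpDesk = New-ADGroup -Name "Role-HelpDesk"     -GroupScope Global -Path $groupOU -PassThru
$srvAdmin = New-ADGroup -Name "Role-ServerAdmins" -GroupScope Global -Path $groupOU -PassThru

# 2. Resolve the GUIDs we need from the live schema rather than hard-coding them:
#    the "Reset Password" extended right, the user object class, and the two attributes
#    a helpdesk needs to write (lockoutTime = unlock, pwdLastSet = "change at next logon").
function Get-SchemaGuid([string]$ldapDisplayName) {
    $o = Get-ADObject -SearchBase $rootDSE.schemaNamingContext `
            -LDAPFilter "(lDAPDisplayName=$ldapDisplayName)" -Properties schemaIDGUID
    return [guid]$o.schemaIDGUID
}
$resetPwdRight = [guid](Get-ADObject -SearchBase "CN=Extended-Rights,$($rootDSE.configurationNamingContext)" `
                    -LDAPFilter "(displayName=Reset Password)" -Properties rightsGuid).rightsGuid
$userClass   = Get-SchemaGuid "user"
$lockoutTime = Get-SchemaGuid "lockoutTime"
$pwdLastSet  = Get-SchemaGuid "pwdLastSet"

# 3. Add exactly three ACEs to the staff OU, inherited by descendant user objects only.
$sid   = $helpDesk.SID
$inh   = [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents
$allow = [System.Security.AccessControl.AccessControlType]::Allow
$acl   = Get-Acl -Path "AD:\$staffOU"

$acl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule `
    $sid, "ExtendedRight", $allow, $resetPwdRight, $inh, $userClass))
foreach ($attr in @($lockoutTime, $pwdLastSet)) {
    $acl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule `
        $sid, "ReadProperty, WriteProperty", $allow, $attr, $inh, $userClass))
}
Set-Acl -Path "AD:\$staffOU" -AclObject $acl

# 4. Server access via group membership: put the domain group into each server's local
#    Administrators group once; from then on only the group's membership changes.
$servers = @("SRV01", "SRV02")                       # assumed server names
Invoke-Command -ComputerName $servers -ScriptBlock {
    param($g) net localgroup Administrators $g /add
} -ArgumentList "$((Get-ADDomain).NetBIOSName)\$($srvAdmin.Name)"

# Check: list what the helpdesk group can now do on the OU. Expect three entries,
# all InheritedObjectType = user class GUID, nothing else.
(Get-Acl -Path "AD:\$staffOU").Access |
    Where-Object { $_.IdentityReference -like "*Role-HelpDesk" } |
    Select-Object ActiveDirectoryRights, ObjectType, InheritedObjectType, InheritanceType
```

    The final query is the check to keep: run it again after any "quick fix" someone makes in the Delegation of Control wizard, because extra ACEs granted there are easy to miss in the GUI and show up immediately in this list.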
  • Thanks for the tips. Anybody else got any other ideas?
    Thursday, December 12, 2013 3:58 PM
  • Amit's suggestions covered most of it and I'm glad to see you promoting the principle of least privilege as well.

    If you want to really lock down your servers, you could use System Frontier to delegate admin rights instead of giving your HelpDesk staff direct access. From a central web console, you can give them rights to manage specific services, scheduled tasks, run PowerShell scripts and a lot more.

    You'll also have a full audit trail so you (and any regulatory compliance auditors) can go back and see who made changes on your systems and when.

    Saturday, December 14, 2013 4:30 AM
  • Please start with this Wiki article about Delegating AD administration: http://social.technet.microsoft.com/wiki/contents/articles/20292.delegation-of-administration-in-active-directory.aspx

    My preferred method is "Using scripts running with service accounts to achieve administrative tasks". That way you can develop the needed scripts that will be running with service accounts, compile them into exe files (better if you protect them from being decompressed with tools like WINRAR) and then make them available to your Help Desk. That way, they will be restricted to a few operations in AD and you will be able to track what they do if you include mail notification in the script. This is an example of these scripts: http://gallery.technet.microsoft.com/scriptcenter/Reset-Active-Directory-962b1afb

    To make the Help Desk accounts as local admins on Workstation, you can use Group Policy Restricted Groups to achieve that: http://social.technet.microsoft.com/wiki/contents/articles/20402.active-directory-group-policy-restricted-groups.aspx


    This posting is provided "AS IS" with no warranties or guarantees , and confers no rights.

    Sunday, December 15, 2013 3:43 PM
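    Below is an added example, written for this page and not the script linked in the post above, of the "script running with a service account" pattern it describes: a constrained reset/unlock tool that refuses anything outside the delegated scope and leaves a trail in the event log and by mail. Every name in it (OU=Staff, hospital.local, smtp.hospital.local, the it-audit mailbox, the HelpDeskTools event source) is an assumption. The design choice to note is that the file contains no credential at all: it is meant to run under the service account that holds the reset and unlock rights (a scheduled task, or a RunAs shortcut the helpdesk can use), so the account's password never sits inside the exe or script.

```powershell
# Added example: constrained helpdesk reset/unlock tool. Run under a service account
# that has Reset Password + lockoutTime/pwdLastSet write rights on the staff OU.
# Names below are assumptions for illustration.
param(
    [Parameter(Mandatory = $true)][string]$SamAccountName,
    [switch]$UnlockOnly
)
Import-Module ActiveDirectory

$staffOU  = "OU=Staff," + (Get-ADDomain).DistinguishedName   # assumed delegated OU
$auditTo  = "it-audit@hospital.local"                         # assumed audit mailbox
$smtp     = "smtp.hospital.local"                             # assumed mail relay
$operator = [System.Security.Principal.WindowsIdentity]::GetCurrent().Name

$user = Get-ADUser -Identity $SamAccountName -Properties adminCount, lockedOut -ErrorAction Stop

# Guard rails: only accounts under the delegated OU, and never a protected
# (adminCount = 1) account such as a Domain Admin, even if AdminSDHolder would block it anyway.
if ($user.DistinguishedName -notlike "*,$staffOU") { throw "$SamAccountName is outside $staffOU; refusing." }
if ($user.adminCount -eq 1)                        { throw "$SamAccountName is a protected account; refusing." }

$newPassword = $null
if ($UnlockOnly) {
    Unlock-ADAccount -Identity $user
    $action = "unlock"
} else {
    # 16 chars from a 64-symbol alphabet (ambiguous glyphs removed); 256 % 64 == 0,
    # so "byte mod 64" introduces no bias. Shown once to the operator, never logged.
    $alphabet = [char[]]"ABCDEFGHJKLMNPQRSTUVWXYZabcdefghjkmnpqrstuvwxyz23456789!#%&*+=?@"
    $rng   = New-Object System.Security.Cryptography.RNGCryptoServiceProvider
    $bytes = New-Object byte[] 16
    $rng.GetBytes($bytes)
    $newPassword = -join ($bytes | ForEach-Object { $alphabet[$_ % $alphabet.Length] })

    $secure = ConvertTo-SecureString -String $newPassword -AsPlainText -Force
    Set-ADAccountPassword -Identity $user -Reset -NewPassword $secure
    Set-ADUser -Identity $user -ChangePasswordAtLogon $true     # user picks a real one at logon
    Unlock-ADAccount -Identity $user
    $action = "password reset (change at next logon enforced)"
}

# Audit trail: Application log entry plus a mail to the audit mailbox. The message
# carries who/what/when, never the password.
$msg = "$operator performed $action on $($user.SamAccountName) at $(Get-Date -Format s)"
if (-not [System.Diagnostics.EventLog]::SourceExists("HelpDeskTools")) {
    New-EventLog -LogName Application -Source "HelpDeskTools"    # one-time, needs local admin
}
Write-EventLog -LogName Application -Source "HelpDeskTools" -EventId 1000 -EntryType Information -Message $msg
Send-MailMessage -From "helpdesk-tools@hospital.local" -To $auditTo -Subject "HelpDesk action: $action" `
                 -Body $msg -SmtpServer $smtp

if ($newPassword) { Write-Host "Temporary password for $($user.SamAccountName): $newPassword" }
```

    Usage from the helpdesk side is `Reset-StaffPassword.ps1 -SamAccountName jdoe` or `-SamAccountName jdoe -UnlockOnly`. The two throw statements are the part that makes this safer than handing out the underlying rights: even if the service account is over-privileged, the tool will not touch anything outside OU=Staff or any account AD has flagged as protected.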