none
Prevent help desk with "Manage users and Groups" from deleting administrators RRS feed

  • Question

  • I am using Project Sever 2013 with Project Server permissions model.  I want to delegate the creation of accounts to our help desk.  I cannot find a way to prevent the help desk from deactivating or deleting high level accounts such as administrators.  AD Sync is not turned on and can't be due to the fact that we have multiple domains with a one way trust.  Is there a way around this?  
    Thursday, October 3, 2019 3:06 PM

Answers

  • Chad --

    Your situation is what I describe as a "training and performance" issue.  If your Help Desk staff have the Manage Users and Groups permission, they can add or remove users in ANY group, including the Administrators group.  This means that you need to train them NOT to touch the users in the Administrators group, and then hold them accountable for their actions.  If you do not have the authority to mandate this, then enlist the aid of an executive in your organization who supports your use of Project Server 2013, and who has the authority to mandate it.

    Again, I want to stress to you that there is no way to configure the permissions in PWA to prevent the Help Desk from adding or removing users to the Administrators group only.  Hope this helps.


    Dale A. Howard [MVP]

    • Marked as answer by Chad Thomsen1 Monday, October 7, 2019 1:03 PM
    Thursday, October 3, 2019 4:01 PM
    Moderator

All replies

  • Chad --

    Your situation is what I describe as a "training and performance" issue.  If your Help Desk staff have the Manage Users and Groups permission, they can add or remove users in ANY group, including the Administrators group.  This means that you need to train them NOT to touch the users in the Administrators group, and then hold them accountable for their actions.  If you do not have the authority to mandate this, then enlist the aid of an executive in your organization who supports your use of Project Server 2013, and who has the authority to mandate it.

    Again, I want to stress to you that there is no way to configure the permissions in PWA to prevent the Help Desk from adding or removing users to the Administrators group only.  Hope this helps.


    Dale A. Howard [MVP]

    • Marked as answer by Chad Thomsen1 Monday, October 7, 2019 1:03 PM
    Thursday, October 3, 2019 4:01 PM
    Moderator
  • Thanks for the answer as I was afraid of this.   While I understand what you are saying the software should have controls in place to do what I am asking.   Microsoft Active Directory has this, but Project Server does not?  Oh well, maybe they can add it in later. 
    Monday, October 7, 2019 1:06 PM