Tuesday, January 28, 2020

Windows Server - Delegating Permission

Delegating permissions

Certain groups have computer permissions
It is important that you control who will be able to create and delete computers in the domain. By default, the Enterprise Admins, Domain Admins, Administrators, and Account Operators groups have permissions to perform some management of computer objects.
Delegate access to a smaller computer group
We recommend you delegate the Computer Objects permission to a smaller group of administrators or support personnel. For example, you might create a group containing just the desktop support team and the file server administrators. Then you could give permissions to allow your desktop support team to create computer objects in a Clients OU, and your file server administrators to create computer objects in a File Servers OU.
To delegate permissions, you can use the Delegate Control Wizard. Computer object permissions include Create selected objects in the folder and Delete selected objects. If you want to allow a delegated administrator to move computer accounts, consider that the administrator must have the appropriate permissions both in the source container (where the computer currently exists) and in the target container (where the computer will be moved to).
Screenshot of the Delegation of Control wizard showing the Computer Objects permissions including Create and Delete.

Pre-staging computers

Visual representation of the three reasons to pre-stage computer accounts.
As a best practice we recommend you create your computer objects in advance. This is called pre-staging a computer. There are several advantages to this method.

  • Enforces delegated control. If you have delegated control to your computer OUs, then you ensure only the specific people you have identified will be able to create the computer accounts.
  • Enforces the OU structure. When Windows Server attempts to join a computer to the domain it looks for an existing object. If it does not find the object, it creates the computer object in the default Computers container. It is easy to forget to move the computer from the default container into the OUs you took the time to define and create.
  • Enforces the Group Policy settings. When you link GPOs to your computer OUs the computer is immediately within scope before the computer joins the domain. This reduces the chance a computer will be out of compliance once it joins the domain.

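The delegation and pre-staging steps described above, as an added PowerShell example that is not code from the original post. The OU name "OU=Clients,DC=corp,DC=example", the group "Desktop Support" and the computer name "WS-0123" are assumptions; it relies on the ActiveDirectory module and its AD: drive.

```powershell
# Added example; OU, group and computer names below are assumptions.
Import-Module ActiveDirectory

$ouDn  = "OU=Clients,DC=corp,DC=example"
$group = Get-ADGroup -Identity "Desktop Support"

# Resolve the schemaIDGUID of the computer class so the ACE is scoped to
# computer objects only, which is what the wizard's "Computer objects" does.
$schemaNc      = (Get-ADRootDSE).schemaNamingContext
$computerClass = Get-ADObject -SearchBase $schemaNc `
    -LDAPFilter "(&(objectClass=classSchema)(lDAPDisplayName=computer))" `
    -Properties schemaIDGUID
$computerGuid  = [Guid]$computerClass.schemaIDGUID

# "Create selected objects" / "Delete selected objects" in this OU only.
# Use ActiveDirectorySecurityInheritance::All instead of None if the
# delegation should also cover child OUs.
$rights = ([System.DirectoryServices.ActiveDirectoryRights]::CreateChild -bor
           [System.DirectoryServices.ActiveDirectoryRights]::DeleteChild)
$ace = New-Object -TypeName System.DirectoryServices.ActiveDirectoryAccessRule -ArgumentList @(
    $group.SID,
    $rights,
    [System.Security.AccessControl.AccessControlType]::Allow,
    $computerGuid,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::None
)

$acl = Get-Acl -Path "AD:\$ouDn"
$acl.AddAccessRule($ace)
Set-Acl -Path "AD:\$ouDn" -AclObject $acl

# Check: show every ACE on the OU that grants the delegated group anything.
(Get-Acl -Path "AD:\$ouDn").Access |
    Where-Object { $_.IdentityReference -like "*Desktop Support" } |
    Format-Table IdentityReference, ActiveDirectoryRights, ObjectType, AccessControlType

# Pre-stage the workstation account in the OU, so the domain join finds it
# there instead of creating it in the default Computers container.
New-ADComputer -Name "WS-0123" -SAMAccountName "WS-0123$" -Path $ouDn -Enabled $true

# Check: any account still in the default Computers container was not
# pre-staged and sits outside the GPOs linked to your computer OUs.
Get-ADComputer -SearchBase (Get-ADDomain).ComputersContainer -Filter * |
    Select-Object Name, DistinguishedName
```

Run it as an account that already has write permission on the OU's security descriptor; the delegated group itself only receives the two child-object rights, nothing on the OU's own ACL.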