Matt S wrote:
> Hi,
>
> I couldn't find an answer on the net, however apologies if this has
> already been posted somewhere.
>
> The situation is this: we are running SBS 2003 Premium (using SQL
> Server). For several years I have been the sole domain admin, however
> now I can't allocate enough of my time to carry out all domain admin
> tasks.
>
> Therefore I would like to allow one of our users, who is IT literate
> to help me manage the tasks of adding new users, setting up computers
> for users, recovering lost passwords, unblocking locked accounts etc.
>
> However if I create a new domain admin account for him to use for this
> purpose, how do I restrict the following:
>
> 1. Gaining access to folders of company directors - I could put a deny
> right against the folders, but couldn't he just take ownership of the
> folder?
> 2. Deleting users from the system?
> 3. Accessing an SQL Server table containing employee salaries? - again
> I can put a deny right but couldn't he override this?
>
> The above may sound paranoid, as I do trust the employee, however I do
> need to ensure I undertake due diligence with company IT security.
>
> Any help would be appreciated.

1. You must have complete faith in anyone who is granted Domain Admin
privileges.
2. If you want to offer a subset of this, create a group accordingly,
and grant the relevant privileges to the group. ISTR that SBS2003 had a
group for this purpose, but I don't have one handy to look at right now.
--
Steve Foster
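One way to carry out the "create a group and grant the relevant privileges" suggestion from the reply above, shown as an added example that is not part of the original thread: the account tasks listed in the question are delegated on a single OU with `dsacls` (Windows Server 2003 Support Tools), and no delete right is granted. The group name `EXAMPLE\HelpdeskOps` and the OU `OU=Staff,DC=example,DC=local` are hypothetical placeholders; the group is assumed to exist already and to be a member of no administrative group.

```bat
@echo off
rem Added example: delegate routine account tasks to a group instead of
rem handing out Domain Admins. Run from an existing admin session.
rem GROUP and USERS_OU are hypothetical placeholders - replace both.
setlocal
set "GROUP=EXAMPLE\HelpdeskOps"
set "USERS_OU=OU=Staff,DC=example,DC=local"

rem Add new users: CC = create child objects of class "user" in this OU.
rem Neither DC (delete child) nor SD (delete) is granted anywhere below,
rem so the delegation itself gives the group no right to delete accounts.
dsacls "%USERS_OU%" /I:T /G "%GROUP%:CC;user"

rem Recover lost passwords: the "Reset Password" control access right,
rem inherited onto user objects beneath the OU (/I:S = sub-objects only).
dsacls "%USERS_OU%" /I:S /G "%GROUP%:CA;Reset Password;user"

rem Unlock locked-out accounts: read/write the lockoutTime attribute.
dsacls "%USERS_OU%" /I:S /G "%GROUP%:RPWP;lockoutTime;user"

rem Allow "user must change password at next logon" after a reset.
dsacls "%USERS_OU%" /I:S /G "%GROUP%:RPWP;pwdLastSet;user"

rem Review: list the ACL lines for the group and confirm that no FULL
rem CONTROL, DELETE or DELETE CHILD entry appears among them.
dsacls "%USERS_OU%" | findstr /I /C:"HelpdeskOps"
endlocal
```

A user who creates an account becomes the owner of that object, and an owner can change its permissions, so the review step is worth repeating periodically. Because the helper's account is not an administrator, the deny entries on the directors' folders and the SQL Server table cannot be bypassed by taking ownership.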