Securing Active Directory 1

[NYR]

Hello,
Does anyone have any suggestions on how to secure AD? I have people who need to create and modify user accounts in AD, although I want to ensure they do not have the ability to delete or remove any accounts, groups, OUs, etc. Any help would be greatly appreiciated.

 

[Davetoo]

Delegate them control over an OU and place only the accounts in that OU that you want them to have the ability to make changes to.

I'm Certifiable, not cert-ified.
It just means my answers are from experience, not a book.

 

[NYR]

Sounds good, although all our users are in this one OU, about 3000 of them. Is there a way to delegate them access to this one OU and restrict them from others? If so, how? And can I restrict them from deleting stuff? I have heard of this "Delegation of Control Wizard". Is this what you are referring too? Thanks

 

[Davetoo]

If all of the users are in one OU, then if you delegate control they can control all of the users in that OU. If that's what you want, then you're fine.

If you don't want that, then you'll need to create a new OU, move the users into that OU that you want someone to be able to manage, then run the delegation wizard to grant them the authority as you see fit. I forget exactly the options, but you have pretty good control over what you delegate.

I'm Certifiable, not cert-ified.
It just means my answers are from experience, not a book.

 

[NYR]

Thanks. I will give that a try.