By submitting your personal information, you agree that TechTarget and its partners may contact you regarding relevant content, products and special offers.
How would you go about implementing security based on the principle of least privilege for a helpdesk staff in an eight domain forest? I have granted and denied rights over certain OUs through delegation or security settings. Those that are on the helpdesk also maintain user shares, backup operations, enterprise AV, etc which falls over into file and data security. I would rather not become too granular with this because of documenting and reporting on the configuration is difficult, unless you have a way to list all user security and privileges. I do not believe that my efforts have been in vain, but I would like to get your input so that I can verify and strengthen my work.
I'd start, like it appears you did, by determining what the helpdesk needs to do and then delegating these rights only over the OUs that they need them for. Three important resources that may help you are the
best practices guides
for delegating rights and the tool
. Dsrevoke.exe can be used to list (help you create reports) delegated rights in Active Directory and also to remove delegated rights.