Three resources for delegating rights
How would you go about implementing security based on the principle of least privilege for a helpdesk staff in an eight domain forest? I have granted and denied rights over certain OUs through delegation or security settings. Those that are on the helpdesk also maintain user shares, backup operations, enterprise AV, etc which falls over into file and data security. I would rather not become too granular with this because of documenting and reporting on the configuration is difficult, unless you have a way to list all user security and privileges. I do not believe that my efforts have been in vain, but I would like to get your input so that I can verify and strengthen my work.
I'd start, like it appears you did, by determining what the helpdesk needs to do and then delegating these rights only over the OUs that they need them for. Three important resources that may help you are the best practices guides
for delegating rights and the tool dsrevoke.exe
. Dsrevoke.exe can be used to list (help you create reports) delegated rights in Active Directory and also to remove delegated rights.
This was first published in March 2005