Active Directory - IT User's & Setting up Restricted Access

oB1

Hi All,

OK so here is the scenario:

>>> I am an IT Network / System Administrator for my company - i am responsible for basically everything that happens in the IT department.

>>> our company is expanding, so much so, that i rolled out a new IT Help desk and hired in a few Junior guys with minimal experience to look after the basic stuff, password resets, account modifications, general troubleshooting, and all of the basic low-level stuff you would expect for a level 1 desk.

>>> This desk is only live about 1 month.. so it is VERY fresh - it was setup in a kind of a rush to fit in with the corporate budget and all of the business formalities

>>> So i had a very small amount of time, to get systems in place, all of the basic stuff was covered, there office location, what kind of desks they would have, what PC hardware / software would they need... we got a small office setup.. with a few new, bog standard desktops and i setup some avaya contact center phones to integrate into my existing Microsoft LYNC IP Phone system to get a " call center " experience going... the end user would call an extension, and get a list of VDN options etc.

>>> from an end user prospect, it all works well so far... no big complaints.. but where still in the " teething period " like anything new...

>>> the MAJOR problem at the moment is... the help desk agents we hired, are good guys.. they are all very respectable etc. but there IT knowledge is very junior, and they require a good bit of training...

>> They are a member of most admin groups.. some restrictions apply but not many... the big issue is... they are plane and simple messers.. some of them know a little more IT techy stuff that others.. so they have started to " mess " around in the corporate infra. IE adding themselves into all of the Admin groups under the sun... changing there display names ... basically taking advantage of there access.


I know i can go into Group policy / AD and modify each and every little thing.. but isn't that too time consuming? - to be perfectly honest, ive never had to restrict an IT users access before.. so never actually had this issue..

i basically only want them to:

>> reset passwords ONLY in certain OUs i grant them access to

>> Modify members in certain OUs etc -

for example, i have all the end users under one Primary OU called SITE USERS >> Department >> Floor etc... but then i have separate OUs for special departments like for - Accounts / I.T. / Human Resources / Senior Management ... and then i have separate OUs for offsite locations.. I don't want the Help desk agents to be able to modify there own accounts... so if i put them into a folder called Help desk under the I.T. OU i don't want them to be able to modify that

i also only want them to be able to do certain things.. like only be able to RDP onto certain servers.. perform only certain actions in AD... like i don't want them to be able to delete users... only Mark for deletion in the description.. and disable the user... i only want them to be able to add a certain number of predefined groups to users in AD... like i don't want to be able to add, Mary, the janitor, to the enterprise admin group etc.

i hope you get the idea.. i know i can do most of this in GPOs etc..

but ive never had to do this before.. any opinions, ideas past experiences, or tools, might also be useful.

Robert

LoGiE

Seems pretty simple really, remove them from the security groups and tell them they'll be out on there ear if they do it again. There's plenty of junior admins out there with far more cop on. Do you really want 'messers' in your environment?? :eek:

rolion

It's called Role Delegation...search for "How to Delegate Administrator Privileges in Active Directory" !

...and...

If you pay peanuts ,you get monkeys !!!
What's the reason of not getting IT outsourced and/or senior IT Consultants to do the work !?:)

Regards...

oB1

rolion wrote: »

It's called Role Delegation...search for "How to Delegate Administrator Privileges in Active Directory" !

...and...

If you pay peanuts ,you get monkeys !!!
What's the reason of not getting IT outsourced and/or senior IT Consultants to do the work !?:)

Regards...

Completely agree with you RE: Hiring Monkeys, i might be in charge of the IT Department - but the finance director has the last word RE: budget / funding...

ideally i would love to eliminate the help desk, and keep the the " IT Department "
... and hire in a junior guy, to work under me... when i say junior, i mean i recent college grad of IT.. and small bit of work experience.. but know what he is talking about etc.

but Management, like the idea of the Helpdesk.. and its cheaper ( abit )

rolion

Hi Robert,

Thanks for reply...and no offence re peanuts !!!

I found that some companies keep a minimum number of internal staff dedicated to run as IT Support and/or perform as 'first line of contact' for easy,basic task with internal users and outsource to 'external' companies or consultants the 'heavy' stuff !

You may discover that it might work better for you been the IT Technical Manager and IT Financial Manager,all what you doing is managing the relation with external person/people !!!
Also,'the external' has a broader exposure and experience and can bring a better IT Management perspective and strategy within your organisation ! Without risking internal jobs...

Now ,back to your AD issues,let me know if that does the trick !

Regards

oB1

rolion wrote: »

Hi Robert,

Thanks for reply...and no offence re peanuts !!!

I found that some companies keep a minimum number of internal staff dedicated to run as IT Support and/or perform as 'first line of contact' for easy,basic task with internal users and outsource to 'external' companies or consultants the 'heavy' stuff !

You may discover that it might work better for you been the IT Technical Manager and IT Financial Manager,all what you doing is managing the relation with external person/people !!!
Also,'the external' has a broader exposure and experience and can bring a better IT Management perspective and strategy within your organisation ! Without risking internal jobs...

Now ,back to your AD issues,let me know if that does the trick !

Regards

Ha Ha - No worries Thanks for your response

Basically, i have been within this company since the start, i developed and nursed the IT department / systems from the ground up... i was / am responsible for EVERYTHING relating to IT / comms / technology - so ive alot of weight on my shoulder, but, i am and want to remain hands on / technical.. before i introduced the IT help desk it was myself in charge and doing basically everything from resetting passwords to installing the new VOIP infra. - back in 2007 i hired a junior IT admin ... he basically looked after everything i done.. with abit more """ juniorority """ ( its not a word i know ) ... i looked after the bigger stuff.. but i basicaally trained him on everything.. he was my second in command.. but.. he left to pursue travel...

so thats when we discusssed the helpdesk.. i would look after everything from a back office point of view.. all of the server systems.. all of the eequipment / infra... these guys basically sit in a small office.. and answer phones.. for the basic of stuff, PW resets.. small troubleshooting.. but if it was an issue with ANYTHING else.. or if it was an outage.. the phone redirects to me.. the helpdesk doesnt even get those calls...

as i mentioned, there good guys.. but there young immature.. so there "messers" i personally would kick them out like the drop of a hat... im a business man.. i wear i suit and tie.. and run a pretty tight ship.. i like my things organised and properly setup.. becuase i setup the entire IT infra / AD / Exchange all of the backend and end user stuff.. its my baby if you get me..so i HATE ANYONE messing around in there... i like a proffesional enviroment.. and there not like that at all!

too answer your question about the outsourcing... i wouldnt do that if you paid me.. i HATE the idea of outsourcing.. i wouldnt let any other company / person look after my IT Equipment! id have a freak!

As i mentioned, i dont sit back and make the decisions from my chair.. im very much hands on.. and i want it to stay that way.. i am seniour and i like being in control of it all.. but i still want to maintain the hands on stuff.. i wouldnt have it any other way

Robert

rolion

Robert,i appreciate you reply,BUT...sometimes you need a third perspective of your baby's setup !
And when i say that i mean that by doing everything your way,you could easily overlook something that it may prove to be critical or important at a later stage !! Also,i found sometimes,in some places that the IT GUY created an unique setup so that the organisation got stucked with the chap until pension OR no IT dosumentation on anything IT related !! And..it worked,true,but never at the full potential and cash/investment return ! Other times,i've been asked to call and run a full ICT audit on the office network,without current IT guy's knowledge, just to discover many issues...one good one,the owner thought is doing backups on tape and every day been swapped and kept offsite when in reality there were two hard drives rotated and kept in same room !! Tough call...and you know why ?!? I've been paid and thanked for audit and...they call back the chap and asked to implement my recommendations...just to discover that they are ...friends on every friday night !!

Which brings me to a good Q:how "friend" you have to be with your IT support supplier AND how much trust you can have !??

I'm coming from a System Engineer background (not System Admin) and i have exposure to many ,many sites ! Each site is created unique while respecting the KISS principle ! I cannot work every day in same office,same desk,same people ...

What methodology do you follow in your organisation,what type of helpdesk solution (software-ise) do you use !?

Regards

druidhill

Hi Robert,

as mentioned in other replies, this can be done through AD and delegate control, group policy etc.

TBH, it is a bit alarming for you as the main IT person to be asking a question like this. I would advise that you perhaps look into your company providing some training for you, like MS certifications or something that will benefit you in work.

It might be of benefit to get some sort of external IT audit of your network, and you could implement the recommendations yourself. It could be money well spent.

Rolion has provided some good advice here.

Also, you as the IT guy need to sort out your junior staff, and it starts with you. You're their boss, not their friend. The ones worth keeping will respect you for it.

I know what it is like being the main person responsible for all IT aspects in a company, it can be very overwhelming and under-appreciated by management.

Please take my comments as they are intended - constructive advice.

Mossess

Hi Robert, Rolion and Druidhill are speaking a lot of sense. Get some training or at least do some self study, if you want to remain hands on then you have to study study study.

I wouldn’t worry too much about being heavy handed with the helpdesk staff, restrict their access and focus their minds on something different. If they are unqualified technical secretaries they will won’t be with you for long, the odds are that they will move on before they settle down.