I’m a virgin Windows/AD administrator with a Linux/Unix background, so bear that in mind while reading my question(s), if you would. I’ve got a couple questions in here – some specific and some general.
I’ve got a 2k3 AD domain in which I’ve recently added three servers. These servers are a “shared application” of sorts, and require the same access credentials on each machine – and require administrative access. However, I don’t want this user account to have any elevated credentials on the domain as a whole (in other words: a domain user with administrative rights on 3 systems, and that only), and I’d much rather keep the accounts centrally managed if at all possible.
My first thoughts were to do one of the following:
1) Create a custom security group (with user) and only grant it access to that OU/those specific servers. However, I’m not sure how to do that/can’t find a way to define which privileges a security group has, or if it’s even possible to create custom definitions.
2) Make the OU “Managed by” the specific user; however, that doesn’t seem to have the desired affect.
3) Create a GPO which has a restricted group defined; however, I can’t see how I would specify a host’s local administrator group.
4) use the “delegation” feature – but I’ve not fully looked into how that works yet, and haven’t a clue how I’d utilize it.
Anyone have any suggestions/comments on how I might accomplish what I’m trying to do? I’ve currently added the domain account to the local administrator group on each server, but that’s a half-arsed solution – surely AD has to be able to assign such privileges on its own.