What Sort of User Access Level Shall I Give?
  1. #1
    As above, I have a few new IT guys starting, and we want to start implementing access levels.
    We are running AD, so any suggestions and experience would be nice. I would add in unlocking users and resetting passwords as the basic level.
    But any other levels etc., like stage 1, 2, 3, and then full admin.

    thanks in advance.
     Thread Starter

  2. #2
    dmdougie (Donor VIP)

    What version of server are you running? In 2008, there are plenty of built-in admin levels that have certain rights associated. For example, backup operator - given permissions to take backups only, leading to more senior admins who are given access to everything bar editing any OUs within the domain. You can also make your own levels. A lot of it really depends on the scale and layout of your AD. Do you have multiple sites? Do you have multiple domains / trees?

    You should make up some domain-level GPOs that monitor any changes made to the AD structure. Then, make up some audit reports to filter out anyone who makes any changes at all - whether it be delete user, unlock account or even add/delete an OU.
    I Refuse To Have A Battle Of Wits With An Unarmed Person.

    If you tied buttered toast to the back of a cat
    and dropped it from a height, what would happen?

  3. #3
    It's 2008 R2 64-bit.
     Thread Starter

  4. #4
    dmdougie (Donor VIP)

    Do you know where the pre-set Admin accounts are?

    Server Manager > Roles > Domain name > builtin.

    To see all the permissions you'll have to go to View along the toolbar and enable advanced features. Double click on any of the pre-set groups to view their permissions. You can add the new IT admins to more than one group. So they can start off with only having access to resetting passwords, and then somewhere down the line you can add them to the Backup operators group, event log group etc etc.

    You can also make up your own groups with whatever permissions, or you can just alter existing ones.
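
The tiered levels discussed in this thread, as an added example that is not code from any poster: it scopes password reset and unlock to one OU for the basic level, layers built-in groups on top for higher levels, and turns on auditing for those actions. The domain, OU and group names are hypothetical placeholders, and in production the audit settings would normally come from a GPO linked to the domain controllers rather than a local `auditpol` call.

```powershell
# Assumed names (not from the thread): domain EXAMPLE / example.local,
# staff accounts in OU=Staff, admin groups in OU=Admin Groups.
Import-Module ActiveDirectory

$domainDn = 'DC=example,DC=local'
$staffOu  = "OU=Staff,$domainDn"
$groupOu  = "OU=Admin Groups,$domainDn"

# One security group per access level; staff move up by group membership only.
foreach ($name in 'IT-Level1', 'IT-Level2', 'IT-Level3') {
    New-ADGroup -Name $name -GroupScope Global -GroupCategory Security -Path $groupOu
}

# Level 1: reset passwords and unlock accounts, on user objects under the staff OU only.
# /I:S applies the ACE to child objects; the trailing ';user' limits it to user objects.
$l1 = 'EXAMPLE\IT-Level1'
dsacls $staffOu /I:S /G "${l1}:CA;Reset Password;user"   # reset password (extended right)
dsacls $staffOu /I:S /G "${l1}:RPWP;lockoutTime;user"    # unlock = write lockoutTime
dsacls $staffOu /I:S /G "${l1}:RPWP;pwdLastSet;user"     # set "must change password at next logon"

# Level 2: everything Level 1 has, plus read access to event logs.
Add-ADGroupMember -Identity 'IT-Level1' -Members 'IT-Level2'
Add-ADGroupMember -Identity 'Event Log Readers' -Members 'IT-Level2'

# Level 3: everything Level 2 has, plus backups.
# Backup Operators can read any file on a domain controller, including the AD
# database, so treat this level as close to full admin.
Add-ADGroupMember -Identity 'IT-Level2' -Members 'IT-Level3'
Add-ADGroupMember -Identity 'Backup Operators' -Members 'IT-Level3'

# Audit the delegated actions (run on each domain controller).
auditpol /set /subcategory:"User Account Management" /success:enable /failure:enable
auditpol /set /subcategory:"Directory Service Changes" /success:enable

# Report: 4724 = password reset attempt, 4767 = account unlocked,
# 5136 = directory object modified (only logged for objects that have a SACL).
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4724, 4767, 5136 } -MaxEvents 50 |
    Select-Object TimeCreated, Id, Message
```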

 

 
