I have to provide a group of Jr. Sys Admins limited access to a domain controller for the purpose of limited Active Directory user and group administration (i.e. user creation, password reset, etc.). I have implemented delegation to limit the scope of tasks the Jr. Sys Admins may execute on the Active Directory. Some of these users use macOS, so using Remote Server Administration Tools as one might on a Windows machine is not an option for them.
As such, I would like to give them RDP access to a domain controller. I'd like them to be able to open Active Directory Users and Computers (without being prompted for administrator credentials) but limit their access to the remainder of the system as much as possible. Note: I may need to give them access to a few other items for other related job responsibilities.
- What is the best way to accomplish this?
- If imposing restrictions via Group Policy is the best method, what is the most efficient way to construct a policy that would accomplish my stated objective?
Best Answer
I believe I was able to achieve the desired results through a combination of configurations.
- Run only specified Windows applications: dsa.msc, mmc.exe
- Prevent access to the command prompt
- Prevent access to registry editing tools
- Remove and prevent access to the Shut Down, Restart, Sleep and Hibernate commands
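The four settings above are all User Configuration policies, so they only make sense on the DC if loopback processing is enabled and the GPO is security-filtered to the junior admins (otherwise every user, including Domain Admins, gets locked down on logon). The following PowerShell is an added example, not the answerer's own script, that builds that pair of GPOs with the GroupPolicy module; the GPO names, the group name and the OU path are placeholders for the reader's environment.

```powershell
# Added example: create (1) a user-settings GPO carrying the four restrictions
# from the answer, filtered so it applies only to the Jr. Sys Admins group, and
# (2) a computer-settings GPO that turns on loopback processing for the DC OU.
# Requires the GroupPolicy module (RSAT) and rights to create and link GPOs.
Import-Module GroupPolicy

$UserGpo  = 'JrSysAdmin-DC-UserLockdown'    # hypothetical GPO name
$LoopGpo  = 'JrSysAdmin-DC-Loopback'        # hypothetical GPO name
$AdminGrp = 'Jr Sys Admins'                 # hypothetical delegated admin group
$DcOu     = 'OU=Domain Controllers,DC=example,DC=com'   # placeholder domain

foreach ($name in @($UserGpo, $LoopGpo)) {
    if (-not (Get-GPO -Name $name -ErrorAction SilentlyContinue)) { New-GPO -Name $name | Out-Null }
}

$Explorer = 'HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'
$System   = 'HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System'

# 1. Run only specified Windows applications: dsa.msc and mmc.exe
Set-GPRegistryValue -Name $UserGpo -Key $Explorer -ValueName 'RestrictRun' -Type DWord -Value 1
Set-GPRegistryValue -Name $UserGpo -Key "$Explorer\RestrictRun" -ValueName '1' -Type String -Value 'dsa.msc'
Set-GPRegistryValue -Name $UserGpo -Key "$Explorer\RestrictRun" -ValueName '2' -Type String -Value 'mmc.exe'

# 2. Prevent access to the command prompt (1 = also block batch script processing; 2 = cmd.exe only)
Set-GPRegistryValue -Name $UserGpo -Key 'HKCU\Software\Policies\Microsoft\Windows\System' `
    -ValueName 'DisableCMD' -Type DWord -Value 1

# 3. Prevent access to registry editing tools (1 = block regedit; 2 = also block silent /s mode)
Set-GPRegistryValue -Name $UserGpo -Key $System -ValueName 'DisableRegistryTools' -Type DWord -Value 2

# 4. Remove and prevent access to Shut Down, Restart, Sleep and Hibernate
Set-GPRegistryValue -Name $UserGpo -Key $Explorer -ValueName 'NoClose' -Type DWord -Value 1

# Security filtering: only the delegated group gets Apply; Authenticated Users keep Read
# so the DC's computer account can still read the GPO during loopback processing.
Set-GPPermission -Name $UserGpo -TargetName 'Authenticated Users' -TargetType Group -PermissionLevel GpoRead -Replace
Set-GPPermission -Name $UserGpo -TargetName $AdminGrp -TargetType Group -PermissionLevel GpoApply

# Loopback processing in Replace mode (2) on the DC: user settings come only from GPOs
# linked to the DC OU, so the restrictions never follow these users to other machines.
Set-GPRegistryValue -Name $LoopGpo -Key 'HKLM\Software\Policies\Microsoft\Windows\System' `
    -ValueName 'UserPolicyMode' -Type DWord -Value 2

foreach ($name in @($UserGpo, $LoopGpo)) {
    New-GPLink -Name $name -Target $DcOu -LinkEnabled Yes | Out-Null
}
```

Two caveats to keep in mind when verifying the result with gpresult: "Run only specified Windows applications" is enforced by Explorer, not by the kernel, and an allow-listed mmc.exe will load any snap-in, so the MMC policy "Restrict users to the explicitly permitted list of snap-ins" is the natural companion setting if ADUC is the only console they should see.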