Geekzone: technology news, blogs, forums
Welcome Guest.
You haven't logged in yet. If you don't have an account you can register now.


523 posts

Ultimate Geek

#142906 28-Mar-2014 09:31

Hi All,

I am currently looking at improving and securing our IT service desk access to servers.

I tried to find what other companies currently give access to there service desk however I couldn't find anything.

General requests are resetting passwords, folder permissions, restarting print spoolers, creating new AD users / exchange mailboxes 

Currently the accounts have domain admin so they can do everything.

I would like to remove the following:

- Shutting down / restarting servers
- Installation of programmes

Does anyone know what else I could remove or what other companies have in place currently as a standard?


Create new topic
99 posts

Master Geek

  #1015100 29-Mar-2014 16:04
Send private message

Hi Mate,
There are multiple ways to do this. With security permissions\enhancements generally you're best practice is to start with a tight set of permissions and work your way up from there as needed. Personally i would start by removing DA access and look at setting up Active directory groups that are a member of the local server groups you want SD to gain access to.
For example if you setup an AD group called 'SD-Power Users' and make that group a member of the local 'Power Users' group on your servers via policy. Then you can add the service desk accounts as members of this group.

If you then decide that Power Users has shutdown rights or other rights that you want to restrict then you can load up 
Navigate to:
Security Settings\Local Policies\User Rights Assignment
Shut down the system (remove the group from there)

Another way is to setup a matrix like chart of the access level you want to grant vs whats being offered by the default local groups in Windows and fine tune it via 'User Rights Assignment'.
With Active Directory you can look at setting delegate access to Certain AD containers that the service desk can add\remove\move from rather than the entire forest.
With File Server permissions again you can set up multiple AD groups that have restricted NTFS access to the File Server (i.e. only allow access to the root path of profiles)

It all depends on how granular you want to get and to find the 'right' balance between local group rights and User Rights Assignment rights.

Create new topic

News and reviews »

New Air Traffic Management Platform and Resilient Buildings a Milestone for Airways
Posted 6-Dec-2023 05:00

Logitech G Launches New Flagship Console Wireless Gaming Headset Astro A50 X
Posted 5-Dec-2023 21:00

NordVPN Helps Users Protect Themselves From Vulnerable Apps
Posted 5-Dec-2023 14:27

First-of-its-Kind Flight Trials Integrate Uncrewed Aircraft Into Controlled Airspace
Posted 5-Dec-2023 13:59

Prodigi Technology Services Announces Strategic Acquisition of Conex
Posted 4-Dec-2023 09:33

Samsung Announces Galaxy AI
Posted 28-Nov-2023 14:48

Epson Launches EH-LS650 Ultra Short Throw Smart Streaming Laser Projector
Posted 28-Nov-2023 14:38

Fitbit Charge 6 Review 
Posted 27-Nov-2023 16:21

Cisco Launches New Research Highlighting Gap in Preparedness for AI
Posted 23-Nov-2023 15:50

Seagate Takes Block Storage System to New Heights Reaching 2.5 PB
Posted 23-Nov-2023 15:45

Seagate Nytro 4350 NVMe SSD Delivers Consistent Application Performance and High QoS to Data Centers
Posted 23-Nov-2023 15:38

Amazon Fire TV Stick 4k Max (2nd Generation) Review
Posted 14-Nov-2023 16:17

Over half of New Zealand adults surveyed concerned about AI shopping scams
Posted 3-Nov-2023 10:42

Super Mario Bros. Wonder Launches on Nintendo Switch
Posted 24-Oct-2023 10:56

Google Releases Nest WiFi Pro in New Zealand
Posted 24-Oct-2023 10:18

Geekzone Live »

Try automatic live updates from Geekzone directly in your browser, without refreshing the page, with Geekzone Live now.

Are you subscribed to our RSS feed? You can download the latest headlines and summaries from our stories directly to your computer or smartphone by using a feed reader.