My NT security administration has been very poorly managed because there are
too many people managing it. I am hoping to distinguish them, some as
"Account Operators", some as "Server Operators" and eventually only 1 or 2
people as "Domain Administrators" on the network.
Below are the problems I have yet to resolve, and I would appreciate
any input and suggestions from you.
1. So far, I have discovered that only a "Domain Administrator" can do the
"Copy Profile" process successfully from the "Start-Settings-Control
Panel-System-User Profiles" menu. My company is using "Mandatory Profile" as
the standard profile type on the network.
I am trying to find out how Account Operators and Server Operators can do it
without it failing with the error message "Copy Profile Error". So far, the
only way they can do the copy profile without failing is if the source
profile's user account carries the "Everyone" security permission. This
discovery certainly does not help me much because, by default, the security
permission of all profile users is not "Everyone" anyway.
2. The people who are assigned as Account Operators or Server Operators
individually do not come from the same department. This has complicated
my security design. I am hoping that any changes made by Account Operators
can be controlled/managed/audited by Server Operators and Domain
Administrators. I am hoping that Account Operators can't look at and amend
any changes made by Server Operators and Domain Administrators.
Are these 2 features achievable at all? Your contribution to my concerns
would be highly appreciated.