
Limited Admin roles

umms_admin
11 Agree, 1 Disagree
Status:
Reviewed

Peter suggested that I post this here:

I would like to see greater granularity in the control allowed to Limited Administrators in SEP. I recently posted on this topic and it didn't gather much steam.

I am not sure if my organization is representative of many others, but here we have a Systems group and a Desktop group. I manage all of the back end and work closely with the Desktop group to resolve any client issues. We want to allow limited control of the SEP console to the Desktop group. While it's good that I can grant them control over the desktop environment and restrict them from seeing any of our servers, I also would like the ability to control it a little further.

For example, there are currently 3 levels of Administrators (System Admin, Admin, and Limited Admin). Currently you can only grant a Limited Admin group rights of Full Control, Read-Only and No Access. This doesn't really work for our environment. I would like to be able to further restrict if they could create or delete groups, import an OU or container, assign install packages, etc.

Anthony Flaviani

Follow Up Question

So if a limited admin had the ability to create groups, would you want them to have the ability to change groups, or would you prefer to have ability to just remove create admin accounts from the full admin account?

umms_admin

I think all of the tasks, or

I think all of the tasks, or at least most of them, that can be done under the System Admin role should be configurable. So if I create a new admin, I would like to be able to grant/deny them the ability to create groups, delete certain groups, import OUs, create packages, etc. I may want to allow the admin to create groups, and only delete the groups that they create, and disable the ability to import an OU.

Right now, I can only give full access, read only or no access. Those are pretty broad rights. I like that I can restrict what groups the admin can see, but if I want to give them the ability to do anything to a group I have to give them full access. This allows them to delete any group that they would have access to and import an OU, etc.

umms_admin

Another note for this. I

Another note for this. I basically want to create a read-only account, only capable of viewing and generating reports. I can do this somewhat, but that limited admin can also change the password and change the Log On Attempt Threshold, can uncheck if that account gets locked out, etc. What good is that?

J.Bonner

I Agree!

We just ran into an issue on our SEPM server that was likely caused by a limited admin incorrectly setting a client to user mode. Since we don't utilize user mode, I would love to take that feature away from limited admins. That's just one example.

I like to compare this to the Antivirus Policies, where you can padlock just about each and every setting, preventing end-users from making changes.

I would love the ability to "padlock" features available to limited admins, so they can't use those features.

Jon