Hi All,
I just want to ask whether there is a security concern, or whether it is not best practice, that I delegated control of some common tasks to our help desk staff directly on our domain name and not on the specific OUs. (Kindly see the attached screenshot.)
Delegated tasks were:
1. Create, delete and manage user accounts
2. Reset user passwords and force password change at next logon
3. Join a computer to the domain
4. Read all user information
Do I need to remove the delegated permission because it was made on the domain itself (please give me some instructions on how to do it) and do the delegation again on our specific OUs, or is it OK and pretend that I did the right thing? Please advise.
Forest functional level: Windows Server 2008 R2
Domain controllers are a mix of Windows Server 2012 and Windows Server 2008 R2.
Appreciate any comments/suggestions.
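
An added example, not part of the original post: a read-only PowerShell check that lists the access control entries set directly on the domain object for one group, which is where a delegation made at the domain level is recorded. It assumes the ActiveDirectory module (RSAT) is installed; the group name `CONTOSO\HelpDesk` is a placeholder.

```powershell
# Read-only audit: shows explicit ACEs on the domain root, changes nothing.
Import-Module ActiveDirectory

# Assumption: placeholder name, replace with the group that was delegated.
$trustee = 'CONTOSO\HelpDesk'

$rootDse  = Get-ADRootDSE
$domainDN = (Get-ADDomain).DistinguishedName

# Build a GUID -> name map so ObjectType and InheritedObjectType are readable.
# An empty GUID means the ACE is not limited to one class, attribute or right.
$guidMap = @{ [guid]::Empty = 'All' }

# Schema classes and attributes (for example user, computer, pwdLastSet).
Get-ADObject -SearchBase $rootDse.schemaNamingContext `
             -LDAPFilter '(schemaIDGUID=*)' `
             -Properties lDAPDisplayName, schemaIDGUID |
    ForEach-Object { $guidMap[[guid]$_.schemaIDGUID] = $_.lDAPDisplayName }

# Extended rights (for example Reset Password).
Get-ADObject -SearchBase "CN=Extended-Rights,$($rootDse.configurationNamingContext)" `
             -LDAPFilter '(objectClass=controlAccessRight)' `
             -Properties name, rightsGuid |
    ForEach-Object { $guidMap[[guid]$_.rightsGuid] = $_.name }

# ACEs granted to the trustee on the domain object itself (not inherited).
# InheritanceType other than 'None' means the ACE flows down to child
# containers and OUs, i.e. the delegation covers the whole domain tree.
(Get-Acl -Path "AD:\$domainDN").Access |
    Where-Object { $_.IdentityReference.Value -eq $trustee -and -not $_.IsInherited } |
    Select-Object AccessControlType,
                  ActiveDirectoryRights,
                  InheritanceType,
                  @{ Name = 'AppliesTo';     Expression = { $guidMap[$_.InheritedObjectType] } },
                  @{ Name = 'ObjectOrRight'; Expression = { $guidMap[$_.ObjectType] } } |
    Format-Table -AutoSize
```

Running the same query against an OU's distinguished name instead of `$domainDN` shows what is set explicitly on that OU, which allows a before-and-after comparison when a delegation is moved.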