Solved

adding users and managing mailboxes without domain admin rights

Posted on 2004-09-01
7
234 Views
Last Modified: 2013-12-03
I have a need for our help desk to add/delete user accounts plus manage distribution lists in a windows 2000 environment. I don't want them to have full rights. What is the easiest way?
0
Comment
Question by:gaskew
  • 3
  • 3
7 Comments
 
LVL 25

Expert Comment

by:mikeleebrla
ID: 11953822
this is kind of a catch 22 problem,,,, think about it,,, if you give them rights to add/delete accounts,, this means that they can also change anyone's password, INCLUDING any administrator account... so if you enable a user to add/delete accounts,, you are essentially giving them the administrator password as well,,, since they can change it at any time.   Of course you will know it has been changed,,, since you couldn't log on with the old password anymore.  
0
 
LVL 22

Accepted Solution

by:
kristinaw earned 250 total points
ID: 11953973
gaskew,

actually, you can delegate the rights to manage ONLY the users you wish your help desk to have rights to. This is not a problem and is quite common. make a test OU and move the users into it you want your help desk to manage. Right click the OU and select delegate, then give your help desk users the create/delete/manage check box as well as the reset password box if you want them to be able to do that as well.

you can get very granular with the permissions for this kind of stuff. we do this in my environment and it works quite well. check the advanced security after you have delegated the rights to get an idea of what i mean.

kris.
0
 
LVL 25

Expert Comment

by:mikeleebrla
ID: 11954309
this might work,,, but all of the distribution lists in question would have to be under that OU as well.
0
Technology Partners: We Want Your Opinion!

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

 
LVL 22

Expert Comment

by:kristinaw
ID: 11954360
mike,

distribution lists aren't managed that way. they have a check box that gives the user permission to update group membership. If the box is checked and the appropriate user is filled in in the box, then the user can manage this group no matter where the object is located in AD. If you want help desk users to be able to manage these lists through the ADUC, then you can create a separate OU for them and delegate permissions on the group object under advanced security.

"this might work", it will work. i don't answer questions unless i'm sure of what i'm talking about.

kris.
0
 

Author Comment

by:gaskew
ID: 11954608
Thanks for the quick response
0
 
LVL 25

Expert Comment

by:mikeleebrla
ID: 11954699
kris,

why are you dogging on me???  FYI ...  ive answered some of your questions in the past

"this might work" what i meant by that is that it would work if it was set up correctly,,, but every environment is different so i never say this WILL work.
0
 
LVL 22

Expert Comment

by:kristinaw
ID: 11956393
mike,

sorry, didn't mean to dog you. but, you can delegate rights to do things only on certain users. kind of one of the big pluses about AD. didn't mean to sound harsh.

have a good one,

Kris.
0

Featured Post

Simplifying Server Workload Migrations

This use case outlines the migration challenges that organizations face and how the Acronis AnyData Engine supports physical-to-physical (P2P), physical-to-virtual (P2V), virtual to physical (V2P), and cross-virtual (V2V) migration scenarios to address these challenges.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

NTFS file system has been developed by Microsoft that is widely used by Windows NT operating system and its advanced versions. It is the mostly used over FAT file system as it provides superior features like reliability, security, storage, efficienc…
This article demonstrates probably the easiest way to configure domain-wide tier isolation within Active Directory. If you do not know tier isolation read https://technet.microsoft.com/en-us/windows-server-docs/security/securing-privileged-access/s…
Excel styles will make formatting consistent and let you apply and change formatting faster. In this tutorial, you'll learn how to use Excel's built-in styles, how to modify styles, and how to create your own. You'll also learn how to use your custo…

735 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question