Assigning certain privilages

I have a windows 2000 server.  Actually I have many of them.  I have a help desk.  Now the help desk has almost domain admin rights.  I have users that forget their password a lot so we let the help desk unlock them and reset their password and all.  I also have a group of about 355 people that have the same rights as the helpdesk.  Except when they lock themselves out the help desk can not unlock them and they have to call me and my 5 man team.  Is there a way I can give the help desk permission to unlock all type of accounts without giving them domain admins?

Thanks
John
John SheehySecurity AnalystAsked:
Who is Participating?
 
oBdACommented:
You can give them only the basic permissions they need, and even give them a customized MMC task pad that doesn't leave much room for errand clicks; check out these articles:

HOW TO: Delegate Administrative Authority in Windows 2000
http://support.microsoft.com/?kbid=315676

HOW TO: Create and Edit a Taskpad View in a Saved MMC Console in Windows 2000
http://support.microsoft.com/?kbid=321143

Default Security Concerns in Active Directory Delegation
http://support.microsoft.com/?kbid=235531

Delegate Control Wizard Cannot Be Used to Remove Groups or Users
http://support.microsoft.com/?kbid=229873

Administrative Tool Menu Is Sensitive to User's Permissions
http://support.microsoft.com/?kbid=214739

Active Directory Database Size and Delegation Access Rights
http://support.microsoft.com/?kbid=197054

How To Delegate the Unlock Account Right
http://support.microsoft.com/?kbid=294952
0
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

All Courses

From novice to tech pro — start learning today.