Active Directory delegation
Posted on 2005-03-01
We have recently upgraded from NT4 to 2003. I am in the midst of sorting out Active Directory delegation stuff. I have two guys on the helpdesk who need to do all the usual things, i.e. create & delete users, groups, contacts, shares, give 'send as' rights plus mailbox rights, change passwords and unlock accounts. They currently belong to a security group called 'SYDIT'. I have been using the delegate wizard on each OU and giving 'SYDIT' specific rights but it seems quite fiddly. So far they can do most stuff but don't seem to be able to add mailbox permissions or unlock accounts. Somebody else initially set up the security on the OUs on an 'as per request' basis so security on each OU is entirely different. Making my life hell! Basically I want them to have full rights to create, amend and manage stuff without being able to do anything too nasty such as delete or move an OU. My boss and I are members of the Domain Admins group so we have full rights.
Advice and help greatly appreciated!