Active Directory delegation

Posted on 2005-03-01
Last Modified: 2010-03-18
Hi there

We have recently upgraded from NT4 to 2003.  I am in the midst of sorting out Active Directory delegation stuff.  I have two guys on the helpdesk who need to do all the usual things, i.e. create & delete users, groups, contacts, shares, give 'send as' rights plus mailbox rights, change passwords and unlock accounts. They currently belong to a security group called 'SYDIT'.  I have been using the delegate wizard on each OU and giving 'SYDIT' specific rights but it seems quite fiddly.  So far they can do most stuff but don't seem to be able to add mailbox permissions or unlock accounts.  Somebody else initially set up the security on the OUs on an 'as per request' basis so security on each OU is entirely different.  Making my life hell!  Basically I want them to have full rights to create, amend and manage stuff without being able to do anything too nasty such as delete or move an OU.  My boss and I are members of the Domain Admins group so we have full rights.

Advice and help greatly appreciated!

Question by: byrca
Expert Comment

by: Joseph Hornsey
ID: 13436594

Here's what I recommend:

1. To give them all the add/delete users and groups stuff, make them 'Account Operators'.  This will let them create users, groups and contacts as well as unlock accounts and change passwords.
2. To allow them to create shares, you'll have to delegate that using the wizard.  Otherwise, make them 'Server Operators'.  As far as I know, though, they'll be able to delete OUs if they're a member of that group.  It also allows them to do tons of other things, so make sure you want them to have those types of rights before you do this.
3. For Exchange 2000/2003, go to the Organization level and delegate control to them as Exchange Administrators.  You might want to do a little research to find out what all this will allow (because it will do more than just give them the ability to give 'send as' rights  and create mailboxes) and if it's too liberal then you'll have to manually delegate there as well.  This, however, gets really nasty.  If you're running Exchange 5.5 go to the Organization, Site and Site Configuration containers and give them Exchange Admin role on each.

Hope that helps.
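As an added example (not code from the thread), a PowerShell audit of what a helpdesk group has actually been delegated: it lists the built-in groups the group is nested in and the per-OU ACEs granted to it, flagging rights that would let it delete or move OUs. It assumes the RSAT ActiveDirectory module and a group named 'SYDIT' as in the question; Windows Server 2003 itself lacks this module, so run it from a later management host.

```powershell
# Added audit script (not from the thread). Assumes the RSAT ActiveDirectory module,
# a domain-joined session with read access to AD, and a helpdesk group named 'SYDIT'.
Import-Module ActiveDirectory

$GroupName = 'SYDIT'
$domain    = Get-ADDomain
$group     = Get-ADGroup -Identity $GroupName

# 1. Every group the helpdesk group belongs to, nested membership included
#    (LDAP_MATCHING_RULE_IN_CHAIN walks the member attribute transitively).
$chain = Get-ADGroup -LDAPFilter "(member:1.2.840.113556.1.4.1941:=$($group.DistinguishedName))" |
         Select-Object -ExpandProperty Name
Write-Host "$GroupName is (directly or indirectly) a member of: $($chain -join ', ')"
foreach ($broad in 'Account Operators', 'Server Operators', 'Domain Admins') {
    if ($chain -contains $broad) { Write-Warning "$GroupName inherits the built-in '$broad' role" }
}

# 2. Per-OU ACEs granted to the group. The question describes delegation that
#    differs from OU to OU; this puts the differences in one table. Rights that
#    allow destroying or taking over an OU are flagged, since the question wants
#    the helpdesk kept away from deleting or moving OUs.
$dangerous = 'GenericAll', 'WriteDacl', 'WriteOwner', 'Delete', 'DeleteTree', 'DeleteChild'
$identity  = "$($domain.NetBIOSName)\$GroupName"

$report = foreach ($ou in Get-ADOrganizationalUnit -Filter * -SearchBase $domain.DistinguishedName) {
    $acl  = Get-Acl -Path "AD:\$($ou.DistinguishedName)"
    $aces = $acl.Access | Where-Object { $_.IdentityReference.Value -eq $identity }
    if (-not $aces) {
        # No ACE for the group here: it can only act on this OU via group membership
        [pscustomobject]@{ OU = $ou.DistinguishedName; Rights = '(none for group)'; Inherited = $null; Flag = '' }
        continue
    }
    foreach ($ace in $aces) {
        $rights = $ace.ActiveDirectoryRights.ToString()   # flags enum, e.g. "CreateChild, DeleteChild"
        $hit    = $dangerous | Where-Object { $rights -match "\b$_\b" }
        [pscustomobject]@{
            OU        = $ou.DistinguishedName
            Rights    = $rights
            Inherited = $ace.IsInherited
            Flag      = if ($hit) { 'REVIEW: ' + ($hit -join ',') } else { '' }
        }
    }
}
$report | Sort-Object OU | Format-Table -AutoSize -Wrap
```

Rows marked REVIEW are the ACEs to compare against the intended scope before relying on the built-in groups the answer suggests.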


Author Comment

ID: 13436734
Thank you! That's a great help. I've added them to the Account Operators group and tested lockouts etc. - seems ok.  Is there a list of rights that this Account Operators group includes? Also, for Exchange can somebody please tell me exactly what 'Exchange Administrators' gives rights to?

Cheers ears

Author Comment

ID: 13445167

Fab - thanks, you are a legend.  These knowledge base articles helped.  Full points for you!


P.S. This question can be closed - do you do it or me?

Accepted Solution

Joseph Hornsey earned 2000 total points
ID: 13446752
As far as I know, you do.

Glad to be of help.


Question has a verified solution.
