

Active Directory delegation

Posted on 2005-03-01
Medium Priority
Last Modified: 2010-03-18
Hi there

We have recently upgraded from NT4 to 2003.  I am in the midst of sorting out Active Directory delegation stuff.  I have two guys on the helpdesk who need to do all the usual things, i.e. create & delete users, groups, contacts, shares, give 'send as' rights plus mailbox rights, change passwords and unlock accounts. They currently belong to a security group called 'SYDIT'.  I have been using the delegate wizard on each OU and giving 'SYDIT' specific rights, but it seems quite fiddly.  So far they can do most stuff but don't seem to be able to add mailbox permissions or unlock accounts.  Somebody else initially set up the security on the OUs on an 'as per request' basis, so security on each OU is entirely different.  Making my life hell!  Basically I want them to have full rights to create, amend and manage stuff without being able to do anything too nasty such as delete or move an OU.  My boss and I are members of the Domain Admins group so we have full rights.  

Advice and help greatly appreciated!

Question by:byrca

Expert Comment

by:Joseph Hornsey
ID: 13436594

Here's what I recommend:

1. To give them all the add/delete users and groups stuff, make them 'Account Operators'.  This will let them create users, groups and contacts as well as unlock accounts and change passwords.
2. To allow them to create shares, you'll have to delegate that using the wizard.  Otherwise, make them 'Server Operators'.  As far as I know, though, they'll be able to delete OUs if they're a member of that group.  It also allows them to do tons of other things, so make sure you want them to have those types of rights before you do this.
3. For Exchange 2000/2003, go to the Organization level and delegate control to them as Exchange Administrators.  You might want to do a little research to find out what all this will allow (because it will do more than just give them the ability to give 'send as' rights and create mailboxes) and if it's too liberal then you'll have to manually delegate there as well.  This, however, gets really nasty.  If you're running Exchange 5.5 go to the Organization, Site and Site Configuration containers and give them Exchange Admin role on each.

Hope that helps.
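The delegation in points 1 and 2 above, done as explicit ACEs on the OU rather than by putting the helpdesk in Account Operators, so the group gets exactly the create/delete/amend/reset/unlock rights the poster listed and nothing over OU objects. This is an added example, not code from the thread or from Microsoft; the OU DN and group name are placeholder assumptions, it must be run as a Domain Admin on a domain-joined host, and it needs PowerShell (it uses only the .NET System.DirectoryServices classes, so the poster's 2003 environment would have to have PowerShell installed). The schema and rights GUIDs are the well-known constants that are identical in every AD forest.

```powershell
param(
    [string]$OuDn      = "OU=Sydney,DC=corp,DC=example",   # assumption: placeholder OU
    [string]$GroupName = "CORP\SYDIT"                      # assumption: placeholder domain prefix
)
$ErrorActionPreference = 'Stop'

# Well-known schemaIDGUIDs and rightsGuids; these are the same in every AD forest.
$UserClass    = [guid]'bf967aba-0de6-11d0-a285-00aa003049e2'   # user
$GroupClass   = [guid]'bf967a9c-0de6-11d0-a285-00aa003049e2'   # group
$ContactClass = [guid]'5cb41ed0-0e4c-11d0-a286-00aa003049e2'   # contact
$OuClass      = [guid]'bf967aa5-0de6-11d0-a285-00aa003049e2'   # organizationalUnit
$LockoutTime  = [guid]'28630ebf-41d5-11d1-a9c1-0000f80367c1'   # lockoutTime attribute
$ResetPwd     = [guid]'00299570-246d-11d0-a768-00aa006e0529'   # "Reset Password" control access right

$sid   = (New-Object System.Security.Principal.NTAccount($GroupName)).Translate(
             [System.Security.Principal.SecurityIdentifier])
$Allow = [System.Security.AccessControl.AccessControlType]::Allow
$All   = [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All         # this OU + all descendants
$Desc  = [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents # descendants only

function New-Ace([string]$Rights, [guid]$ObjectType, $Inheritance, [guid]$InheritedObjectType) {
    New-Object System.DirectoryServices.ActiveDirectoryAccessRule -ArgumentList @(
        $sid, [System.DirectoryServices.ActiveDirectoryRights]$Rights, $Allow,
        $ObjectType, $Inheritance, $InheritedObjectType)
}

$ou = [adsi]"LDAP://$OuDn"
foreach ($class in $UserClass, $GroupClass, $ContactClass) {
    # 1. Create and delete objects of this class in the OU and every sub-OU. DeleteChild is
    #    scoped to the class GUID, so this grants nothing over OU objects themselves.
    $ou.ObjectSecurity.AddAccessRule((New-Ace 'CreateChild, DeleteChild' $class $All ([guid]::Empty)))
    # 2. Read/write every attribute of existing objects of this class ("amend"). On users this
    #    covers lockoutTime, which is the attribute an "unlock account" writes.
    $ou.ObjectSecurity.AddAccessRule((New-Ace 'ReadProperty, WriteProperty' ([guid]::Empty) $Desc $class))
}
# 3. Reset Password is a control access right, not an attribute, so it needs its own ACE.
$ou.ObjectSecurity.AddAccessRule((New-Ace 'ExtendedRight' $ResetPwd $Desc $UserClass))
$ou.CommitChanges()

# Read the DACL back (re-bind to get the committed copy) and check the two things the poster
# cares about. Simplified: looks only at Allow ACEs for this SID, ignoring deny ACEs and nesting.
$ou   = [adsi]"LDAP://$OuDn"
$aces = $ou.ObjectSecurity.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier]) |
        Where-Object { $_.IdentityReference -eq $sid -and $_.AccessControlType -eq $Allow }

function Test-Right($Ace, [string]$Right) {
    # Bit test. GenericAll/GenericWrite ACEs carry the specific bits too, so testing for
    # e.g. WriteProperty also catches full-control ACEs.
    ($Ace.ActiveDirectoryRights -band [System.DirectoryServices.ActiveDirectoryRights]$Right) -ne 0
}
function Test-Scope([guid]$Actual, [guid]$Wanted) {   # empty GUID = applies to everything
    $Actual -eq [guid]::Empty -or $Actual -eq $Wanted
}

$canUnlock = $aces | Where-Object {
    (Test-Right $_ 'WriteProperty') -and (Test-Scope $_.ObjectType $LockoutTime) -and
    (Test-Scope $_.InheritedObjectType $UserClass)
}
$canDeleteOu = $aces | Where-Object {
    (((Test-Right $_ 'Delete') -or (Test-Right $_ 'DeleteTree')) -and (Test-Scope $_.InheritedObjectType $OuClass)) -or
    ((Test-Right $_ 'DeleteChild') -and (Test-Scope $_.ObjectType $OuClass))
}
"{0} can unlock users under {1}: {2}"    -f $GroupName, $OuDn, [bool]$canUnlock
"{0} can delete/move OUs under {1}: {2}" -f $GroupName, $OuDn, [bool]$canDeleteOu
```

Run it once per top-level OU the helpdesk should manage; the inheritance flags carry the ACEs down to sub-OUs, which is what makes the "every OU is different" mess go away. The read-back at the end is the check to run on the OUs someone else set up: if "can delete/move OUs" comes back True, an earlier delegation granted more than intended. On a 2003 box without PowerShell the same ACEs can be set with dsacls.exe from the Support Tools. Two Exchange 2000/2003 caveats: Full Mailbox Access is stored in the user's msExchMailboxSecurityDescriptor attribute, so the all-attributes WriteProperty ACE does let the helpdesk set mailbox rights; 'Send As', however, is an extended right in the user object's own DACL, so letting them grant it to other people needs WriteDacl on user objects, which this script deliberately does not give.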


Author Comment

ID: 13436734
Thank you! That's a great help. I've added them to the Account Operators group and tested lockouts etc. - seems OK.  Is there a list of rights that this Account Operators group includes? Also, for Exchange can somebody please tell me exactly what 'Exchange Administrators' gives rights to?

Cheers ears

Author Comment

ID: 13445167

Fab - thanks, you are a legend.  These knowledge base articles helped.  Full points for you!  


P.S This question can be closed - do you do it or me?

Accepted Solution

Joseph Hornsey earned 2000 total points
ID: 13446752
As far as I know, you do.

Glad to be of help.

