Solved

What rights do student helpdesk staff need to administer user objects in AD?

Posted on 2006-07-10
1
231 Views
Last Modified: 2013-12-04
I am the administrator for a high school, and beginning this year, I will have several students working with my manning a helpdesk.  We run a Windows 2003 network.

I would like them to be able to reset passwords, add/remove group assignments, modify user object properties (name, etc), and printer assignments.

Does anyone know of any built-in security groups of policies that will allow this to happen easily?

Thank you!
Scott Sandstrom
0
Comment
Question by:scsandstrom
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
1 Comment
 
LVL 19

Accepted Solution

by:
CoccoBill earned 50 total points
ID: 17080253
Create new domain local security group and delegate it the desired permissions, but make sure you ONLY grant the permission to an OU containing regular user accounts, NOT admin/service accounts or groups. This can be easily done, but the printer assignments is a bit more complicated. There is the built-in group Printer Admins, but that gives them also the permission to modify print queues and printer drivers. If you just want them to be able to reset printer queues and delete pending jobs, publish all your network printers in the AD, do a search for all printer objects and select them all, and you can give them just the limited rights through right click->properties->security.

Step-by-Step Guide to Using the Delegation of Control Wizard
http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/directory/activedirectory/stepbystep/ctrlwiz.mspx#ELD

Securing Active Directory Administrative Groups and Accounts
http://www.microsoft.com/technet/security/topics/networksecurity/sec_ad_admin_groups.mspx
0

Featured Post

Free Tool: IP Lookup

Get more info about an IP address or domain name, such as organization, abuse contacts and geolocation.

One of a set of tools we are providing to everyone as a way of saying thank you for being a part of the community.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

As I write this article, I am finishing cleanup from the Qakbot virus variant found in the wild on April 18, 2011.  It was a messy beast that had varying levels of infection, speculated as being dependent on how long it resided on the infected syste…
Security measures require Windows be logged in using Standard User login (not Administrator).  Yet, sometimes an application has to be run “As Administrator” from a Standard User login.  This paper describes how to create a shortcut icon to launch a…

749 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question