?
Solved

What rights do student helpdesk staff need to administer user objects in AD?

Posted on 2006-07-10
1
Medium Priority
?
236 Views
Last Modified: 2013-12-04
I am the administrator for a high school, and beginning this year, I will have several students working with my manning a helpdesk.  We run a Windows 2003 network.

I would like them to be able to reset passwords, add/remove group assignments, modify user object properties (name, etc), and printer assignments.

Does anyone know of any built-in security groups of policies that will allow this to happen easily?

Thank you!
Scott Sandstrom
0
Comment
Question by:scsandstrom
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
1 Comment
 
LVL 19

Accepted Solution

by:
CoccoBill earned 200 total points
ID: 17080253
Create new domain local security group and delegate it the desired permissions, but make sure you ONLY grant the permission to an OU containing regular user accounts, NOT admin/service accounts or groups. This can be easily done, but the printer assignments is a bit more complicated. There is the built-in group Printer Admins, but that gives them also the permission to modify print queues and printer drivers. If you just want them to be able to reset printer queues and delete pending jobs, publish all your network printers in the AD, do a search for all printer objects and select them all, and you can give them just the limited rights through right click->properties->security.

Step-by-Step Guide to Using the Delegation of Control Wizard
http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/directory/activedirectory/stepbystep/ctrlwiz.mspx#ELD

Securing Active Directory Administrative Groups and Accounts
http://www.microsoft.com/technet/security/topics/networksecurity/sec_ad_admin_groups.mspx
0

Featured Post

WatchGuard's M Series Appliances - Miecom Approved

WatchGuard's newest M series appliances were put to the test by Miercom.  We had great results and outperformed all of our competitors in both stateless and stateful traffic throghput scenarios! Ready to see how your UTM appliance stacked up? Download the Miercom Report!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

This is a guide to the following problem (not exclusive but here) on Windows: Users need our support and we supporters often use global administrative accounts to do this. Using these accounts safely is a real challenge. Any admin who takes se…
No security measures warrant 100% as a "silver bullet". The truth is we also cannot assume anything but a defensive and vigilance posture. Adopt no trust by default and reveal in assumption. Only assume anonymity or invisibility in the reverse. Safe…
NetCrunch network monitor is a highly extensive platform for network monitoring and alert generation. In this video you'll see a live demo of NetCrunch with most notable features explained in a walk-through manner. You'll also get to know the philos…
Sometimes it takes a new vantage point, apart from our everyday security practices, to truly see our Active Directory (AD) vulnerabilities. We get used to implementing the same techniques and checking the same areas for a breach. This pattern can re…
Suggested Courses
Course of the Month11 days, 8 hours left to enroll

752 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question