Solved

What rights do student helpdesk staff need to administer user objects in AD?

Posted on 2006-07-10
Last Modified: 2013-12-04
I am the administrator for a high school, and beginning this year, I will have several students working with me manning a helpdesk. We run a Windows 2003 network.

I would like them to be able to reset passwords, add/remove group assignments, modify user object properties (name, etc.), and printer assignments.

Does anyone know of any built-in security groups or policies that will allow this to happen easily?

Thank you!
Scott Sandstrom
Question by:scsandstrom
Accepted Solution

by:
CoccoBill earned 50 total points
ID: 17080253
Create a new domain local security group and delegate it the desired permissions, but make sure you ONLY grant the permission to an OU containing regular user accounts, NOT admin/service accounts or groups. This can be easily done, but the printer assignments are a bit more complicated. There is the built-in group Printer Admins, but that also gives them the permission to modify print queues and printer drivers. If you just want them to be able to reset printer queues and delete pending jobs, publish all your network printers in the AD, do a search for all printer objects and select them all, and you can give them just the limited rights through right click->properties->security.

Step-by-Step Guide to Using the Delegation of Control Wizard
http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/directory/activedirectory/stepbystep/ctrlwiz.mspx#ELD

Securing Active Directory Administrative Groups and Accounts
http://www.microsoft.com/technet/security/topics/networksecurity/sec_ad_admin_groups.mspx
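
The delegation described in the answer above, scripted with the Windows Server 2003 command-line tools `dsadd` and `dsacls`, as an added example that is not part of the original answer. The domain (`school.local` / `SCHOOL`), the OU names and the `Helpdesk` group name are assumptions; substitute your own.

```batch
@echo off
rem Added example. Every name below (school.local, SCHOOL, OU=Students,
rem OU=StudentGroups, OU=Delegation, OU=Admins, Helpdesk) is an assumed placeholder.
setlocal
set USERS_OU=OU=Students,DC=school,DC=local
set GROUPS_OU=OU=StudentGroups,DC=school,DC=local
set ADMIN_OU=OU=Admins,DC=school,DC=local
set HELPDESK=SCHOOL\Helpdesk

rem 1. Domain local security group for the student helpdesk staff. It lives in
rem    its own OU so the helpdesk cannot edit its own membership in step 4.
dsadd group "CN=Helpdesk,OU=Delegation,DC=school,DC=local" -secgrp yes -scope l

rem 2. Reset passwords, scoped to the regular-user OU only.
rem    /I:S   = ACE applies to sub-objects, not to the OU object itself
rem    ;user  = ACE is inherited by user objects only
dsacls "%USERS_OU%" /I:S /G "%HELPDESK%:CA;Reset Password;user"
rem    Writing pwdLastSet allows "User must change password at next logon".
dsacls "%USERS_OU%" /I:S /G "%HELPDESK%:WP;pwdLastSet;user"

rem 3. Read/write a single name property instead of full control of the user.
dsacls "%USERS_OU%" /I:S /G "%HELPDESK%:RPWP;displayName;user"

rem 4. Add/remove members, only for groups in the student-groups OU.
dsacls "%GROUPS_OU%" /I:S /G "%HELPDESK%:RPWP;member;group"

rem 5. Review: the delegated OU should list the Helpdesk ACEs ...
dsacls "%USERS_OU%" | findstr /I "Helpdesk"

rem    ... and the OU holding admin/service accounts should list none.
dsacls "%ADMIN_OU%" | findstr /I "Helpdesk"
if not errorlevel 1 echo WARNING: Helpdesk has rights on %ADMIN_OU%
endlocal
```

Run it as a domain administrator; `dsacls` ships with the Windows Server 2003 Support Tools.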