?
Solved

Windows 2003 AD delegation to add new users

Posted on 2007-04-04
7
Medium Priority
?
343 Views
Last Modified: 2010-04-20
Our company has grown to a point we would like to use the ability to delegate someone to add users as well as computers. I ran the delegation wizard, and did a custom selection. When this user logs on, the only options in AD to add are users and computers. Whenever his account creates a new user, in the final step the message "The password for <username> can not be set due to insufficient privleges. Windows will attempt to disable this account." The account then shows up as disabled. Anybody have an idea of what I am missing?
0
Comment
Question by:Rodney Barnhardt
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 3
  • 2
  • 2
7 Comments
 
LVL 30

Expert Comment

by:LauraEHunterMVP
ID: 18853384
Off the top of my head, I'd say to run the Delegation Wizard again and grant that same group the ability to reset the user's password.

If that doesn't work, please clarify: what specifically did you delegate in the Delegation Wizard when you selected the custom task option?

Hope this helps.

Laura E. Hunter - Microsoft MVP: Windows Server - Networking
0
 
LVL 13

Expert Comment

by:strongline
ID: 18853387
why not use the pre-defined "create...manager user account"?

The thing you missed should be "reset password'
0
 
LVL 32

Author Comment

by:Rodney Barnhardt
ID: 18857188
I can not find a "reset password". Here is what I am doing:
1. Right clicking on the domain and chosing delegate control
2. Adding the user
3. Selecting "Create Custom Tasks"
4. Selecting "Only allow the following"
5. Selecting "User Objects" and "Computer Objects" and checking both the create and delete boxes on the bottom.
6. Checking all permissions except full control and allowing the wizard to complete.
I scrolled up and down all screens today, and did not see a "reset password" option.
0
Ransomware: The New Cyber Threat & How to Stop It

This infographic explains ransomware, type of malware that blocks access to your files or your systems and holds them hostage until a ransom is paid. It also examines the different types of ransomware and explains what you can do to thwart this sinister online threat.  

 
LVL 30

Accepted Solution

by:
LauraEHunterMVP earned 2000 total points
ID: 18857206
"Create, Delete and Manage user accounts" and "Reset user passwords and force password change at next logon" are both pre-configured delegations in the wizard.  The following URL will walk you through the steps to delegate one or both of these tasks: http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/directory/activedirectory/stepbystep/ctrlwiz.mspx#ELD
0
 
LVL 13

Expert Comment

by:strongline
ID: 18858460
I guess you misunderstood something here. For user creation, you can use pre-defined tasks in delegation wizard; for computer joining into domain, you define "computer configuration\windows settings\security settings\local policies\user rights assignment\add workstation to domain" in default domain policy. By default everyone can add computer into domain.
0
 
LVL 32

Author Comment

by:Rodney Barnhardt
ID: 18858827
Thank you, that link almost has me there since the user can create the account now. The only other issue is since we run AutoCAD, the users need to be in the administrators group on the local machine. While this person can create the account now, there is still an "access denied" when trying to add the user to the administrators local computer group. I have it where they can join the computer to the domain, they can not modify the local administrators account. I looked through the options and tried a few on my test bed, but did not have any luck.
0
 
LVL 30

Expert Comment

by:LauraEHunterMVP
ID: 18858915
The user who is creating the account will need to be a local admin on the target workstation.  Best way to do this would be to add your HelpDesk group to the Administrators group using the Restricted Groups function in Group Policy.
0

Featured Post

Independent Software Vendors: We Want Your Opinion

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

This article demonstrates probably the easiest way to configure domain-wide tier isolation within Active Directory. If you do not know tier isolation read https://technet.microsoft.com/en-us/windows-server-docs/security/securing-privileged-access/s…
Always backup Domain, SYSVOL etc.using processes according to Microsoft Best Practices. This is meant as a disaster recovery process for small environments that did not implement backup processes and did not run a secondary domain controller that ne…
This tutorial will walk an individual through the steps necessary to join and promote the first Windows Server 2012 domain controller into an Active Directory environment running on Windows Server 2008. Determine the location of the FSMO roles by lo…
This tutorial will walk an individual through the process of transferring the five major, necessary Active Directory Roles, commonly referred to as the FSMO roles to another domain controller. Log onto the new domain controller with a user account t…
Suggested Courses

764 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question