Solved

Restricted AD user management from a PC for a specific OU

Posted on 2007-10-07
Last Modified: 2008-05-31
In a school situation - we have just upgraded our AD Servers to Server 2003 Enterprise R2 from Server 2003 Std.

I have been told with R2 it is possible to allocate the ability to certain users to change passwords of others for a specific OU.
In this case we want 2 staff members who we DON'T want to be Domain Admins to be able to change only student passwords. All students are in their own security & distribution group and in their own OU.

So far I haven't found any info on how to do it yet.
0
Question by:kiwistag
5 Comments
 
LVL 5

Expert Comment

by:cpotter
ID: 20031148
0
 
LVL 6

Author Comment

by:kiwistag
ID: 20031165
Thanks - next step: is there a way for the staff to do it from their PC (via a snap-in or equivalent) rather than being allowed to log into the server?
0
 
LVL 5

Expert Comment

by:cpotter
ID: 20031181
You would just install the Windows 2003 SP1 admin tools on their machines.
0
 
LVL 70

Accepted Solution

by:
KCTS earned 200 total points
ID: 20031268
You have always been able to do this - R2 is not specifically needed.

Step 1. Right-click on the OU and use the Delegation of Control Wizard to delegate authority to change passwords to a user/group.

Step 2. Install the admin tools on the user's machine (can be XP or 2003) - the adminpak.msi installer is in %windir%\System32 on the server (or download from https://www.microsoft.com/downloads/details.aspx?familyid=C16AE515-C8F4-47EF-A1E4-A8DCBACFF8E3&displaylang=en).

Step 3. To make life easier - create a taskpad for the user that shows only the tasks they can perform and provides an easy-to-use interface. See http://www.petri.co.il/create_taskpads_for_ad_operations.htm

Note: The admin tools need to be installed to run the taskpad, but you can hide the tools to avoid confusing users.
Also: Even if users can see the tools they can use them if you have not delegated tasks to them.

0
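The delegation from Step 1, scripted and then audited for least privilege, as an added example that is not part of the original answer. It assumes a management host with the ActiveDirectory PowerShell module; the OU distinguished name and group name are placeholders. The two ACEs mirror the wizard's "reset user passwords and force password change at next logon" task.

```powershell
# Added example. $ouDn and $group are assumed placeholders; substitute your own.
Import-Module ActiveDirectory   # provides the AD: drive used by Get-Acl/Set-Acl

$ouDn  = 'OU=Pupils,DC=example,DC=local'
$group = 'EXAMPLE\StudentPasswordAdmins'

# Well-known AD schema GUIDs
$resetPwd   = [guid]'00299570-246d-11d0-a768-00aa006e0529'  # extended right "Reset Password"
$pwdLastSet = [guid]'bf967a0a-0de6-11d0-a285-00aa003049e2'  # attribute pwdLastSet
$userClass  = [guid]'bf967aba-0de6-11d0-a285-00aa003049e2'  # object class user

$sid = (New-Object System.Security.Principal.NTAccount($group)).Translate(
    [System.Security.Principal.SecurityIdentifier])
$acl = Get-Acl -Path "AD:\$ouDn"

# Both ACEs apply to descendant *user* objects only, so nothing is granted
# on the OU itself or on groups/computers inside it.
$allow   = [System.Security.AccessControl.AccessControlType]::Allow
$inherit = [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents
$acl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $sid, [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight,
    $allow, $resetPwd, $inherit, $userClass)))
$acl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $sid, [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty,
    $allow, $pwdLastSet, $inherit, $userClass)))
Set-Acl -Path "AD:\$ouDn" -AclObject $acl

# Audit: list the group's explicit ACEs on the OU and flag anything
# beyond the two expected grants or not scoped to user objects.
$expected = @("ExtendedRight|$resetPwd", "WriteProperty|$pwdLastSet")
(Get-Acl -Path "AD:\$ouDn").Access |
    Where-Object { -not $_.IsInherited -and $_.IdentityReference.Value -eq $group } |
    ForEach-Object {
        $key = "$($_.ActiveDirectoryRights)|$($_.ObjectType)"
        [pscustomobject]@{
            Rights     = $_.ActiveDirectoryRights
            ObjectType = $_.ObjectType
            AppliesTo  = $_.InheritedObjectType
            Unexpected = ($expected -notcontains $key) -or
                         ($_.InheritedObjectType -ne $userClass)
        }
    }
```

Any row with `Unexpected = True` means the group holds more on this OU than the password-reset delegation.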
 
LVL 6

Author Comment

by:kiwistag
ID: 20032131
Another snag - it seems if I follow the Petri instructions that it will allow me to modify the sub contents of the New Taskpad view but not the primary contents.
For current management's sake (for example) we have a Sub-OU called 2007. The users running the MMC console can reset the passwords of users within the subcontainers but not within the primary OU container.

So - clicking on domain\Pupils\Username and choosing reset password doesn't work however clicking on \domain\Pupils\2007\Username does.

HOWEVER running change password on a user from the Active Directory Users and Computers SnapIn does with the same Delegated Control user....
0
