Solved

Group Policy Question

Posted on 2008-10-17
7
268 Views
Last Modified: 2012-05-05
I need to allow helpdesk folks access to certain administrative tasks like password resets, etc., but not make them domain admins.  What's the best way to do that?
0
Question by:rrsarge207
7 Comments
 
LVL 12

Expert Comment

by:alikaz3
Active Directory Extended Rights

Much of Active Directory security involves giving a user or group read or write access to an object, or to a specified property of that object. (For example, you can give someone the right to modify another user's home phone number without giving them the right to modify any other attribute of that account.) However, there are additional rights, known as extended rights, that don't involve read/write access to individual attributes; instead, they involve carrying out specific tasks, such as changing a user's password. There are 39 extended rights, including 4 that apply to user accounts. These four extended rights are shown in Table 1. A complete set of extended rights can be found on the Extended Rights Reference page.

Table 1. Extended Rights Applicable to User Accounts

Extended Right: Change Password
  GUID: {ab721a53-1e2f-11d0-9819-00aa0040529b}
  Description: Enables you to change the password on a user account. You must know the user's current password in order to provide them with a new password.

Extended Right: Reset Password
  GUID: {00299570-246d-11d0-a768-00aa006e0529}
  Description: Enables you to reset the password on a user account. You do not need to know the user's current password in order to provide them with a new password.

Extended Right: Receive As
  GUID: {ab721a56-1e2f-11d0-9819-00aa0040529b}
  Description: Exchange right that enables you to receive mail as a given mailbox.

Extended Right: Send As
  GUID: {ab721a54-1e2f-11d0-9819-00aa0040529b}
  Description: Exchange right that enables you to send mail as the mailbox.

If you look closely at Table 1, you might have noticed a few crazy-looking things like this: {ab721a53-1e2f-11d0-9819-00aa0040529b}. These are object GUIDs: globally unique identifiers. Extended rights are actually objects within Active Directory; consequently, when you grant someone the right to change a user's password, you must specify the object GUID for the change password extended right in your script. But don't worry: we'll show you how to do that.

from:
http://www.microsoft.com/technet/scriptcenter/topics/security/exrights.mspx

I've never personally tried this, but it looks like exactly what you are looking for.
0
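The scripted delegation the quoted TechNet text describes, as an added example for this thread (not code from the original post or from the Microsoft page it quotes). It grants a helpdesk group the Reset Password extended right, using the GUID from Table 1, plus read/write on the single attribute pwdLastSet so the helpdesk can also force a password change at next logon. The group name 'Helpdesk', the OU OU=Staff,DC=example,DC=com and the Get-SchemaGuid helper are assumptions for the example; the ActiveDirectory RSAT module is required. Two caveats: it is Reset Password (no old password needed), not Change Password, that a helpdesk needs; and whoever can reset a password owns that account, so keep service and admin accounts out of the delegated OU (members of protected groups such as Domain Admins have their ACLs rewritten by AdminSDHolder/SDProp anyway, so the delegation would not reach them).

```powershell
# Added example, not from the original post or the TechNet page it quotes.
# Assumed names: group 'Helpdesk', OU 'OU=Staff,DC=example,DC=com'.
# Run once as an account allowed to modify the OU's security descriptor.
Import-Module ActiveDirectory

$ouDN      = 'OU=Staff,DC=example,DC=com'   # assumed target OU
$groupName = 'Helpdesk'                      # assumed delegated group

# Reset Password extended right, GUID exactly as listed in Table 1 above.
$resetPasswordRight = [Guid]'00299570-246d-11d0-a768-00aa006e0529'

# Resolve schema GUIDs from the directory instead of hard-coding them:
# the 'user' class (to scope the ACEs to user objects only) and the
# pwdLastSet attribute (for "User must change password at next logon").
$schemaNC = (Get-ADRootDSE).schemaNamingContext
function Get-SchemaGuid([string]$ldapDisplayName) {   # assumed helper name
    $obj = Get-ADObject -SearchBase $schemaNC `
        -LDAPFilter "(lDAPDisplayName=$ldapDisplayName)" -Properties schemaIDGUID
    if (-not $obj) { throw "schema object '$ldapDisplayName' not found" }
    return [Guid]$obj.schemaIDGUID        # schemaIDGUID is stored as byte[]
}
$userClass  = Get-SchemaGuid 'user'
$pwdLastSet = Get-SchemaGuid 'pwdLastSet'

$sid = (Get-ADGroup -Identity $groupName).SID
$acl = Get-Acl -Path "AD:\$ouDN"

# ACE 1: Allow ExtendedRight / Reset Password on descendant user objects.
# Inheritance 'Descendents' plus inheritedObjectType = user class means the
# right applies to users under the OU, not to the OU itself and not to
# computer or group objects stored alongside them.
$acl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $sid,
    [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight,
    [System.Security.AccessControl.AccessControlType]::Allow,
    $resetPasswordRight,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents,
    $userClass)))

# ACE 2: Allow Read/Write of the single attribute pwdLastSet on descendant users.
$acl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $sid,
    ([System.DirectoryServices.ActiveDirectoryRights]::ReadProperty -bor
     [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty),
    [System.Security.AccessControl.AccessControlType]::Allow,
    $pwdLastSet,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents,
    $userClass)))

Set-Acl -Path "AD:\$ouDN" -AclObject $acl

# Verify: show only the ACEs held by the delegated group on this OU.
$netbios = (Get-ADDomain).NetBIOSName
(Get-Acl -Path "AD:\$ouDN").Access |
    Where-Object { $_.IdentityReference.Value -eq "$netbios\$groupName" } |
    Select-Object ActiveDirectoryRights, ObjectType, InheritedObjectType, InheritanceType
```

The verification step should print exactly two ACEs: one ExtendedRight whose ObjectType is the Reset Password GUID, and one ReadProperty/WriteProperty whose ObjectType is the pwdLastSet schema GUID, both with InheritedObjectType equal to the user class GUID. Anything broader (GenericAll, WriteDacl, WriteOwner, or an empty ObjectType) is not a password-reset delegation.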
 

Author Comment

by:rrsarge207
Is scripting the only way to do this?  Seems like there should be a more direct way.
0
 
LVL 12

Expert Comment

by:alikaz3
I totally agree with you, there "should" be, but MS kinda put us in an all-or-nothing security situation when it comes to admin rights... There might be another way but I can't find one..
0
 
LVL 24

Accepted Solution

by:
ryansoto earned 250 total points
0
 
LVL 30

Expert Comment

by:LauraEHunterMVP
> "MS kinda put us in an all-or-nothing security situation when it comes to admin rights"

Nothing could be further from the truth. Active Directory allows you to delegate permissions in an extremely granular fashion.

Create a security group containing the users to whom you want to delegate permissions, then run the Delegation of Control wizard on the OU containing the resources that you wish to delegate control over: http://www.activewin.com/win2000/step_by_step/active_directory/delegsteps.shtml
0
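An added check to run after the Delegation of Control wizard (example code for this thread, not from the original post or the linked walkthrough): it lists every explicit, non-inherited ACE on the OU that belongs to something other than the default principals, and translates the ACE's object GUIDs back into names by looking them up in CN=Extended-Rights (for extended rights) and the schema partition (for attributes and classes). The OU distinguished name is assumed, as is the list of "expected" principals, which is only a filter for the listing. If you chose the wizard's "Reset user passwords and force password change at next logon" task, the helpdesk group should show exactly the Reset Password right and read/write on pwdLastSet, applying to user objects.

```powershell
# Added example, not from the original post. Requires the ActiveDirectory
# RSAT module; the OU below is an assumed name.
Import-Module ActiveDirectory

$ouDN = 'OU=Staff,DC=example,DC=com'   # assumed OU that was delegated

$rootDse  = Get-ADRootDSE
$schemaNC = $rootDse.schemaNamingContext
$configNC = $rootDse.configurationNamingContext

# Build one GUID -> name map. Extended rights are controlAccessRight objects
# under CN=Extended-Rights in the configuration partition (rightsGuid);
# classes and attributes carry schemaIDGUID in the schema partition.
$guidMap = @{}
Get-ADObject -SearchBase "CN=Extended-Rights,$configNC" `
    -LDAPFilter '(objectClass=controlAccessRight)' -Properties rightsGuid, displayName |
    ForEach-Object { $guidMap[[Guid]$_.rightsGuid] = "right: $($_.displayName)" }
Get-ADObject -SearchBase $schemaNC `
    -LDAPFilter '(|(objectClass=classSchema)(objectClass=attributeSchema))' `
    -Properties schemaIDGUID, lDAPDisplayName |
    ForEach-Object { $guidMap[[Guid]$_.schemaIDGUID] = $_.lDAPDisplayName }

function Resolve-AdGuid([Guid]$g) {    # assumed helper name
    if ($g -eq [Guid]::Empty)     { return '(all)' }   # empty GUID = every right / every class
    if ($guidMap.ContainsKey($g)) { return $guidMap[$g] }
    return $g.ToString()                               # unknown GUID: show it raw
}

# Principals that normally appear on any OU and are not delegations.
# This is a display filter only; adjust it for your forest.
$netbios = (Get-ADDomain).NetBIOSName
$expected = @(
    'NT AUTHORITY\SYSTEM', 'NT AUTHORITY\SELF', 'NT AUTHORITY\Authenticated Users',
    'NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS', 'Everyone',
    'BUILTIN\Administrators', 'BUILTIN\Account Operators', 'BUILTIN\Print Operators',
    'BUILTIN\Pre-Windows 2000 Compatible Access',
    "$netbios\Domain Admins", "$netbios\Enterprise Admins"
)

# Explicit ACEs only: inherited ones come from parent containers and are
# reviewed there. Everything left is a delegation someone made on this OU.
(Get-Acl -Path "AD:\$ouDN").Access |
    Where-Object { -not $_.IsInherited -and $expected -notcontains $_.IdentityReference.Value } |
    ForEach-Object {
        [pscustomobject]@{
            Principal   = $_.IdentityReference.Value
            Type        = $_.AccessControlType
            Rights      = $_.ActiveDirectoryRights
            On          = Resolve-AdGuid $_.ObjectType           # right or attribute, or (all)
            AppliesTo   = Resolve-AdGuid $_.InheritedObjectType  # object class, or (all)
            Inheritance = $_.InheritanceType
        }
    } | Format-Table -AutoSize
```

A healthy helpdesk delegation reads as "ExtendedRight on right: Reset Password, applies to user" and "ReadProperty, WriteProperty on pwdLastSet, applies to user". A line such as "GenericAll on (all), applies to (all)" means someone picked a custom task with full control, which hands the group the equivalent of ownership of every object in the OU, including the ability to grant itself more rights (WriteDacl), and should be removed.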
 
LVL 12

Expert Comment

by:alikaz3
I have never used the delegation function before, but it seems pretty straightforward using Laura's link.
0
 

Author Comment

by:rrsarge207
Yeah, the first guy said "I've never personally tried this".
0
