Group Policy Question

I need to allow helpdesk folks access to certain administrative tasks like password resets, etc., but not make them domain admins.  What's the best way to do that?

Active Directory Extended Rights

Much of Active Directory security involves giving a user or group read or write access to an object, or to a specified property of that object. (For example, you can give someone the right to modify another user's home phone number without giving them the right to modify any other attribute of that account.) However, there are additional rights, known as extended rights, that don't involve read/write access to individual attributes; instead, they involve carrying out specific tasks, such as changing a user's password. There are 39 extended rights, including 4 that apply to user accounts. These four extended rights are shown in Table 1. A complete set of extended rights can be found on the Extended Rights Reference page.

Table 1. Extended Rights Applicable to User Accounts

Change Password
GUID: {ab721a53-1e2f-11d0-9819-00aa0040529b}
Enables you to change the password on a user account. You must know the user's current password in order to provide them with a new password.

Reset Password
GUID: {00299570-246d-11d0-a768-00aa006e0529}
Enables you to reset the password on a user account. You do not need to know the user's current password in order to provide them with a new password.

Receive As
GUID: {ab721a56-1e2f-11d0-9819-00aa0040529b}
Exchange right that enables you to receive mail as a given mailbox.

Send As
GUID: {ab721a54-1e2f-11d0-9819-00aa0040529b}
Exchange right that enables you to send mail as the mailbox.

If you look closely at Table 1, you might have noticed a few crazy-looking things like this: {ab721a53-1e2f-11d0-9819-00aa0040529b}. These are object GUIDs: globally unique identifiers. Extended rights are actually objects within Active Directory; consequently, when you grant someone the right to change a user's password, you must specify the object GUID for the change password extended right in your script. But don't worry: we'll show you how to do that.


I've never personally tried this, but it looks like exactly what you are looking for.
rrsarge207Author Commented:
Is scripting the only way to do this?  Seems like there should be a more direct way.
I totally agree with you, there "should" be, but MS kinda put us in an all-or-nothing security situation when it comes to admin rights... There might be another way but I can't find one..
> "MS kinda put us in an all-or-nothing security situation when it comes to admin rights"

Nothing could be further from the truth. Active Directory allows you to delegate permissions in an extremely granular fashion.

Create a security group containing the users to whom you want to delegate permissions, then run the Delegation of Control wizard on the OU containing the resources that you wish to delegate control over:
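The scripted form of the delegation Laura describes, which is also the GUID-based grant the quoted Microsoft text in the first answer refers to. This is an added PowerShell example, not code from this thread; the OU and group names are assumptions, and the Reset Password GUID is the one from Table 1:

```powershell
# Added example, not from the thread: grant a helpdesk group the "Reset Password"
# extended right on user objects under one OU. This is the scripted equivalent of
# the Delegation of Control wizard task "Reset user passwords and force password
# change at next logon", scoped to that OU instead of the whole domain.
Import-Module ActiveDirectory

$ouDn      = 'OU=Staff,DC=example,DC=com'   # assumed OU holding the user accounts
$groupName = 'HelpDesk-PasswordReset'       # assumed delegation group

# Reset Password extended-right GUID, as listed in Table 1 above.
$resetPasswordGuid = [Guid]'00299570-246d-11d0-a768-00aa006e0529'

# Read schema GUIDs from this forest rather than hardcoding them: the "user" class
# (so the ACE applies only to user objects, not computers or groups) and the
# pwdLastSet attribute (written when "must change password at next logon" is set).
$schemaNc = (Get-ADRootDSE).schemaNamingContext
function Get-SchemaGuid([string]$ldapName) {
    $obj = Get-ADObject -SearchBase $schemaNc -LDAPFilter "(lDAPDisplayName=$ldapName)" `
        -Properties schemaIDGUID
    return [Guid]$obj.schemaIDGUID
}
$userClassGuid  = Get-SchemaGuid 'user'
$pwdLastSetGuid = Get-SchemaGuid 'pwdLastSet'

$groupSid = (Get-ADGroup -Identity $groupName).SID
$acl      = Get-Acl -Path "AD:\$ouDn"
$inherit  = [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents
$allow    = [System.Security.AccessControl.AccessControlType]::Allow

# ACE 1: the Reset Password extended right, inherited only by descendant user objects.
$resetAce = New-Object -TypeName System.DirectoryServices.ActiveDirectoryAccessRule -ArgumentList @(
    $groupSid, [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight,
    $allow, $resetPasswordGuid, $inherit, $userClassGuid)
$acl.AddAccessRule($resetAce)

# ACE 2: write to pwdLastSet only, so the helpdesk can force a change at next logon
# without gaining write access to any other attribute of the account.
$pwdAce = New-Object -TypeName System.DirectoryServices.ActiveDirectoryAccessRule -ArgumentList @(
    $groupSid, [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty,
    $allow, $pwdLastSetGuid, $inherit, $userClassGuid)
$acl.AddAccessRule($pwdAce)

Set-Acl -Path "AD:\$ouDn" -AclObject $acl

# Verify what the group now holds on the OU; ObjectType shows the GUID granted.
(Get-Acl -Path "AD:\$ouDn").Access |
    Where-Object { $_.IdentityReference.Value -like "*\$groupName" } |
    Format-Table IdentityReference, ActiveDirectoryRights, ObjectType, InheritedObjectType -AutoSize
```

Accounts in protected groups such as Domain Admins have their ACLs rewritten from AdminSDHolder, so this delegation will not let the helpdesk reset those accounts, which is the boundary you want.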
I have never used the delegation function before, but seems pretty straightforward using Laura's link.
rrsarge207Author Commented:
Yeah, the first guy said "I've never personally tried this".