Still celebrating National IT Professionals Day with 3 months of free Premium Membership. Use Code ITDAY17

x
?
Solved

Group Policy Question

Posted on 2008-10-17
7
Medium Priority
?
277 Views
Last Modified: 2012-05-05
I need to allow helpdesk folks access to certain administrative tasks like password resets, etc., but not make them domain admins.  What's the best way to do that?
0
Comment
Question by:rrsarge207
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
7 Comments
 
LVL 12

Expert Comment

by:alikaz3
ID: 22742399
Active Directory Extended Rights

Much of Active Directory security involves giving a user or group read or write access to an object, or to a specified property of that object. (For example, you can give someone the right to modify another users home phone number without giving them the right to modify any other attribute of that account.) However, there are additional rights  known as extended rights  that dont involve read/write access to individual attributes; instead, they involve carrying out specific tasks, such as changing a users password. There are 39 extended rights, including 4 that apply to user accounts. These four extended rights are shown in Table 1. A complete set of extended rights can be found on the Extended Rights Reference page.
Table 1. Extended Rights Applicable to User Accounts
Extended Right      Description
      

Change Password
{ab721a53-1e2f-11d0-9819-00aa0040529b} [Text]
      

Enables you to change the password on a user account. You must know the users current password in order to provide them with a new password. [Text]

Reset Password
{00299570-246d-11d0-a768-00aa006e0529} [Text]
      

Enables you to reset the password on a user account. You do not need to know the users current password in order to provide them with a new password. [Text]

Receive As
{ab721a56-1e2f-11d0-9819-00aa0040529b} [Text]
      

Exchange right that enables you to receive mail as a given mailbox. [Text]

Send As
{ab721a54-1e2f-11d0-9819-00aa0040529b} [Text]
      

Exchange right that enables you to send mail as the mailbox. [Text]

If you look closely at Table 1, you might have notice a few crazy-looking things like this: {ab721a53-1e2f-11d0-9819-00aa0040529b}. These are object GUIDS: globally unique identifiers. Extended rights are actually objects within Active Directory; consequently, when you grant someone the right to change a users password, you must specify the object GUID for the change password extended right in your script. But dont worry: well show you how to do that.

from:
http://www.microsoft.com/technet/scriptcenter/topics/security/exrights.mspx

I've never personally tried this, but it looks like exactly what you are looking for.
0
 

Author Comment

by:rrsarge207
ID: 22742452
Is scripting the only way to do this?  Seems like there should be a more direct way.
0
 
LVL 12

Expert Comment

by:alikaz3
ID: 22742532
I totally agree with you, there "should" be, but MS kinda put us in an all-or-nothing security situation when it comes to admin rights... There might be another way but I can't find one..
0
Concerto's Cloud Advisory Services

Want to avoid the missteps to gaining all the benefits of the cloud? Learn more about the different assessment options from our Cloud Advisory team.

 
LVL 24

Accepted Solution

by:
ryansoto earned 1000 total points
ID: 22742812
0
 
LVL 30

Expert Comment

by:LauraEHunterMVP
ID: 22742827
> "MS kinda put us in an all-or-nothing security situation when it comes to admin rights"

Nothing could be further from the truth. Active Directory allows you to delegate permissions in an extremely granular fashion.

Create a security group containing the users to whom you want to delegate permissions, then run the Delegation of Control wizard on the OU containing the resources that you wish to delegate control over: http://www.activewin.com/win2000/step_by_step/active_directory/delegsteps.shtml
0
 
LVL 12

Expert Comment

by:alikaz3
ID: 22742998
I have never used the delegation function before, but seems pretty straightforward using Laura's link.
0
 

Author Comment

by:rrsarge207
ID: 22743004
Yeah, the first guy said "I've never personally tried this".
0

Featured Post

NEW Veeam Agent for Microsoft Windows

Backup and recover physical and cloud-based servers and workstations, as well as endpoint devices that belong to remote users. Avoid downtime and data loss quickly and easily for Windows-based physical or public cloud-based workloads!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Had a business requirement to store the mobile number in an environmental variable. This is just a quick article on how this was done.
Here's a look at newsworthy articles and community happenings during the last month.
This video shows how to use Hyena, from SystemTools Software, to bulk import 100 user accounts from an external text file. View in 1080p for best video quality.
This video shows how to use Hyena, from SystemTools Software, to update 100 user accounts from an external text file. View in 1080p for best video quality.

688 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question