Group Policy Question

I need to allow helpdesk folks access to certain administrative tasks like password resets, etc., but not make them domain admins.  What's the best way to do that?
rrsarge207Asked:
Who is Participating?
 
alikaz3Commented:
Active Directory Extended Rights

Much of Active Directory security involves giving a user or group read or write access to an object, or to a specified property of that object. (For example, you can give someone the right to modify another users home phone number without giving them the right to modify any other attribute of that account.) However, there are additional rights  known as extended rights  that dont involve read/write access to individual attributes; instead, they involve carrying out specific tasks, such as changing a users password. There are 39 extended rights, including 4 that apply to user accounts. These four extended rights are shown in Table 1. A complete set of extended rights can be found on the Extended Rights Reference page.
Table 1. Extended Rights Applicable to User Accounts
Extended Right      Description
      

Change Password
{ab721a53-1e2f-11d0-9819-00aa0040529b} [Text]
      

Enables you to change the password on a user account. You must know the users current password in order to provide them with a new password. [Text]

Reset Password
{00299570-246d-11d0-a768-00aa006e0529} [Text]
      

Enables you to reset the password on a user account. You do not need to know the users current password in order to provide them with a new password. [Text]

Receive As
{ab721a56-1e2f-11d0-9819-00aa0040529b} [Text]
      

Exchange right that enables you to receive mail as a given mailbox. [Text]

Send As
{ab721a54-1e2f-11d0-9819-00aa0040529b} [Text]
      

Exchange right that enables you to send mail as the mailbox. [Text]

If you look closely at Table 1, you might have notice a few crazy-looking things like this: {ab721a53-1e2f-11d0-9819-00aa0040529b}. These are object GUIDS: globally unique identifiers. Extended rights are actually objects within Active Directory; consequently, when you grant someone the right to change a users password, you must specify the object GUID for the change password extended right in your script. But dont worry: well show you how to do that.

from:
http://www.microsoft.com/technet/scriptcenter/topics/security/exrights.mspx

I've never personally tried this, but it looks like exactly what you are looking for.
0
 
rrsarge207Author Commented:
Is scripting the only way to do this?  Seems like there should be a more direct way.
0
The new generation of project management tools

With monday.com’s project management tool, you can see what everyone on your team is working in a single glance. Its intuitive dashboards are customizable, so you can create systems that work for you.

 
alikaz3Commented:
I totally agree with you, there "should" be, but MS kinda put us in an all-or-nothing security situation when it comes to admin rights... There might be another way but I can't find one..
0
 
LauraEHunterMVPCommented:
> "MS kinda put us in an all-or-nothing security situation when it comes to admin rights"

Nothing could be further from the truth. Active Directory allows you to delegate permissions in an extremely granular fashion.

Create a security group containing the users to whom you want to delegate permissions, then run the Delegation of Control wizard on the OU containing the resources that you wish to delegate control over: http://www.activewin.com/win2000/step_by_step/active_directory/delegsteps.shtml
0
 
alikaz3Commented:
I have never used the delegation function before, but seems pretty straightforward using Laura's link.
0
 
rrsarge207Author Commented:
Yeah, the first guy said "I've never personally tried this".
0
All Courses

From novice to tech pro — start learning today.