Go Premium for a chance to win a PS4. Enter to Win


Group Policy Question

Posted on 2008-10-17
Medium Priority
Last Modified: 2012-05-05
I need to allow helpdesk folks access to certain administrative tasks like password resets, etc., but not make them domain admins.  What's the best way to do that?
Question by:rrsarge207
LVL 12

Expert Comment

ID: 22742399
Active Directory Extended Rights

Much of Active Directory security involves giving a user or group read or write access to an object, or to a specified property of that object. (For example, you can give someone the right to modify another users home phone number without giving them the right to modify any other attribute of that account.) However, there are additional rights  known as extended rights  that dont involve read/write access to individual attributes; instead, they involve carrying out specific tasks, such as changing a users password. There are 39 extended rights, including 4 that apply to user accounts. These four extended rights are shown in Table 1. A complete set of extended rights can be found on the Extended Rights Reference page.
Table 1. Extended Rights Applicable to User Accounts
Extended Right      Description

Change Password
{ab721a53-1e2f-11d0-9819-00aa0040529b} [Text]

Enables you to change the password on a user account. You must know the users current password in order to provide them with a new password. [Text]

Reset Password
{00299570-246d-11d0-a768-00aa006e0529} [Text]

Enables you to reset the password on a user account. You do not need to know the users current password in order to provide them with a new password. [Text]

Receive As
{ab721a56-1e2f-11d0-9819-00aa0040529b} [Text]

Exchange right that enables you to receive mail as a given mailbox. [Text]

Send As
{ab721a54-1e2f-11d0-9819-00aa0040529b} [Text]

Exchange right that enables you to send mail as the mailbox. [Text]

If you look closely at Table 1, you might have notice a few crazy-looking things like this: {ab721a53-1e2f-11d0-9819-00aa0040529b}. These are object GUIDS: globally unique identifiers. Extended rights are actually objects within Active Directory; consequently, when you grant someone the right to change a users password, you must specify the object GUID for the change password extended right in your script. But dont worry: well show you how to do that.


I've never personally tried this, but it looks like exactly what you are looking for.

Author Comment

ID: 22742452
Is scripting the only way to do this?  Seems like there should be a more direct way.
LVL 12

Expert Comment

ID: 22742532
I totally agree with you, there "should" be, but MS kinda put us in an all-or-nothing security situation when it comes to admin rights... There might be another way but I can't find one..
Nothing ever in the clear!

This technical paper will help you implement VMware’s VM encryption as well as implement Veeam encryption which together will achieve the nothing ever in the clear goal. If a bad guy steals VMs, backups or traffic they get nothing.

LVL 24

Accepted Solution

ryansoto earned 1000 total points
ID: 22742812
LVL 30

Expert Comment

ID: 22742827
> "MS kinda put us in an all-or-nothing security situation when it comes to admin rights"

Nothing could be further from the truth. Active Directory allows you to delegate permissions in an extremely granular fashion.

Create a security group containing the users to whom you want to delegate permissions, then run the Delegation of Control wizard on the OU containing the resources that you wish to delegate control over: http://www.activewin.com/win2000/step_by_step/active_directory/delegsteps.shtml
LVL 12

Expert Comment

ID: 22742998
I have never used the delegation function before, but seems pretty straightforward using Laura's link.

Author Comment

ID: 22743004
Yeah, the first guy said "I've never personally tried this".

Featured Post

Creating Active Directory Users from a Text File

If your organization has a need to mass-create AD user accounts, watch this video to see how its done without the need for scripting or other unnecessary complexities.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Compliance and data security require steps be taken to prevent unauthorized users from copying data.  Here's one method to prevent data theft via USB drives (and writable optical media).
Transferring FSMO roles is done when an admin wants to split roles between certain Domain Controllers or the Domain Controller holding the Roles has been forcefully demoted using dcpromo / forceremoval
Attackers love to prey on accounts that have privileges. Reducing privileged accounts and protecting privileged accounts therefore is paramount. Users, groups, and service accounts need to be protected to help protect the entire Active Directory …
There are cases when e.g. an IT administrator wants to have full access and view into selected mailboxes on Exchange server, directly from his own email account in Outlook or Outlook Web Access. This proves useful when for example administrator want…
Suggested Courses

824 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question