

Restricting Privileges to Administrators

Posted on 2009-02-19
Medium Priority
Last Modified: 2013-11-05
Hi All,

Currently we have over 25 domain administrators in our network.  Some of them (e.g.  Service desk) have been granted this privilege for the purpose of resetting passwords, unlocking users etc.  The Network Manager claims that their access cannot be restricted and that they are planning to implement a web based solution that would provide an interface with limited menu items.  I would like to confirm with the experts here that it is not possible to create various roles for different users.

Question by: ISS_Expert

Expert Comment

by: Ken Fayal
ID: 23680134
You pretty much have the door wide open if you are a Domain Admin.  No doubt about that.  And you do need to be a domain admin in order to reset passwords and unlock users, so I don't see a way around this.
LVL 58

Accepted Solution

tigermatt earned 800 total points
ID: 23680173

I'm afraid both you and the previous poster have been misinformed. There is no reason why you should have users in the Help Desk as Domain Admins. That pretty much annihilates any type of security you try to implement on your network, since those users with Domain Admin privileges can log in and access pretty much anything they wanted to.

Active Directory is specifically designed so that you can elevate a certain user or group of users' privileges to give them the ability to make changes to certain users, such as resetting passwords, unlocking user accounts and so on. You can use the Delegation of Control wizard for this. On the OU(s) which the Help Desk users would need to have access to, you right-click the OU and choose 'Delegation of Control'. You can then step through the wizard and assign the appropriate permissions.

By delegating control, they can still use the usual AD Users and Computers tool to manage the users, but they don't need Domain Admin rights. They can be standard users. Plus, they don't have access to the whole domain - only the OUs you permit them to control.
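The same delegation the wizard performs, scripted with the ActiveDirectory PowerShell module, as an added example that is not part of tigermatt's answer. The OU `OU=Staff,DC=corp,DC=example` and the group `Helpdesk-Tier1` are assumed names; the GUIDs are the documented schema and control-access-right identifiers for the user class, the Reset Password right, `pwdLastSet` and `lockoutTime`.

```powershell
# Added example: grant a help-desk group reset-password and unlock rights on
# one OU only, instead of Domain Admin membership. Names below are assumptions.
Import-Module ActiveDirectory

$ouDn  = 'OU=Staff,DC=corp,DC=example'            # assumed OU the help desk manages
$group = Get-ADGroup 'Helpdesk-Tier1'              # assumed delegated group
$sid   = [System.Security.Principal.SecurityIdentifier]$group.SID

# Documented AD GUIDs: user object class, "Reset Password" extended right,
# and the two attributes the wizard/unlock operations write.
$userClass     = [guid]'bf967aba-0de6-11d0-a285-00aa003049e2'
$resetPassword = [guid]'00299570-246d-11d0-a768-00aa006e0529'
$pwdLastSet    = [guid]'bf967a0a-0de6-11d0-a285-00aa003049e2'
$lockoutTime   = [guid]'28630ebf-41d5-11d1-a9c1-0000f80367c1'

$descendants = [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents
$allow       = [System.Security.AccessControl.AccessControlType]::Allow
$rw          = [System.DirectoryServices.ActiveDirectoryRights]'ReadProperty, WriteProperty'
$extended    = [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight

$acl = Get-Acl -Path "AD:\$ouDn"

# 1. "Reset Password" extended right, applied only to user objects under the OU
$acl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $sid, $extended, $allow, $resetPassword, $descendants, $userClass)))

# 2. Read/Write pwdLastSet, so "must change password at next logon" can be set
$acl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $sid, $rw, $allow, $pwdLastSet, $descendants, $userClass)))

# 3. Read/Write lockoutTime, which is what "Unlock account" actually modifies
$acl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $sid, $rw, $allow, $lockoutTime, $descendants, $userClass)))

Set-Acl -Path "AD:\$ouDn" -AclObject $acl

# Verify: show only the explicit ACEs now granted to the group on this OU
(Get-Acl -Path "AD:\$ouDn").Access |
    Where-Object { -not $_.IsInherited -and $_.IdentityReference -like '*Helpdesk-Tier1' } |
    Format-Table IdentityReference, ActiveDirectoryRights, ObjectType, InheritedObjectType -AutoSize
```

Because the ACEs are scoped to descendant user objects of one OU, members of the group get no rights on other OUs, on computers or groups, or on accounts that sit outside that OU.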

LVL 85

Assisted Solution

oBdA earned 600 total points
ID: 23680187
Of course you can delegate tasks in AD, especially common ones like resetting a password or unlocking an account. You can delegate permissions for every single attribute in AD, from root/site/ou down to the last object. You can even delegate permissions so that the Helpdesk can reset passwords of regular users, but only unlock an administrator account.
Helpdesk certainly doesn't need and shouldn't have domain admin permissions.
Some random links for starters:

Default security concerns in Active Directory delegation

How to Delegate Mailbox Access in Active Directory

Minimum permissions are needed for a delegated administrator to force password change at next logon procedure

How To Delegate the Unlock Account Right
LVL 35

Assisted Solution

by: Joseph Daly
Joseph Daly earned 600 total points
ID: 23680189
Domain admins basically hold all the keys to the kingdom. This is not a good thing to have, and this is the reason why Microsoft came up with the Delegation of Control wizard. This lets you give only the permissions necessary to certain groups. Take a read here


What I would do is use DSrevoke to remove unnecessary access that users have and then redelegate control to them properly.

DSrevoke: http://www.microsoft.com/downloads/details.aspx?familyid=77744807-c403-4bda-b0e4-c2093b8d6383&displaylang=en

I did this on my domain and it worked out great; just make sure you have a backout plan, which in your case would be adding users back into the Domain Admins group.

The syntax I used for dsrevoke was this:

dsrevoke /report /domain:domain domain\username or group

It will return the report of all the access that user or group has been granted.

ACE #1
Object: DC=domain,DC=com
Security Principal: domain\user
ACE does not apply to this object
ACE inherited by all child objects of class Group
ACE #2
Object: DC=Domain,DC=com
Security Principal: domain\user
ACE inherited by all child objects

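A PowerShell equivalent of the `dsrevoke /report` listing above, added here as an example that is not part of Joseph Daly's post: it walks the domain's OUs and containers and prints every explicit (non-inherited) ACE granted to one principal, which is the inventory you need before removing rights and re-delegating. The principal name `CORP\Helpdesk-Tier1` is an assumption.

```powershell
# Added example: report explicit ACEs granted to a principal across the domain,
# the same view dsrevoke /report gives, but as objects you can filter or export.
Import-Module ActiveDirectory

function Get-DelegatedAces {
    param(
        [Parameter(Mandatory)][string]$Principal,                    # e.g. 'CORP\Helpdesk-Tier1'
        [string]$SearchBase = (Get-ADDomain).DistinguishedName       # default: whole domain
    )
    # Delegation is normally set on the domain root, OUs and containers.
    $filter = '(|(objectClass=domainDNS)(objectClass=organizationalUnit)(objectClass=container))'
    Get-ADObject -SearchBase $SearchBase -LDAPFilter $filter | ForEach-Object {
        $dn  = $_.DistinguishedName
        $acl = Get-Acl -Path "AD:\$dn"
        foreach ($ace in $acl.Access) {
            # Inherited ACEs are reported once, at the object where they were set
            if ($ace.IsInherited) { continue }
            if ($ace.IdentityReference.Value -ne $Principal) { continue }
            [pscustomobject]@{
                Object              = $dn
                Principal           = $ace.IdentityReference.Value
                Type                = $ace.AccessControlType         # Allow / Deny
                Rights              = $ace.ActiveDirectoryRights
                ObjectType          = $ace.ObjectType                # attribute or extended-right GUID
                InheritedObjectType = $ace.InheritedObjectType       # object class the ACE applies to
                Inheritance         = $ace.InheritanceType
            }
        }
    }
}

# Assumed principal; export the report before touching any ACL so it doubles as the backout record
Get-DelegatedAces -Principal 'CORP\Helpdesk-Tier1' |
    Tee-Object -Variable report |
    Format-Table Object, Type, Rights, ObjectType, InheritedObjectType -AutoSize
$report | Export-Csv -NoTypeInformation -Path '.\delegation-report.csv'
```

An all-zero `ObjectType` GUID means the ACE covers every attribute or right, which is the pattern to look for when hunting for over-broad grants that should be replaced by the narrow ones the wizard creates.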


Author Closing Comment

ID: 31548706
Thank you all.  Appreciate it.
