Restricting Privileges to Administrators

Hi All,

Currently we have over 25 domain administrators in our network. Some of them (e.g. Service desk) have been granted this privilege for the purpose of resetting passwords, unlocking users etc. The Network Manager claims that their access cannot be restricted and that they are planning to implement a web based solution that would provide an interface with limited menu items. I would like to confirm with the experts here that it is not possible to create various roles for different users.


I'm afraid both you and the previous poster have been mis-informed. There is no reason why you should have users in the Help Desk as Domain Admins. That pretty much annihilates any type of security you try to implement on your network, since those users with Domain Admin privileges can log in and access pretty much anything they wanted to.

Active Directory is specifically designed so that you can elevate a certain user or group of users' privileges to give them the ability to make changes to certain users, such as resetting passwords, unlocking user accounts and so on. You can use the Delegation of Control wizard for this. On the OU(s) which the Help Desk users would need to have access to, you right-click the OU and choose 'Delegation of Control'. You can then step through the wizard and assign the appropriate permissions.

By delegating control, they can still use the usual AD Users and Computers tool to manage the users, but they don't need Domain Admin rights. They can be standard users. Plus, they don't have access to the whole domain - only the OUs you permit them to control.

Ken Fayal, CTO, commented:
You pretty much have the door wide open if you are a Domain Admin. No doubt about that. And you do need to be a domain admin in order to reset passwords and unlock users, so I don't see a way around this.
Of course you can delegate tasks in AD, especially common ones like resetting a password or unlocking an account. You can delegate permissions for every single attribute in AD, from root/site/OU down to the last object. You can even delegate permissions so that the Helpdesk can reset passwords of regular users, but only unlock an administrator account.
Helpdesk certainly doesn't need and shouldn't have domain admin permissions.
Some random links for starters:

Default security concerns in Active Directory delegation

How to Delegate Mailbox Access in Active Directory

Minimum permissions are needed for a delegated administrator to force password change at next logon procedure

How To Delegate the Unlock Account Right
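The delegation described in the two answers above (reset password on ordinary users, unlock via the lockoutTime attribute, scoped to one OU) can also be applied from PowerShell instead of the Delegation of Control wizard. This is an added example, not code from the thread or from any of the linked articles; the OU path and the HelpDesk group name are placeholders, and it assumes the RSAT ActiveDirectory module is installed.

```powershell
# Added example (not from the thread): grant a Help Desk group the
# Reset Password right and read/write on lockoutTime (unlock) for
# user objects under a single OU. Placeholders: OU path and group name.
Import-Module ActiveDirectory

$ouDn  = "OU=Staff,DC=example,DC=com"      # placeholder OU
$group = Get-ADGroup -Identity "HelpDesk"  # placeholder group
$sid   = [System.Security.Principal.SecurityIdentifier]$group.SID

# Well-known schema GUIDs used by the ACEs
$resetPasswordGuid = [Guid]"00299570-246d-11d0-a768-00aa006e0529"  # Reset Password extended right
$lockoutTimeGuid   = [Guid]"28630ebf-41d5-11d1-a9c1-0000f80367c1"  # lockoutTime attribute
$userClassGuid     = [Guid]"bf967aba-0de6-11d0-a285-00aa003049e2"  # user object class

$inherit = [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents
$allow   = [System.Security.AccessControl.AccessControlType]::Allow
$acl     = Get-Acl -Path "AD:\$ouDn"

# ACE 1: Reset Password extended right, inherited only by descendant user objects
$acl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $sid,
    [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight,
    $allow, $resetPasswordGuid, $inherit, $userClassGuid)))

# ACE 2: read/write lockoutTime on descendant user objects (what "unlock" needs)
$acl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $sid,
    ([System.DirectoryServices.ActiveDirectoryRights]::ReadProperty -bor
     [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty),
    $allow, $lockoutTimeGuid, $inherit, $userClassGuid)))

Set-Acl -Path "AD:\$ouDn" -AclObject $acl

# Review what the group now holds on the OU, so the result can be audited
# before anyone is removed from Domain Admins
(Get-Acl -Path "AD:\$ouDn").Access |
    Where-Object { $_.IdentityReference.Value -like "*\HelpDesk" } |
    Select-Object ActiveDirectoryRights, AccessControlType, ObjectType,
                  InheritedObjectType, InheritanceType
```

Because the ACEs are scoped to the OU and to the user object class, the group gets nothing on accounts that live elsewhere (such as an administrators OU), which is the granularity the answers above describe.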
Joseph Daly commented:
Domain admins basically hold all the keys to the kingdom. This is not a good thing to have and this is the reason why Microsoft came up with the Delegation of Control wizard. This lets you give only the permissions necessary to certain groups. Take a read here

What I would do is use dsrevoke to remove unnecessary access that users have and then redelegate control to them properly.

I did this on my domain and it worked out great, just make sure you have a backout plan which in your case would be adding users back into the Domain Admins group.

The syntax I used for dsrevoke was this

dsrevoke /report /domain:domain domain\username or group

It will return the report of all the access that user or group has been granted.

ACE #1
Object: DC=domain,DC=com
Security Principal: domain\user
ACE does not apply to this object
ACE inherited by all child objects of class Group
ACE #2
Object: DC=Domain,DC=com
Security Principal: domain\user
ACE inherited by all child objects


ISS_Expert (Author) commented:
Thank you all.  Appreciate it.