Restricting Privileges to Administrators

Posted on 2009-02-19
Last Modified: 2013-11-05
Hi All,

Currently we have over 25 domain administrators in our network.  Some of them (e.g.  Service desk) have been granted this privilege for the purpose of resetting passwords, unlocking users etc.  The Network Manager claims that their access cannot be restricted and that they are planning to implement a web based solution that would provide an interface with limited menu items.  I would like to confirm with the experts here that it is not possible to create various roles for different users.

Question by:ISS_Expert
    LVL 9

    Expert Comment

    by:Ken Fayal
    You pretty much have the door wide open if you are a Domain Admin.  No doubt about that.  And you do need to be a domain admin in order to reset passwords and unlock users, so I don't see a way around this.
    LVL 58

    Accepted Solution


    I'm afraid both you and the previous poster have been misinformed. There is no reason why you should have users in the Help Desk as Domain Admins. That pretty much annihilates any type of security you try to implement on your network, since those users with Domain Admin privileges can log in and access pretty much anything they wanted to.

    Active Directory is specifically designed so that you can elevate a certain user or group of users' privileges to give them the ability to make changes to certain users, such as resetting passwords, unlocking user accounts and so on. You can use the Delegation of Control wizard for this. On the OU(s) which the Help Desk users would need to have access to, you right-click the OU and choose 'Delegation of Control'. You can then step through the wizard and assign the appropriate permissions.

    By delegating control, they can still use the usual AD Users and Computers tool to manage the users, but they don't need Domain Admin rights. They can be standard users. Plus, they don't have access to the whole domain - only the OUs you permit them to control.
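    The delegation the wizard performs can also be scripted so it is reviewable and repeatable. The following PowerShell is an added example and not code from the original thread; it grants one help-desk group the "Reset Password" extended right and write access to the lockoutTime attribute (what an unlock writes) on user objects under one OU, and nothing more. The OU path and group name are placeholders; it assumes the RSAT ActiveDirectory module and an account permitted to change the OU's ACL.

```powershell
# Added example (not from the original thread): the grant that the
# Delegation of Control wizard makes, expressed as two explicit ACEs on one OU.
# Requires the RSAT ActiveDirectory module and rights to modify the OU's ACL.
Import-Module ActiveDirectory

$ouDN     = 'OU=Staff,DC=example,DC=com'   # placeholder: the OU the help desk should manage
$groupSam = 'EXAMPLE\HelpDesk'             # placeholder: the delegated help-desk group

# Well-known schema GUIDs: the user class, the Reset Password control access
# right, and the lockoutTime attribute.
$userClassGuid     = [Guid]'bf967aba-0de6-11d0-a285-00aa003049e2'
$resetPasswordGuid = [Guid]'00299570-246d-11d0-a768-00aa006e0529'
$lockoutTimeGuid   = [Guid]'28630ebf-41d5-11d1-a9c1-0000f80367c1'

$sid = (New-Object System.Security.Principal.NTAccount($groupSam)).Translate(
           [System.Security.Principal.SecurityIdentifier])

$allow       = [System.Security.AccessControl.AccessControlType]::Allow
$descendants = [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents

# ACE 1: Reset Password extended right, inherited by descendant user objects only.
$resetRule = New-Object System.DirectoryServices.ActiveDirectoryAccessRule -ArgumentList `
    $sid, [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight, $allow,
    $resetPasswordGuid, $descendants, $userClassGuid

# ACE 2: read/write the lockoutTime attribute on descendant users (unlock account).
$unlockRule = New-Object System.DirectoryServices.ActiveDirectoryAccessRule -ArgumentList `
    $sid, ([System.DirectoryServices.ActiveDirectoryRights]::ReadProperty -bor
           [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty), $allow,
    $lockoutTimeGuid, $descendants, $userClassGuid

# Read the OU's security descriptor, add both rules, write it back.
$acl = Get-Acl -Path "AD:\$ouDN"
$acl.AddAccessRule($resetRule)
$acl.AddAccessRule($unlockRule)
Set-Acl -Path "AD:\$ouDN" -AclObject $acl

# Confirm: only the two explicit ACEs for the group should appear on the OU.
(Get-Acl -Path "AD:\$ouDN").Access |
    Where-Object { -not $_.IsInherited -and $_.IdentityReference.Value -eq $groupSam } |
    Format-Table IdentityReference, ActiveDirectoryRights, ObjectType, InheritedObjectType -AutoSize
```

Because both ACEs are scoped to descendant objects of class user, the group gets nothing on groups, computers or the OU itself, and because neither rule touches the domain root, the help desk's reach stays limited to that one OU, which is exactly the point of taking them out of Domain Admins.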

    LVL 82

    Assisted Solution

    Of course you can delegate tasks in AD, especially common ones like resetting a password or unlocking an account. You can delegate permissions for every single attribute in AD, from root/site/ou down to the last object. You can even delegate permissions so that the Helpdesk can reset passwords of regular users, but only unlock an administrator account.
    Helpdesk certainly doesn't need and shouldn't have domain admin permissions.
    Some random links for starters:

    Default security concerns in Active Directory delegation

    How to Delegate Mailbox Access in Active Directory

    Minimum permissions are needed for a delegated administrator to force password change at next logon procedure

    How To Delegate the Unlock Account Right
    LVL 35

    Assisted Solution

    by:Joseph Daly
    Domain admins basically hold all the keys to the kingdom. This is not a good thing to have and this is the reason why Microsoft came up with the delegation of control wizard. This lets you give only the permissions necessary to certain groups. Take a read here

    What I would do is use DSrevoke to remove unnecessary access that users have and then redelegate control to them properly.


    I did this on my domain and it worked out great, just make sure you have a backout plan which in your case would be adding users back into the domain admins group.

    The syntax I used for dsrevoke was this

    dsrevoke /report /domain:domain domain\username or group

    It will return the report of all the access that user or group has been granted.

    ACE #1
    Object: DC=domain,DC=com
    Security Principal: domain\user
    ACE Type: ALLOW
    ACE does not apply to this object
    ACE inherited by all child objects of class Group
    ACE #2
    Object: DC=Domain,DC=com
    Security Principal: domain\user
    ACE Type: ALLOW
    ACE inherited by all child objects
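    The dsrevoke report above lists, per container, the explicit ACEs held by one principal. The same audit can be done from PowerShell, which is useful for the "before and after" check when you pull a group out of Domain Admins. The script below is an added example and not from the original thread or the dsrevoke tool; it is read-only, walks the domain root and every OU, and resolves the GUIDs in each ACE to attribute, class or extended-right names so the output reads like dsrevoke's "inherited by all child objects of class Group". The principal name is a placeholder and the RSAT ActiveDirectory module is assumed.

```powershell
# Added example (not from the original thread): a read-only report, in the
# spirit of "dsrevoke /report", of every explicit ACE granted to one principal
# on the domain root and all OUs. Requires the RSAT ActiveDirectory module.
Import-Module ActiveDirectory

# Build a GUID -> name map from the schema (attributes and classes) and the
# Extended-Rights container (control access rights such as Reset Password).
function Get-AdGuidMap {
    $rootDse = Get-ADRootDSE
    $map = @{}
    Get-ADObject -SearchBase $rootDse.SchemaNamingContext -LDAPFilter '(schemaIDGUID=*)' `
        -Properties lDAPDisplayName, schemaIDGUID |
        ForEach-Object { $map[[Guid]$_.schemaIDGUID] = $_.lDAPDisplayName }
    Get-ADObject -SearchBase "CN=Extended-Rights,$($rootDse.ConfigurationNamingContext)" `
        -LDAPFilter '(objectClass=controlAccessRight)' -Properties displayName, rightsGuid |
        ForEach-Object { $map[[Guid]$_.rightsGuid] = $_.displayName }
    return $map
}

function Get-PrincipalAces {
    param(
        [Parameter(Mandatory)] [string] $Principal,           # e.g. 'EXAMPLE\HelpDesk' (placeholder)
        [string] $SearchBase = (Get-ADDomain).DistinguishedName
    )
    $guidMap    = Get-AdGuidMap
    $inheritOnly = [System.Security.AccessControl.PropagationFlags]::InheritOnly
    $containers = @($SearchBase) + (Get-ADOrganizationalUnit -Filter * -SearchBase $SearchBase |
                                    Select-Object -ExpandProperty DistinguishedName)
    foreach ($dn in $containers) {
        $acl = Get-Acl -Path "AD:\$dn"
        foreach ($ace in $acl.Access) {
            # Only rights granted on this container itself, as dsrevoke reports them.
            if ($ace.IsInherited) { continue }
            if ($ace.IdentityReference.Value -ne $Principal) { continue }
            $objType = if ($ace.ObjectType -eq [Guid]::Empty) { 'All' }
                       else { $guidMap[$ace.ObjectType]; if (-not $guidMap[$ace.ObjectType]) { $ace.ObjectType } }
            $inhType = if ($ace.InheritedObjectType -eq [Guid]::Empty) { 'All' }
                       else { $guidMap[$ace.InheritedObjectType]; if (-not $guidMap[$ace.InheritedObjectType]) { $ace.InheritedObjectType } }
            [pscustomobject]@{
                Object              = $dn
                SecurityPrincipal   = $ace.IdentityReference.Value
                AceType             = $ace.AccessControlType
                Rights              = $ace.ActiveDirectoryRights
                ObjectType          = $objType      # attribute / extended right the ACE covers
                InheritedToClass    = $inhType      # object class the ACE is inherited by
                AppliesToThisObject = (($ace.PropagationFlags -band $inheritOnly) -eq 0)
            }
        }
    }
}

# Usage: run once before and once after changing group membership or ACLs,
# and diff the two outputs.
Get-PrincipalAces -Principal 'EXAMPLE\HelpDesk' | Format-Table -AutoSize
```

An ACE with `AppliesToThisObject` false corresponds to dsrevoke's "ACE does not apply to this object" line: it exists only to be inherited by children. Anything listed on the domain root (`DC=...`) for a help-desk principal deserves a second look, since that is the scope the delegation should not have.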


    LVL 1

    Author Closing Comment

    Thank you all.  Appreciate it.
