Solved

Windows 2000 AD Group Delegation Help

Posted on 2009-04-02
3
168 Views
Last Modified: 2012-05-06
Right now I'm running a Windows 2000 domain. I want to give my four help desk users the ability to do the following ONLY:
- Able to add / remove a PC to the domain.
- Reset users' passwords, but cannot reset domain admin or service account passwords.
- Is a member of the local Admins group on all workstations and not on servers!

Any thoughts?
Question by:compdigit44
3 Comments
 
LVL 57

Accepted Solution

by:
Mike Kline earned 250 total points
ID: 24054052
For the first two you can use the Delegation of Control wizard and give those rights to the help desk group (place the users in a group) -- see screenshot.
For the admin group task I'd use Restricted Groups. Florian has a great blog on the subject here:
http://www.frickelsoft.net/blog/?p=13
One thing to note: with Restricted Groups you can either add to what is there or wipe out what is there and add new groups.
For this you just want to add the help desk group, so just remember that part. I'd test on a few machines first so you get a feel for it. Then link the policy to the OU where your workstations are located.
Thanks
Mike

Delegation-Wizard.jpg
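What the Delegation of Control wizard writes for the first two tasks is a handful of ACEs on the OUs. The script below is an added example, not Mike's code or anything from the thread; it sets the same ACEs with System.DirectoryServices over plain LDAP, which a PowerShell 2.0 admin workstation can do against a Windows 2000 DC without the ActiveDirectory module. The group name CONTOSO\HelpDesk, the OU names and the DC=contoso,DC=com suffix are assumptions; the schema GUIDs are fixed across all forests. The "cannot reset domain admin or service account passwords" requirement is met by keeping those accounts in an OU that never receives the reset ACE; members of Domain Admins are covered anyway, because AdminSDHolder re-stamps its own ACL onto protected accounts and drops delegated rights.

```powershell
# Added example (not from the thread). Assumes CONTOSO\HelpDesk,
# OU=Workstations and OU=Staff under DC=contoso,DC=com. Run as a Domain Admin.
Add-Type -AssemblyName System.DirectoryServices

$helpDesk = (New-Object System.Security.Principal.NTAccount("CONTOSO", "HelpDesk")).Translate(
    [System.Security.Principal.SecurityIdentifier])

# Well-known schema GUIDs; identical in every AD forest.
$computerClass = [Guid]"bf967a86-0de6-11d0-a285-00aa003049e2"   # computer object class
$userClass     = [Guid]"bf967aba-0de6-11d0-a285-00aa003049e2"   # user object class
$resetPassword = [Guid]"00299570-246d-11d0-a768-00aa006e0529"   # "Reset Password" control access right
$pwdLastSet    = [Guid]"bf967a0a-0de6-11d0-a285-00aa003049e2"   # pwdLastSet attribute

$Rights  = [System.DirectoryServices.ActiveDirectoryRights]
$Inherit = [System.DirectoryServices.ActiveDirectorySecurityInheritance]
$Allow   = [System.Security.AccessControl.AccessControlType]::Allow

function Grant-Ace {
    param([string]$Path, [System.DirectoryServices.ActiveDirectoryAccessRule]$Rule)
    $entry = [ADSI]$Path
    $entry.psbase.ObjectSecurity.AddAccessRule($Rule)   # edit the DACL in place
    $entry.psbase.CommitChanges()                       # write nTSecurityDescriptor back
}

# Task 1: create and delete computer objects (join / unjoin) anywhere under the
# workstation OU. objectType = computer class limits the right to that class.
$wsOu = "LDAP://OU=Workstations,DC=contoso,DC=com"
$joinRule = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $helpDesk, [System.DirectoryServices.ActiveDirectoryRights]"CreateChild, DeleteChild",
    $Allow, $computerClass, $Inherit::All)
Grant-Ace $wsOu $joinRule

# Task 2: reset passwords on user objects below the staff OU only. The
# "must change password at next logon" box also needs Read/Write pwdLastSet.
# Service accounts live in a different OU (assumption) that never gets these ACEs.
$staffOu = "LDAP://OU=Staff,DC=contoso,DC=com"
$resetRule = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $helpDesk, $Rights::ExtendedRight, $Allow, $resetPassword, $Inherit::Descendents, $userClass)
$pwdRule = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $helpDesk, [System.DirectoryServices.ActiveDirectoryRights]"ReadProperty, WriteProperty",
    $Allow, $pwdLastSet, $Inherit::Descendents, $userClass)
Grant-Ace $staffOu $resetRule
Grant-Ace $staffOu $pwdRule

# Check: show exactly what HelpDesk now holds on each OU (explicit ACEs only).
foreach ($path in $wsOu, $staffOu) {
    ([ADSI]$path).psbase.ObjectSecurity.GetAccessRules($true, $false, [System.Security.Principal.SecurityIdentifier]) |
        Where-Object { $_.IdentityReference -eq $helpDesk } |
        Select-Object @{n="OU";e={$path}}, ActiveDirectoryRights, ObjectType, InheritedObjectType, InheritanceType
}
```

The final loop is the part worth keeping around: run it after using the wizard as well, and compare the output against what you intended to delegate, since the wizard's "Reset user passwords" task adds the pwdLastSet ACEs silently and a later "custom task" can widen the scope to all object types.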
 
LVL 20

Author Comment

by:compdigit44
ID: 24055388
Do you have any suggestions on using the Restricted Groups policy? Here is a question: what if a user has local admin rights on their specific workstation? I don't want this policy to wipe this out! Also I was hoping to place this policy at the root of my domain since I have multiple OUs for multiple different sites,
yet I don't want my servers to be affected...

please help
 
LVL 18

Assisted Solution

by:Americom
Americom earned 250 total points
ID: 24056073
Regarding the Restricted Groups policy, everything you need to know about how to create and use the GPO is clearly explained in the link Mike provided above. As Mike has suggested, the best way is to test it out. For example, create a test OU, place a workstation in the OU, then create the GPO for the group you want to add and link the GPO to the OU. This way you can verify that the group you added is in the Administrators group of the workstation in that OU.

Regarding linking the GPO to the domain, that will create more work for you, especially since I'm sure there are a lot of other machines such as servers that you don't want the GPO to apply to. Also, if you link at the domain level, you have to be careful each time you create a new OU that may have machines you do not want the GPO to apply to; then you end up doing Block Inheritance etc., which is high maintenance.

What we do is create a root OU for all workstations and one OU for all servers. Within each OU, we organize the workstations by location. For servers, you may want to organize by function like apps, file, print, database etc., as these functions are more specific and sensitive for servers, whereas workstations are more sensitive to location as they will be used by the local users etc. You may consider reorganizing your systems this way to eliminate administrative overhead.
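The verification step both answers describe, and the asker's worry about per-machine local admins being wiped, can be checked from the admin workstation instead of by logging on to each test machine. The script below is an added example, not Americom's or Mike's code; it reads each test workstation's local Administrators group over the network through the WinNT ADSI provider (which works against Windows 2000 clients) after the Restricted Groups GPO has been linked to the test OU and policy refreshed with Windows 2000's "secedit /refreshpolicy machine_policy /enforce". The computer names and CONTOSO\HelpDesk are assumptions. The distinction it checks is the one Mike mentioned: the "Members of this group" setting replaces the whole membership, while "This group is a member of" only adds the help desk group, leaving any existing per-machine admin account in place.

```powershell
# Added example (not from the thread). Assumes test workstations WS-TEST01 and
# WS-TEST02 in the test OU and the help desk group CONTOSO\HelpDesk.

function Get-LocalAdministrators {
    param([string]$Computer)
    $group = [ADSI]"WinNT://$Computer/Administrators,group"
    foreach ($m in @($group.psbase.Invoke("Members"))) {
        # Members come back as raw COM objects; read ADsPath through reflection.
        $path = $m.GetType().InvokeMember("ADsPath", "GetProperty", $null, $m, $null)
        # ADsPath is WinNT://CONTOSO/HelpDesk for domain principals and
        # WinNT://CONTOSO/WS-TEST01/jsmith (or WinNT://WS-TEST01/jsmith) for local
        # accounts; the last two components give AUTHORITY\name either way.
        $parts = ($path -replace '^WinNT://', '') -split '/'
        "{0}\{1}" -f $parts[-2], $parts[-1]
    }
}

function Test-RestrictedGroupsResult {
    param([string]$Computer, [string]$HelpDeskGroup)
    $members = @(Get-LocalAdministrators -Computer $Computer)
    # Per-machine admins are members whose authority is the workstation itself,
    # other than the built-in Administrator. "Members of this group" mode would
    # have removed them; "This group is a member of" mode leaves them alone.
    $perMachine = @($members | Where-Object { $_ -like "$Computer\*" -and $_ -ne "$Computer\Administrator" })
    New-Object PSObject -Property @{
        Computer         = $Computer
        HelpDeskPresent  = ($members -contains $HelpDeskGroup)
        PerMachineAdmins = ($perMachine -join ", ")
        AllMembers       = ($members -join ", ")
    }
}

$results = foreach ($c in "WS-TEST01", "WS-TEST02") {
    Test-RestrictedGroupsResult -Computer $c -HelpDeskGroup "CONTOSO\HelpDesk"
}
$results | Format-Table Computer, HelpDeskPresent, PerMachineAdmins, AllMembers -AutoSize
```

If HelpDeskPresent is True but PerMachineAdmins is empty on a machine that had one before the link, the policy was built with the wrong box; the same loop pointed at a server in the servers OU should show HelpDeskPresent False, which is the "not on servers" requirement confirmed rather than assumed.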
