Solved

Minimum rights required in Active Directory

Posted on 2009-05-14
Last Modified: 2012-05-07
Hello all,

I'm trying to figure out the minimum required rights a help desk worker should have to be able to move users and create new mailboxes. Thanks!
Question by:hmcnasty

Accepted Solution

by:
Mike Kline earned 250 total points
ID: 24387784
What other tasks would they be doing with user accounts?
There is a built-in group called Account Operators (that may be too much power, though):
http://technet.microsoft.com/en-us/library/cc756898.aspx
Account Operators
Members of this group can create, modify, and delete accounts for users, groups, and computers located in the Users or Computers containers and organizational units in the domain, except the Domain Controllers organizational unit. Members of this group do not have permission to modify the Administrators or the Domain Admins groups, nor do they have permission to modify the accounts for members of those groups. Members of this group can log on locally to domain controllers in the domain and shut them down. Because this group has significant power in the domain, add users with caution.
We have about 20 people in our help desk.  Two of them do account maintenance and they are in this group.  
Thanks
Mike

Assisted Solution

by:Paka
Paka earned 250 total points
ID: 24393913
Configuring a user or helpdesk to manage user accounts and mailboxes can be done, but it's a moderately difficult task.  In short, you will need to create a group such as "HelpDeskGroup" and delegate Exchange View Only Administrator rights to it (don't let the name concern you) using ESM.  Next, you will need to delegate the appropriate rights to that group - this is the tough part and is detailed in the link below.  Lastly, add the individual Help Desk accounts to the HelpDeskGroup.

Here's a link detailing the appropriate rights needed for mailbox delegation:
http://groups.google.com/group/microsoft.public.exchange.admin/browse_thread/thread/89170c9c159e81f3
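
An OU-scoped alternative to Account Operators for the "move users" half of the question, as an added example that is not from either answer or the linked thread: it grants a help desk group only the rights a move needs, using dsacls.exe. The group name and OU paths are constructed placeholders, and the mailbox rights covered by the linked thread are not reproduced here.

```powershell
# Added example: OU-scoped delegation for moving user objects with dsacls.exe.
# Group name and OU paths are constructed placeholders, not values from the thread.
$Group    = 'EXAMPLE\HelpDeskGroup'
$SourceOU = 'OU=Staff,DC=example,DC=com'
$TargetOU = 'OU=Contractors,DC=example,DC=com'

function Grant-MoveUserRights {
    param(
        [Parameter(Mandatory)] [string]$Trustee,
        [Parameter(Mandatory)] [string]$FromOU,
        [Parameter(Mandatory)] [string]$ToOU,
        [switch]$DryRun   # print the dsacls commands instead of running them
    )
    # A move needs: delete-child on the source, create-child on the target, and
    # write access to the RDN attributes (cn, name) of the objects being moved.
    $grants = @(
        @{ DN = $FromOU; Inherit = '/I:T'; Ace = "${Trustee}:DC;user"      },
        @{ DN = $FromOU; Inherit = '/I:S'; Ace = "${Trustee}:WP;cn;user"   },
        @{ DN = $FromOU; Inherit = '/I:S'; Ace = "${Trustee}:WP;name;user" },
        @{ DN = $ToOU;   Inherit = '/I:T'; Ace = "${Trustee}:CC;user"      }
    )
    foreach ($g in $grants) {
        if ($DryRun) {
            'dsacls "{0}" {1} /G "{2}"' -f $g.DN, $g.Inherit, $g.Ace
            continue
        }
        & dsacls.exe $g.DN $g.Inherit /G $g.Ace | Out-Null
        if ($LASTEXITCODE -ne 0) { throw "dsacls failed: $($g.DN) <- $($g.Ace)" }
    }
}

function Get-TrusteeAces {
    # Review step: list every ACE on an OU that names the trustee.
    param([string]$OU, [string]$Trustee)
    & dsacls.exe $OU | Select-String -SimpleMatch $Trustee
}

# Show what would be granted without touching the directory.
Grant-MoveUserRights -Trustee $Group -FromOU $SourceOU -ToOU $TargetOU -DryRun
# After a real run, confirm nothing broader than the four ACEs was granted:
# Get-TrusteeAces -OU $SourceOU -Trustee $Group
# Get-TrusteeAces -OU $TargetOU -Trustee $Group
```

The same ACEs also let the group rename or delete user objects under the source OU, so scope the source OU as narrowly as the help desk's work allows.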

Author Comment

by:hmcnasty
ID: 24424296
Thanks guys, this has been very helpful.
Question has a verified solution.