In Active Directory 2003 Need to Assign Role based access to certain users.

Dlala
Hi,

I am trying to figure out how to assign a user extra privileges, let's say unlocking/locking other user accounts, without assigning them Domain Admin rights. Is it possible in AD 2003? Kindly advise.

Regards
Commented:
Try delegating control... You can customize the permissions according to your requirements.

Here are very good articles to start with...

http://www.windowsecurity.com/articles/Implementing-Active-Directory-Delegation-Administration.html

http://www.microsoft.com/DownLoads/details.aspx?familyid=631747A3-79E1-48FA-9730-DAE7C0A1D6D3&displaylang=en


Top Expert 2013
Commented:
You can also extend the delegation control wizard to give you a lot more options if you prefer that method.  More on that on my blog here
http://adisfun.blogspot.com/2009/08/extend-ad-delegation-control-wizard.html
Thanks
Mike
Premkumar Yogeswaran, Sr. Analyst - System Administrator

Commented:
Hi,
For delegation you can use these links for step-by-step guidance on various delegations.
http://www.activewin.com/win2000/step_by_step/active_directory/delegsteps.shtml
http://www.winnetmag.com/ActiveDirectory/Article/ArticleID/40820/ActiveDirectory_40820.html

For a minimized view in AD, use the Taskpad view so that the person has a minimal view in AD Users and Computers.

Author

Commented:
Murali, Mike and Prem, this is fine; it tells you exactly how to delegate control, but what I am looking for is which option I need to check for lock/unlock user account in Delegate Control.

Regards
Premkumar Yogeswaran, Sr. Analyst - System Administrator

Commented:
Hi,
This link can help you...!
http://support.microsoft.com/kb/294952

Author

Commented:
Hi Prem,

As instructed in the solution, I did the same, but the user is still not able to lock/unlock accounts. Is there something I need to refresh?

Regards
Premkumar Yogeswaran, Sr. Analyst - System Administrator

Commented:
Hi Dlala,
Can you try the same delegation steps at the domain level?

Author

Commented:
I did, but the user is still not able to lock/unlock accounts.
Premkumar Yogeswaran, Sr. Analyst - System Administrator

Commented:
Can you try this...!

To delegate the right to unlock locked user accounts to a user or group in Active Directory, you must first make the right visible.

The %Systemroot%\System32\Dssec.dat file contains filters that control whether a right is revealed, and can be written. Open Dssec.dat in Notepad and find [User]. Within [User], the lockoutTime entry is listed alphabetically. Change the mask from 7 to 0, yielding lockoutTime=0.

NOTE: The mask values appear to be:

0 - Read and Write of property unfiltered
1 - Read of property filtered
2 - Write of property filtered
7 - Filter out property.

Save the change.

To delegate the right:

1. Right-click the domain in Active Directory Users and Computers and press Delegate Control from the context menu.

2. Press Next on the Welcome.... dialog.

3. Press Add and select the user or group.

4. Press OK and Next.

5. Select Create a custom task to delegate and press Next.

6. Select Only the following objects in the folder:. In the list, press User objects and Next.

7. Clear the General selection and select the Property-specific box.

8. Select both the Read lockoutTime and Write lockoutTime boxes and press Next.

9. Press Finish.

NOTE: These rights are domain specific and can NOT be assigned to an OU.
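
The check implied by the Dssec.dat step above, as an added example that is not part of the original post: it parses Dssec.dat-style text and reports whether the Read and Write lockoutTime boxes from step 8 would be offered for user objects. The sample text and the function names are constructed for illustration, the mask meanings are the ones listed in the post, and treating an unlisted property as unfiltered is an assumption.

```python
# Added example: report whether Dssec.dat hides a property from the
# Delegation of Control wizard, using the mask values listed in the post.

# Constructed sample text, not an excerpt from a real Dssec.dat.
SAMPLE = """\
[User]
lastLogon=7
lockoutTime=7
mail=0

[group]
member=0
"""


def parse_dssec(text):
    """Return {class_name: {property: mask}} with names lowercased."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = sections.setdefault(line[1:-1].strip().lower(), {})
        elif current is not None and "=" in line:
            name, _, value = line.partition("=")
            if value.strip().isdigit():
                current[name.strip().lower()] = int(value.strip())
    return sections


def visibility(text, object_class, prop):
    """Return (mask, read_shown, write_shown) for one property."""
    props = parse_dssec(text).get(object_class.lower(), {})
    # Assumption: a property that is not listed is unfiltered (mask 0).
    mask = props.get(prop.lower(), 0)
    # Per the post: 0 = unfiltered, 1 = read filtered, 2 = write filtered,
    # 7 = filtered out. Any other value is treated as hidden here.
    return mask, mask in (0, 2), mask in (0, 1)


def can_select_unlock_boxes(text):
    """True when both boxes from step 8 would be offered for user objects."""
    _, read_shown, write_shown = visibility(text, "user", "lockoutTime")
    return read_shown and write_shown


if __name__ == "__main__":
    print(visibility(SAMPLE, "user", "lockoutTime"))
    print(can_select_unlock_boxes(SAMPLE.replace("lockoutTime=7", "lockoutTime=0")))
```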

Author

Commented:
Prem, the above solution is for Windows 2000; I am running AD 2003. I tried delegation at the domain level but it's not reflected in the user's privileges.

Regards
