Want to protect your cyber security and still get fast solutions? Ask a secure question today.Go Premium

x
  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 418
  • Last Modified:

Limited domain admin account?

Hello Experts,

I'd like to create an account for a junior admin person but would only like to give him access to reset account passwords, reset account lockouts, etc...   but would not want to use a domain admin account.  What's the best method/way to provision such an account?  I don't want to give the admin too much permissions, but just enough to provide helpdesk password reset ability.
0
taki1gostek
Asked:
taki1gostek
1 Solution
 
Mike KlineCommented:
Good move definitely don't give him domain admin rights.  You can use the delegation control wizard in ADUC to give him rights.  You can also extend the delegation control wizard
http://adisfun.blogspot.com/2009/08/extend-ad-delegation-control-wizard.html
In that entry I have links to the Microsoft delegation docs.
If the junior admin ever control all aspects of accounts you can also add him to "account operators"...note account operators can't change/modify the DA group..that is a good thing
Thanks
Mike
0
 
taki1gostekAuthor Commented:
Awesome, just what I was after.
0

Featured Post

Free Tool: Site Down Detector

Helpful to verify reports of your own downtime, or to double check a downed website you are trying to access.

One of a set of tools we are providing to everyone as a way of saying thank you for being a part of the community.

Tackle projects and never again get stuck behind a technical roadblock.
Join Now