[Last Call] Learn about multicloud storage options and how to improve your company's cloud strategy. Register Now

x
?
Solved

Limited domain admin account?

Posted on 2010-09-03
2
Medium Priority
?
411 Views
Last Modified: 2012-05-10
Hello Experts,

I'd like to create an account for a junior admin person but would only like to give him access to reset account passwords, reset account lockouts, etc...   but would not want to use a domain admin account.  What's the best method/way to provision such an account?  I don't want to give the admin too much permissions, but just enough to provide helpdesk password reset ability.
0
Comment
Question by:taki1gostek
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
2 Comments
 
LVL 57

Accepted Solution

by:
Mike Kline earned 2000 total points
ID: 33598201
Good move definitely don't give him domain admin rights.  You can use the delegation control wizard in ADUC to give him rights.  You can also extend the delegation control wizard
http://adisfun.blogspot.com/2009/08/extend-ad-delegation-control-wizard.html
In that entry I have links to the Microsoft delegation docs.
If the junior admin ever control all aspects of accounts you can also add him to "account operators"...note account operators can't change/modify the DA group..that is a good thing
Thanks
Mike
0
 
LVL 2

Author Closing Comment

by:taki1gostek
ID: 33599057
Awesome, just what I was after.
0

Featured Post

Are your AD admin tools letting you down?

Managing Active Directory can get complicated.  Often, the native tools for managing AD are just not up to the task.  The largest Active Directory installations in the world have relied on one tool to manage their day-to-day administration tasks: Hyena. Start your trial today.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

A bad practice commonly found during an account life cycle is to set its password to an initial, insecure password. The Password Reset Tool was developed to make the password reset process easier and more secure.
Wouldn't it be nice if objects in Active Directory automatically moved into the correct Organizational Units? This is what AutoAD aims to do and as a plus, it automatically creates Sites, Subnets, and Organizational Units.
Attackers love to prey on accounts that have privileges. Reducing privileged accounts and protecting privileged accounts therefore is paramount. Users, groups, and service accounts need to be protected to help protect the entire Active Directory …
Are you ready to implement Active Directory best practices without reading 300+ pages? You're in luck. In this webinar hosted by Skyport Systems, you gain insight into Microsoft's latest comprehensive guide, with tips on the best and easiest way…
Suggested Courses

650 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question