Solved

Limited domain admin account?

Posted on 2010-09-03
2
391 Views
Last Modified: 2012-05-10
Hello Experts,

I'd like to create an account for a junior admin person but would only like to give him access to reset account passwords, reset account lockouts, etc...   but would not want to use a domain admin account.  What's the best method/way to provision such an account?  I don't want to give the admin too much permissions, but just enough to provide helpdesk password reset ability.
0
Comment
Question by:taki1gostek
2 Comments
 
LVL 57

Accepted Solution

by:
Mike Kline earned 500 total points
ID: 33598201
Good move definitely don't give him domain admin rights.  You can use the delegation control wizard in ADUC to give him rights.  You can also extend the delegation control wizard
http://adisfun.blogspot.com/2009/08/extend-ad-delegation-control-wizard.html
In that entry I have links to the Microsoft delegation docs.
If the junior admin ever control all aspects of accounts you can also add him to "account operators"...note account operators can't change/modify the DA group..that is a good thing
Thanks
Mike
0
 
LVL 2

Author Closing Comment

by:taki1gostek
ID: 33599057
Awesome, just what I was after.
0

Join & Write a Comment

Suggested Solutions

Title # Comments Views Activity
Event ID: 7023 / Source: Service Control Manager 4 51
Trasfering FSMO roles 8 77
active directory 3 20
What is this Task? 4 40
Setting up a Microsoft WSUS update system is free relatively speaking if you have hard disk space and processor capacity.   However, WSUS can be a blessing and a curse. For example, there is nothing worse than approving updates and they just have…
A quick step-by-step overview of installing and configuring Carbonite Server Backup.
This tutorial will walk an individual through the process of transferring the five major, necessary Active Directory Roles, commonly referred to as the FSMO roles from a Windows Server 2008 domain controller to a Windows Server 2012 domain controlle…
This tutorial will walk an individual through the process of configuring their Windows Server 2012 domain controller to synchronize its time with a trusted, external resource. Use Google, Bing, or other preferred search engine to locate trusted NTP …

760 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

18 Experts available now in Live!

Get 1:1 Help Now