Solved

Windows 2008 R2 Active Directory Administration

Posted on 2010-09-17
9
737 Views
Last Modified: 2012-06-21
Which group should a user belong to to be able to add/remove/update users without being an Active Directory Domain Administrator?
0
Comment
Question by:Darek_Danielewski
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
9 Comments
 
LVL 10

Assisted Solution

by:jorlando66
jorlando66 earned 20 total points
ID: 33700529
You can assign this by organizational unit by delegating control to the user. This way they cdn add/remove/update users from specific OU's and be restricted from others.  In ADUC right click the OU and select delegate control.
0
 
LVL 70

Accepted Solution

by:
KCTS earned 30 total points
ID: 33700645
Yep - thats the way to go - you can't use a built in group - you would give them too much  - Create a new Security group for the users you want to delegate to - add their accounts to this security group.

Create an Organisational unit containing the accounts you want them to be able to control (or you can use the domain if you want them all)

Right click on the OU (or domain) and select Delegate control and select the new security group and the tasks that you want them to be able to perform.

So that they can do this from their own machines - without the need to log onto the DC - which would be bad - ass the remote server admin tools to their PCs - you can optionally also create a taskpad to make it more simple for them

http://www.microsoft.com/downloads/en/details.aspx?FamilyId=9FF6E897-23CE-4A36-B7FC-D52065DE9960&displaylang=en

or

http://www.microsoft.com/downloads/en/details.aspx?FamilyID=7D2F6AD7-656B-4313-A005-4E344E43997D

0
 
LVL 57

Expert Comment

by:Mike Kline
ID: 33700836
You can also use the built in account operators group

Thanks

Mike
0
The Eight Noble Truths of Backup and Recovery

How can IT departments tackle the challenges of a Big Data world? This white paper provides a roadmap to success and helps companies ensure that all their data is safe and secure, no matter if it resides on-premise with physical or virtual machines or in the cloud.

 
LVL 51

Expert Comment

by:Netman66
ID: 33701074
I second the Account Operators group.

0
 
LVL 22

Expert Comment

by:Joseph Moody
ID: 33701126
Third!
0
 
LVL 7

Expert Comment

by:grantsewell
ID: 33702129
You have to be careful with account operators - because they have full permissions over computer accounts as well, including domain controller accounts by default.

Built-in groups ARE too powerful, create a group and delegate all the specific permissions you need.
0
 
LVL 51

Expert Comment

by:Netman66
ID: 33703216
I challenge you to delete a DC as Account Operator only.

0
 
LVL 51

Expert Comment

by:Netman66
ID: 33703256
Quote:

Account Operators is a default groups located in the Builtin container. Members of this group can create, modify, and delete accounts for users, groups, and computers located in the Users or Computers containers and organizational units in the domain, except the Domain Controllers organizational unit. Members of this group do not have permission to modify the Administrators or the Domain Admins groups, nor do they have permission to modify the accounts for members of those groups. Members of this group can log on locally to domain controllers in the domain and shut them down. Therefore, the Account Operators group has significant power in the domain and we recommend that you add members to it with caution.  

End Quote.

There is a bug that I am not certain is fixed whereby a member server promoted to DC retains the Account Operator FC ACE, but if the DC is in the Domain Controllers OU, then the Account Operator can't do anything other than log in to it (and shut it down - which is bad enough).
0
 
LVL 57

Expert Comment

by:Mike Kline
ID: 33703305
If you can figure out a way to elevate with just account operator rights and delete a DC then you will get a speaking spot at TEC or another conference showing how to do that.  
....and I'm not talking about if you have physical access to a DC and use those hacks...just logging in with an user in the account operators group
 
Thanks
Mike
0

Featured Post

Business Impact of IT Communications

What are the business impacts of how well businesses communicate during an IT incident? Targeting, speed, and transparency all matter. Find out more in this infographic.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Uncontrolled local administrators groups within any organization pose a huge security risk. Because these groups are locally managed it becomes difficult to audit and maintain them.
Recovering from what the press called "the largest-ever cyber-attack", IT departments worldwide are discussing ways to defend against this in the future. In this process, many people are looking for immediate actions while, instead, they need to tho…
This tutorial will show how to configure a new Backup Exec 2012 server and move an existing database to that server with the use of the BEUtility. Install Backup Exec 2012 on the new server and apply all of the latest hotfixes and service packs. The…
Microsoft Active Directory, the widely used IT infrastructure, is known for its high risk of credential theft. The best way to test your Active Directory’s vulnerabilities to pass-the-ticket, pass-the-hash, privilege escalation, and malware attacks …

729 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question