Solved

Windows 2008 R2 Active Directory Administration

Posted on 2010-09-17
9
736 Views
Last Modified: 2012-06-21
Which group should a user belong to to be able to add/remove/update users without being an Active Directory Domain Administrator?
Question by:Darek_Danielewski
9 Comments
 
LVL 10

Assisted Solution

by:jorlando66
jorlando66 earned 20 total points
ID: 33700529
You can assign this by organizational unit by delegating control to the user. This way they can add/remove/update users from specific OUs and be restricted from others. In ADUC right click the OU and select Delegate Control.
0
 
LVL 70

Accepted Solution

by:
KCTS earned 30 total points
ID: 33700645
Yep - that's the way to go - you can't use a built-in group - you would give them too much - Create a new Security group for the users you want to delegate to - add their accounts to this security group.

Create an Organisational unit containing the accounts you want them to be able to control (or you can use the domain if you want them all)

Right click on the OU (or domain) and select Delegate control and select the new security group and the tasks that you want them to be able to perform.

So that they can do this from their own machines - without the need to log onto the DC - which would be bad - add the remote server admin tools to their PCs - you can optionally also create a taskpad to make it more simple for them

http://www.microsoft.com/downloads/en/details.aspx?FamilyId=9FF6E897-23CE-4A36-B7FC-D52065DE9960&displaylang=en

or

http://www.microsoft.com/downloads/en/details.aspx?FamilyID=7D2F6AD7-656B-4313-A005-4E344E43997D

0
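The delegation steps in the accepted answer, scripted as an added example (not part of the original answer). It assumes the ActiveDirectory PowerShell module and `dsacls` from the remote server admin tools; the OU name `Staff`, the group name `Staff-UserAdmins` and the empty `$delegates` list are placeholders. It also lists who is in Account Operators, the kind of built-in group the answer advises against.

```powershell
# Added example. Placeholders: OU "Staff", group "Staff-UserAdmins", $delegates.
# Run with an account that is allowed to change the ACL on the target OU.
Import-Module ActiveDirectory

$domain    = Get-ADDomain
$ouName    = 'Staff'               # placeholder: OU holding the managed accounts
$groupName = 'Staff-UserAdmins'    # placeholder: group that receives the delegation
$delegates = @()                   # sAMAccountNames of the delegated admins
$ouDn      = "OU=$ouName,$($domain.DistinguishedName)"
$trustee   = "$($domain.NetBIOSName)\$groupName"

# 1. Create the OU and the security group if they do not exist yet.
#    The group lives outside the OU it manages.
if (-not (Get-ADOrganizationalUnit -Filter "Name -eq '$ouName'" `
        -SearchBase $domain.DistinguishedName -SearchScope OneLevel)) {
    New-ADOrganizationalUnit -Name $ouName -Path $domain.DistinguishedName
}
if (-not (Get-ADGroup -Filter "SamAccountName -eq '$groupName'")) {
    New-ADGroup -Name $groupName -SamAccountName $groupName `
        -GroupScope Global -GroupCategory Security -Path $domain.UsersContainer
}
if ($delegates) { Add-ADGroupMember -Identity $groupName -Members $delegates }

# 2. Delegate on the OU only:
#    /I:T  this OU and sub-OUs: create and delete child objects of class user
#    /I:S  descendant objects:  full control, limited to user objects
$grants = @(
    @('/I:T', "${trustee}:CCDC;user"),
    @('/I:S', "${trustee}:GA;;user")
)
foreach ($g in $grants) {
    dsacls $ouDn $g[0] /G $g[1] | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "dsacls failed for $($g[1])" }
}

# 3. Review the ACEs the group now holds on the OU.
(Get-Acl -Path "AD:\$ouDn").Access |
    Where-Object { $_.IdentityReference.Value -eq $trustee } |
    Select-Object ActiveDirectoryRights, InheritanceType, ObjectType, InheritedObjectType

# 4. Check who already holds the broader built-in right.
Get-ADGroupMember -Identity 'Account Operators' -Recursive |
    Select-Object Name, SamAccountName, objectClass
```

Step 3 should show only the two ACEs granted in step 2; anything returned by step 4 is an account with rights well beyond this OU.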
 
LVL 57

Expert Comment

by:Mike Kline
ID: 33700836
You can also use the built in account operators group

Thanks

Mike
0

 
LVL 51

Expert Comment

by:Netman66
ID: 33701074
I second the Account Operators group.

0
 
LVL 22

Expert Comment

by:Joseph Moody
ID: 33701126
Third!
0
 
LVL 7

Expert Comment

by:grantsewell
ID: 33702129
You have to be careful with account operators - because they have full permissions over computer accounts as well, including domain controller accounts by default.

Built-in groups ARE too powerful, create a group and delegate all the specific permissions you need.
0
 
LVL 51

Expert Comment

by:Netman66
ID: 33703216
I challenge you to delete a DC as Account Operator only.

0
 
LVL 51

Expert Comment

by:Netman66
ID: 33703256
Quote:

Account Operators is a default group located in the Builtin container. Members of this group can create, modify, and delete accounts for users, groups, and computers located in the Users or Computers containers and organizational units in the domain, except the Domain Controllers organizational unit. Members of this group do not have permission to modify the Administrators or the Domain Admins groups, nor do they have permission to modify the accounts for members of those groups. Members of this group can log on locally to domain controllers in the domain and shut them down. Therefore, the Account Operators group has significant power in the domain and we recommend that you add members to it with caution.

End Quote.

There is a bug that I am not certain is fixed whereby a member server promoted to DC retains the Account Operator FC ACE, but if the DC is in the Domain Controllers OU, then the Account Operator can't do anything other than log in to it (and shut it down - which is bad enough).
0
 
LVL 57

Expert Comment

by:Mike Kline
ID: 33703305
If you can figure out a way to elevate with just account operator rights and delete a DC then you will get a speaking spot at TEC or another conference showing how to do that.
....and I'm not talking about if you have physical access to a DC and use those hacks...just logging in with a user in the account operators group
 
Thanks
Mike
0

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Read about why it is more lucrative for an IT company to participate in government projects.
This article shows theĀ method of using the Resultant Set of Policy Tool to locate Group Policy that applies a particular setting.
This tutorial will give a short introduction and overview of Backup Exec 2012 and how to navigate and perform basic functions. Click on the Backup Exec button in the upper left corner. From here, are global settings for the application such as conneā€¦
This video shows how to use Hyena, from SystemTools Software, to bulk import 100 user accounts from an external text file. View in 1080p for best video quality.

730 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question