?
Solved

Windows 2008 R2 Active Directory Administration

Posted on 2010-09-17
9
Medium Priority
?
744 Views
Last Modified: 2012-06-21
Which group should a user belong to to be able to add/remove/update users without being an Active Directory Domain Administrator?
0
Comment
Question by:Darek_Danielewski
9 Comments
 
LVL 10

Assisted Solution

by:jorlando66
jorlando66 earned 80 total points
ID: 33700529
You can assign this by organizational unit by delegating control to the user. This way they cdn add/remove/update users from specific OU's and be restricted from others.  In ADUC right click the OU and select delegate control.
0
 
LVL 70

Accepted Solution

by:
KCTS earned 120 total points
ID: 33700645
Yep - thats the way to go - you can't use a built in group - you would give them too much  - Create a new Security group for the users you want to delegate to - add their accounts to this security group.

Create an Organisational unit containing the accounts you want them to be able to control (or you can use the domain if you want them all)

Right click on the OU (or domain) and select Delegate control and select the new security group and the tasks that you want them to be able to perform.

So that they can do this from their own machines - without the need to log onto the DC - which would be bad - ass the remote server admin tools to their PCs - you can optionally also create a taskpad to make it more simple for them

http://www.microsoft.com/downloads/en/details.aspx?FamilyId=9FF6E897-23CE-4A36-B7FC-D52065DE9960&displaylang=en

or

http://www.microsoft.com/downloads/en/details.aspx?FamilyID=7D2F6AD7-656B-4313-A005-4E344E43997D

0
 
LVL 57

Expert Comment

by:Mike Kline
ID: 33700836
You can also use the built in account operators group

Thanks

Mike
0
Evaluating UTMs? Here's what you need to know!

Evaluating a UTM appliance and vendor can prove to be an overwhelming exercise.  How can you make sure that you're getting the security that your organization needs without breaking the bank? Check out our UTM Buyer's Guide for more information on what you should be looking for!

 
LVL 51

Expert Comment

by:Netman66
ID: 33701074
I second the Account Operators group.

0
 
LVL 22

Expert Comment

by:Joseph Moody
ID: 33701126
Third!
0
 
LVL 7

Expert Comment

by:grantsewell
ID: 33702129
You have to be careful with account operators - because they have full permissions over computer accounts as well, including domain controller accounts by default.

Built-in groups ARE too powerful, create a group and delegate all the specific permissions you need.
0
 
LVL 51

Expert Comment

by:Netman66
ID: 33703216
I challenge you to delete a DC as Account Operator only.

0
 
LVL 51

Expert Comment

by:Netman66
ID: 33703256
Quote:

Account Operators is a default groups located in the Builtin container. Members of this group can create, modify, and delete accounts for users, groups, and computers located in the Users or Computers containers and organizational units in the domain, except the Domain Controllers organizational unit. Members of this group do not have permission to modify the Administrators or the Domain Admins groups, nor do they have permission to modify the accounts for members of those groups. Members of this group can log on locally to domain controllers in the domain and shut them down. Therefore, the Account Operators group has significant power in the domain and we recommend that you add members to it with caution.  

End Quote.

There is a bug that I am not certain is fixed whereby a member server promoted to DC retains the Account Operator FC ACE, but if the DC is in the Domain Controllers OU, then the Account Operator can't do anything other than log in to it (and shut it down - which is bad enough).
0
 
LVL 57

Expert Comment

by:Mike Kline
ID: 33703305
If you can figure out a way to elevate with just account operator rights and delete a DC then you will get a speaking spot at TEC or another conference showing how to do that.  
....and I'm not talking about if you have physical access to a DC and use those hacks...just logging in with an user in the account operators group
 
Thanks
Mike
0

Featured Post

[Webinar On Demand] Database Backup and Recovery

Does your company store data on premises, off site, in the cloud, or a combination of these? If you answered “yes”, you need a data backup recovery plan that fits each and every platform. Watch now as as Percona teaches us how to build agile data backup recovery plan.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

It’s time for spooky stories and consuming way too much sugar, including the many treats we’ve whipped for you in the world of tech. Check it out!
Sometimes it necessary to set special permissions on user objects.  For instance when using a Blackberry server, the SendAs permission needs to be set. I see many admins struggle with the setting that permission only to see it disappear within a few…
This tutorial will walk an individual through the process of transferring the five major, necessary Active Directory Roles, commonly referred to as the FSMO roles to another domain controller. Log onto the new domain controller with a user account t…
Sometimes it takes a new vantage point, apart from our everyday security practices, to truly see our Active Directory (AD) vulnerabilities. We get used to implementing the same techniques and checking the same areas for a breach. This pattern can re…
Suggested Courses

569 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question