Solved

Windows 2008 R2 Active Directory Administration

Posted on 2010-09-17
Last Modified: 2012-06-21
Which group should a user belong to to be able to add/remove/update users without being an Active Directory Domain Administrator?
0
Question by:Darek_Danielewski
9 Comments
 
LVL 10

Assisted Solution

by:jorlando66
jorlando66 earned 20 total points
ID: 33700529
You can assign this by organizational unit by delegating control to the user. This way they can add/remove/update users from specific OUs and be restricted from others. In ADUC, right-click the OU and select Delegate Control.
0
 
LVL 70

Accepted Solution

by:KCTS
KCTS earned 30 total points
ID: 33700645
Yep - that's the way to go - you can't use a built-in group - you would give them too much - Create a new Security group for the users you want to delegate to - add their accounts to this security group.

Create an Organisational unit containing the accounts you want them to be able to control (or you can use the domain if you want them all)

Right-click on the OU (or domain) and select Delegate control and select the new security group and the tasks that you want them to be able to perform.

So that they can do this from their own machines - without the need to log onto the DC - which would be bad - add the remote server admin tools to their PCs - you can optionally also create a taskpad to make it more simple for them.

http://www.microsoft.com/downloads/en/details.aspx?FamilyId=9FF6E897-23CE-4A36-B7FC-D52065DE9960&displaylang=en

or

http://www.microsoft.com/downloads/en/details.aspx?FamilyID=7D2F6AD7-656B-4313-A005-4E344E43997D

0
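The delegation steps from the accepted answer, scripted as an added example (not code from any poster in this thread). It assumes the ActiveDirectory PowerShell module from the remote server admin tools; the OU `Staff`, the group `UserAdmins` and the account `jdoe` are placeholders, and the two `dsacls` grants are one way to express "create, delete and manage user accounts" on an OU.

```powershell
# Added example: Staff, UserAdmins and jdoe are constructed placeholder names.
Import-Module ActiveDirectory

$domain    = Get-ADDomain
$domainDn  = $domain.DistinguishedName        # e.g. DC=example,DC=com
$netbios   = $domain.NetBIOSName              # e.g. EXAMPLE
$ouName    = 'Staff'
$groupName = 'UserAdmins'
$ouDn      = "OU=$ouName,$domainDn"

# 1. Dedicated security group for the delegated administrators
#    (instead of a built-in group such as Account Operators).
if (-not (Get-ADGroup -Filter "Name -eq '$groupName'")) {
    New-ADGroup -Name $groupName -GroupScope Global -GroupCategory Security `
                -Path "CN=Users,$domainDn"
}

# 2. OU that contains only the accounts they are allowed to manage.
if (-not (Get-ADOrganizationalUnit -Filter "Name -eq '$ouName'" `
            -SearchBase $domainDn -SearchScope OneLevel)) {
    New-ADOrganizationalUnit -Name $ouName -Path $domainDn
}

# 3. Delegate control on that OU only.
#    CCDC;user -> create/delete child objects of class user, OU and sub-OUs (/I:T)
#    GA;;user  -> full control, inherited by descendant user objects only (/I:S)
dsacls $ouDn /I:T /G "${netbios}\${groupName}:CCDC;user"
dsacls $ouDn /I:S /G "${netbios}\${groupName}:GA;;user"

# 4. Put the delegated administrator's account into the group.
Add-ADGroupMember -Identity $groupName -Members 'jdoe'

# 5. Review what was granted: every ACE on the OU that names the group.
(Get-Acl "AD:\$ouDn").Access |
    Where-Object { $_.IdentityReference -like "*\$groupName" } |
    Select-Object IdentityReference, ActiveDirectoryRights, InheritanceType, ObjectType

# 6. For comparison, list who currently holds the broader built-in right.
Get-ADGroupMember -Identity 'Account Operators' |
    Select-Object Name, objectClass, distinguishedName
```

Step 5 is worth keeping in a periodic audit: any ACE for the group that appears on an OU other than the intended one means the delegation has drifted.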
 
LVL 57

Expert Comment

by:Mike Kline
ID: 33700836
You can also use the built-in Account Operators group

Thanks

Mike
0

 
LVL 51

Expert Comment

by:Netman66
ID: 33701074
I second the Account Operators group.

0
 
LVL 22

Expert Comment

by:Joseph Moody
ID: 33701126
Third!
0
 
LVL 7

Expert Comment

by:grantsewell
ID: 33702129
You have to be careful with account operators - because they have full permissions over computer accounts as well, including domain controller accounts by default.

Built-in groups ARE too powerful, create a group and delegate all the specific permissions you need.
0
 
LVL 51

Expert Comment

by:Netman66
ID: 33703216
I challenge you to delete a DC as Account Operator only.

0
 
LVL 51

Expert Comment

by:Netman66
ID: 33703256
Quote:

Account Operators is a default group located in the Builtin container. Members of this group can create, modify, and delete accounts for users, groups, and computers located in the Users or Computers containers and organizational units in the domain, except the Domain Controllers organizational unit. Members of this group do not have permission to modify the Administrators or the Domain Admins groups, nor do they have permission to modify the accounts for members of those groups. Members of this group can log on locally to domain controllers in the domain and shut them down. Therefore, the Account Operators group has significant power in the domain and we recommend that you add members to it with caution.

End Quote.

There is a bug that I am not certain is fixed whereby a member server promoted to DC retains the Account Operator FC ACE, but if the DC is in the Domain Controllers OU, then the Account Operator can't do anything other than log in to it (and shut it down - which is bad enough).
0
 
LVL 57

Expert Comment

by:Mike Kline
ID: 33703305
If you can figure out a way to elevate with just account operator rights and delete a DC then you will get a speaking spot at TEC or another conference showing how to do that.
...and I'm not talking about if you have physical access to a DC and use those hacks...just logging in with a user in the account operators group
 
Thanks
Mike
0
