Solved

Windows 2008 R2 Active Directory Administration

Posted on 2010-09-17
9
734 Views
Last Modified: 2012-06-21
Which group should a user belong to to be able to add/remove/update users without being an Active Directory Domain Administrator?
0
Comment
Question by:Darek_Danielewski
9 Comments
 
LVL 10

Assisted Solution

by:jorlando66
jorlando66 earned 20 total points
ID: 33700529
You can assign this by organizational unit by delegating control to the user. This way they cdn add/remove/update users from specific OU's and be restricted from others.  In ADUC right click the OU and select delegate control.
0
 
LVL 70

Accepted Solution

by:
KCTS earned 30 total points
ID: 33700645
Yep - thats the way to go - you can't use a built in group - you would give them too much  - Create a new Security group for the users you want to delegate to - add their accounts to this security group.

Create an Organisational unit containing the accounts you want them to be able to control (or you can use the domain if you want them all)

Right click on the OU (or domain) and select Delegate control and select the new security group and the tasks that you want them to be able to perform.

So that they can do this from their own machines - without the need to log onto the DC - which would be bad - ass the remote server admin tools to their PCs - you can optionally also create a taskpad to make it more simple for them

http://www.microsoft.com/downloads/en/details.aspx?FamilyId=9FF6E897-23CE-4A36-B7FC-D52065DE9960&displaylang=en

or

http://www.microsoft.com/downloads/en/details.aspx?FamilyID=7D2F6AD7-656B-4313-A005-4E344E43997D

0
 
LVL 57

Expert Comment

by:Mike Kline
ID: 33700836
You can also use the built in account operators group

Thanks

Mike
0
Netscaler Common Configuration How To guides

If you use NetScaler you will want to see these guides. The NetScaler How To Guides show administrators how to get NetScaler up and configured by providing instructions for common scenarios and some not so common ones.

 
LVL 51

Expert Comment

by:Netman66
ID: 33701074
I second the Account Operators group.

0
 
LVL 22

Expert Comment

by:Joseph Moody
ID: 33701126
Third!
0
 
LVL 7

Expert Comment

by:grantsewell
ID: 33702129
You have to be careful with account operators - because they have full permissions over computer accounts as well, including domain controller accounts by default.

Built-in groups ARE too powerful, create a group and delegate all the specific permissions you need.
0
 
LVL 51

Expert Comment

by:Netman66
ID: 33703216
I challenge you to delete a DC as Account Operator only.

0
 
LVL 51

Expert Comment

by:Netman66
ID: 33703256
Quote:

Account Operators is a default groups located in the Builtin container. Members of this group can create, modify, and delete accounts for users, groups, and computers located in the Users or Computers containers and organizational units in the domain, except the Domain Controllers organizational unit. Members of this group do not have permission to modify the Administrators or the Domain Admins groups, nor do they have permission to modify the accounts for members of those groups. Members of this group can log on locally to domain controllers in the domain and shut them down. Therefore, the Account Operators group has significant power in the domain and we recommend that you add members to it with caution.  

End Quote.

There is a bug that I am not certain is fixed whereby a member server promoted to DC retains the Account Operator FC ACE, but if the DC is in the Domain Controllers OU, then the Account Operator can't do anything other than log in to it (and shut it down - which is bad enough).
0
 
LVL 57

Expert Comment

by:Mike Kline
ID: 33703305
If you can figure out a way to elevate with just account operator rights and delete a DC then you will get a speaking spot at TEC or another conference showing how to do that.  
....and I'm not talking about if you have physical access to a DC and use those hacks...just logging in with an user in the account operators group
 
Thanks
Mike
0

Featured Post

Netscaler Common Configuration How To guides

If you use NetScaler you will want to see these guides. The NetScaler How To Guides show administrators how to get NetScaler up and configured by providing instructions for common scenarios and some not so common ones.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Title # Comments Views Activity
extended monitor print screen 8 31
Cannot view members of new distributionlist 2 28
Group Policy Mapped Drives - Work Offline? 7 23
EXCHANGE, ACTIVE DIRECTORY 1 29
Both MMF (multi-mode fiber) and SMF (single-mode fiber) are types of optical fiber that can aid in communication applications. These thin strands of silica or glass will allow communication to occur between devices. The transmission of light between…
This script can help you clean up your user profile database by comparing profiles to Active Directory users in a particular OU, and removing the profiles that don't match.
This tutorial will walk an individual through configuring a drive on a Windows Server 2008 to perform shadow copies in order to quickly recover deleted files and folders. Click on Start and then select Computer to view the available drives on the se…
This tutorial will walk an individual through the steps necessary to join and promote the first Windows Server 2012 domain controller into an Active Directory environment running on Windows Server 2008. Determine the location of the FSMO roles by lo…

786 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question