Solved

how to delegate administration of all users in an OU to a user

Posted on 2011-02-10
3
689 Views
Last Modified: 2012-05-11
We want to delegate administration of our staff OU to a receptionist so they can update user details (mostly phone number) , reset passwords, etc. (server 2003 R2)

I have installed adminpak on the receptionist PC and delegated administrative rights on the OU as described here: http://www.windowsecurity.com/articles/Implementing-Active-Directory-Delegation-Administration.html

We find that the receptionist can ammend the phone numbers of most users in the OU, but some users appear to be read only and she cannot change their properties.  All users are in the same OU, it is hard to see what is different between the users she can change, and the ones she can't.

Any help appreciated.
0
Comment
Question by:VAWD
3 Comments
 
LVL 70

Accepted Solution

by:
Chris Dent earned 500 total points
Comment Utility

Any of the users administrative users?

Members of protected groups do not inherit permissions from the regular AD hierarchy. This is to prevent right escalation by someone resetting a password for a privileged account.

For instance, if you could reset a password on a Domain Admin account you suddenly are a domain admin.

Chris
0
 
LVL 13

Expert Comment

by:Felix Leven
Comment Utility
Was there a 2008 server in the domain ?
0
 

Author Closing Comment

by:VAWD
Comment Utility
Thats it.  Thanks
0

Featured Post

How your wiki can always stay up-to-date

Quip doubles as a “living” wiki and a project management tool that evolves with your organization. As you finish projects in Quip, the work remains, easily accessible to all team members, new and old.
- Increase transparency
- Onboard new hires faster
- Access from mobile/offline

Join & Write a Comment

Companies that have implemented Microsoft’s Active Directory need to ensure that the Active Directory is configured and operating properly. If there are issues found and not resolved, it eventually leads the components to fail or stop working and fi…
[b]Ok so now I will show you how to add a user name to the description at login. [/b] First connect to your DC (Domain Controller / Active Directory Server) SET PERMISSIONS FOR SCRIPT TO UPDATE COMPUTER DESCRIPTION TO USERNAME 1. Open Active …
This tutorial will walk an individual through the process of transferring the five major, necessary Active Directory Roles, commonly referred to as the FSMO roles to another domain controller. Log onto the new domain controller with a user account t…
This tutorial will walk an individual through the process of configuring their Windows Server 2012 domain controller to synchronize its time with a trusted, external resource. Use Google, Bing, or other preferred search engine to locate trusted NTP …

763 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

10 Experts available now in Live!

Get 1:1 Help Now