Solved

Custom delegation in Active Directory

Posted on 2011-02-22
Last Modified: 2012-05-11
Dear All,

I’m looking to delegate some work to a group of Helpdesk engineers, and I need help with the following:
1- Give this group permission to create users, reset passwords, add/remove users from groups, edit users’ info, and join/disjoin computers from the domain.

2- How can I make a custom Active Directory Users & Computers console so the helpdesk engineers see only a certain OU in Active Directory?

Note: I have a Windows 2008 R2 Active Directory.

Thanks
Question by:Arabsoft_Security
3 Comments
Assisted Solution by Krzysztof Pytko (ID: 34955631)
The simplest way to do that is to place the HelpDesk group in the built-in "Account Operators" group within the domain. Then they will be able to manage all the things you mentioned above. Of course, they won't be able to reset/unlock domain admins and cannot change the "Domain Admins" group, etc.

If you wish to allow them only a particular OU, I would suggest delegating rights to that OU using the delegation wizard.

If you decide to add them to the "Account Operators" group, you shouldn't hide any OU. I don't recommend hiding OUs, because if a user has no appropriate rights, they cannot do anything except read objects.

Regards,
Krzysztof
Accepted Solution by KenMcF (ID: 34955676)
I would stay away from using built-in groups. You could give the group full control of user objects in a specific OU, or finer control over only what you want, using the delegation wizard.

You can give them permission to add computers through a GPO.

You can create a taskpad view of an OU:

http://www.petri.co.il/create_taskpads_for_ad_operations.htm
Assisted Solution by KenMcF (ID: 34955731)
Forgot to post this link. This is why I would not recommend using the built-in groups: it may give the users more rights than they need to have.

http://www.windowsecurity.com/articles/Built-in-Groups-Delegation.html
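A scripted form of the OU-scoped delegation both answers recommend instead of the built-in Account Operators group, added here as an example; it is not part of the thread and not code from either poster. It uses the ActiveDirectory PowerShell module that ships with Windows Server 2008 R2 (which also provides the AD: drive that Get-Acl/Set-Acl operate on) and assumes a helpdesk security group named "Helpdesk", a user OU "OU=Helpdesk Managed,DC=contoso,DC=com" and a workstation OU "OU=Workstations,DC=contoso,DC=com"; all three names are assumptions, so replace them with your own. Class, attribute and extended-right GUIDs are read from the forest's own schema rather than typed in, so a misspelled name fails loudly instead of silently granting the wrong right.

```powershell
# Added example (not from the thread): delegate helpdesk rights on specific OUs
# instead of adding the group to Account Operators. Run as a Domain Admin (or any
# account holding WRITE_DAC on the two OUs) on a host with the ActiveDirectory module.
Import-Module ActiveDirectory

$HelpdeskGroup = 'Helpdesk'                               # assumed group name
$UserOU        = 'OU=Helpdesk Managed,DC=contoso,DC=com'  # assumed OU for user/group objects
$ComputerOU    = 'OU=Workstations,DC=contoso,DC=com'      # assumed OU for joined workstations

# Resolve GUIDs from this forest's schema and Extended-Rights container rather than
# hard-coding them: schema classes/attributes by lDAPDisplayName, control access rights
# and property sets by displayName.
$rootDse = Get-ADRootDSE
$schema  = @{}
Get-ADObject -SearchBase $rootDse.schemaNamingContext -LDAPFilter '(schemaIDGUID=*)' `
    -Properties lDAPDisplayName, schemaIDGUID |
    ForEach-Object { $schema[$_.lDAPDisplayName] = [guid]$_.schemaIDGUID }
$rights  = @{}
Get-ADObject -SearchBase "CN=Extended-Rights,$($rootDse.configurationNamingContext)" `
    -LDAPFilter '(objectClass=controlAccessRight)' -Properties displayName, rightsGuid |
    ForEach-Object { $rights[$_.displayName] = [guid]$_.rightsGuid }

function Get-KnownGuid([hashtable]$Table, [string]$Name) {
    # Fail instead of building an ACE with an empty GUID (which would widen the grant).
    if (-not $Table.ContainsKey($Name)) { throw "No entry named '$Name' in this forest" }
    $Table[$Name]
}

$sid     = (Get-ADGroup $HelpdeskGroup).SID
$Allow   = [System.Security.AccessControl.AccessControlType]::Allow
$All     = [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All
$Descend = [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents

function New-Ace {
    # $ObjectType: class GUID for CreateChild/DeleteChild, attribute or property-set GUID
    # for Read/WriteProperty, control-access-right GUID for ExtendedRight/Self.
    # $InheritedObjectType restricts the ACE to descendants of that class (user, group, computer).
    param([string]$Rights, [guid]$ObjectType, $Inheritance, [guid]$InheritedObjectType = [guid]::Empty)
    New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
        $sid, [System.DirectoryServices.ActiveDirectoryRights]$Rights, $Allow,
        $ObjectType, $Inheritance, $InheritedObjectType)
}

$userClass  = Get-KnownGuid $schema 'user'
$groupClass = Get-KnownGuid $schema 'group'
$compClass  = Get-KnownGuid $schema 'computer'

$userAcl = Get-Acl -Path "AD:\$UserOU"
# 1. Create and delete user objects in this OU and any sub-OU.
$userAcl.AddAccessRule((New-Ace 'CreateChild, DeleteChild' $userClass $All))
# 2. Reset passwords, unlock accounts (lockoutTime) and force "change at next logon"
#    (pwdLastSet), limited to user objects below this OU; admins elsewhere are untouched.
$userAcl.AddAccessRule((New-Ace 'ExtendedRight' (Get-KnownGuid $rights 'Reset Password') $Descend $userClass))
foreach ($attr in 'lockoutTime', 'pwdLastSet') {
    $userAcl.AddAccessRule((New-Ace 'ReadProperty, WriteProperty' (Get-KnownGuid $schema $attr) $Descend $userClass))
}
# 3. Edit user info through the same property sets the delegation wizard offers,
#    without write access to the rest of the user's attributes.
foreach ($set in 'General Information', 'Personal Information', 'Public Information') {
    $userAcl.AddAccessRule((New-Ace 'ReadProperty, WriteProperty' (Get-KnownGuid $rights $set) $Descend $userClass))
}
# 4. Add/remove members of groups that live below this OU only (write to "member").
$userAcl.AddAccessRule((New-Ace 'ReadProperty, WriteProperty' (Get-KnownGuid $schema 'member') $Descend $groupClass))
Set-Acl -Path "AD:\$UserOU" -AclObject $userAcl

# 5. Join/disjoin: create and delete computer objects in the workstation OU, plus the
#    rights a join needs on pre-staged computer accounts (password reset, validated writes).
$compAcl = Get-Acl -Path "AD:\$ComputerOU"
$compAcl.AddAccessRule((New-Ace 'CreateChild, DeleteChild' $compClass $All))
$compAcl.AddAccessRule((New-Ace 'ExtendedRight' (Get-KnownGuid $rights 'Reset Password') $Descend $compClass))
$compAcl.AddAccessRule((New-Ace 'ReadProperty, WriteProperty' (Get-KnownGuid $rights 'Account Restrictions') $Descend $compClass))
foreach ($vw in 'Validated write to DNS host name', 'Validated write to service principal name') {
    $compAcl.AddAccessRule((New-Ace 'Self' (Get-KnownGuid $rights $vw) $Descend $compClass))
}
Set-Acl -Path "AD:\$ComputerOU" -AclObject $compAcl

# 6. Verify: list every ACE naming the helpdesk group on both OUs, and confirm the group
#    is not also sitting in Account Operators (which would make the OU scoping moot).
foreach ($ou in $UserOU, $ComputerOU) {
    (Get-Acl -Path "AD:\$ou").Access |
        Where-Object { $_.IdentityReference -like "*\$HelpdeskGroup" } |
        Select-Object ActiveDirectoryRights, ObjectType, InheritedObjectType, InheritanceType |
        Format-Table -AutoSize
}
Get-ADGroupMember 'Account Operators' | Select-Object name, objectClass
```

Two points worth checking after running it. First, the AD: drive path form "AD:\<DN>" is what Get-Acl/Set-Acl expect, and Set-Acl will fail if the running account lacks WRITE_DAC on the OU, so run it as the OU's owner or a Domain Admin. Second, a taskpad or custom MMC view only controls what the engineers see; it is these ACEs, not the console, that decide what they can change, so removing the group from Account Operators (and any other built-in group) is part of the job.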