Solved

Custom delegation in Active Directory

Posted on 2011-02-22
3
710 Views
Last Modified: 2012-05-11
Dear All,

I’m looking to delegate some work for a group of Helpdesk engineers, I need help to do the following:
1- Give this group permission to create users, rest password, add/remove users from groups, edit user’s info & join/disjoin computers from domain.

2- How I can do a custom Active Directory user & Computer console so the helpdesk engineers will see only a certain OU in the active directory.

Note: I have windows 2008 R2 Active Directory.

Thanks
0
Comment
Question by:Arabsoft_Security
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 2
3 Comments
 
LVL 39

Assisted Solution

by:Krzysztof Pytko
Krzysztof Pytko earned 166 total points
ID: 34955631
The most simple way for that is placing HelpDesk group into built-in "Account Operators" group within a domain. Then they will be able to manage all those things you mentioned above. Of course they won't be able to reset/unlock domain admins and cannot change "Domain Admins" group etc.

If you wish to allow them only particular OU, I would suggest delegate rights to that OU using delegation wizard.

When you decide to add them into "Account Operators" group, you shouldn't hide any OU. I don't recommend hidding OUs because if a user has no appropriate rights, cannot do anything except read object.

Regards,
Krzysztof
0
 
LVL 27

Accepted Solution

by:
KenMcF earned 334 total points
ID: 34955676
I would stay away from using built-in groups. You could give the group full control of users objects in a specific OU or finer control to only what you want using the delegation wizard.

You can give them permissions to add computer through a GPO.

You can create a taskpad view of an OU

http://www.petri.co.il/create_taskpads_for_ad_operations.htm
0
 
LVL 27

Assisted Solution

by:KenMcF
KenMcF earned 334 total points
ID: 34955731
Forgot to post this link. This is why I would not recomend using the built-in groups. It may be giving the users more rights than they need to have

http://www.windowsecurity.com/articles/Built-in-Groups-Delegation.html
0

Featured Post

Are your AD admin tools letting you down?

Managing Active Directory can get complicated.  Often, the native tools for managing AD are just not up to the task.  The largest Active Directory installations in the world have relied on one tool to manage their day-to-day administration tasks: Hyena. Start your trial today.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

This article explains the steps required to use the default Photos screensaver to display branding/corporate images
I was prompted to write this article after the recent World-Wide Ransomware outbreak. For years now, System Administrators around the world have used the excuse of "Waiting a Bit" before applying Security Patch Updates. This type of reasoning to me …
This tutorial will walk an individual through the process of transferring the five major, necessary Active Directory Roles, commonly referred to as the FSMO roles from a Windows Server 2008 domain controller to a Windows Server 2012 domain controlle…
This video shows how to use Hyena, from SystemTools Software, to bulk import 100 user accounts from an external text file. View in 1080p for best video quality.

734 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question