Solved

Custom delegation in Active Directory

Posted on 2011-02-22
3
672 Views
Last Modified: 2012-05-11
Dear All,

I’m looking to delegate some work for a group of Helpdesk engineers, I need help to do the following:
1- Give this group permission to create users, rest password, add/remove users from groups, edit user’s info & join/disjoin computers from domain.

2- How I can do a custom Active Directory user & Computer console so the helpdesk engineers will see only a certain OU in the active directory.

Note: I have windows 2008 R2 Active Directory.

Thanks
0
Comment
Question by:Arabsoft_Security
  • 2
3 Comments
 
LVL 39

Assisted Solution

by:Krzysztof Pytko
Krzysztof Pytko earned 166 total points
ID: 34955631
The most simple way for that is placing HelpDesk group into built-in "Account Operators" group within a domain. Then they will be able to manage all those things you mentioned above. Of course they won't be able to reset/unlock domain admins and cannot change "Domain Admins" group etc.

If you wish to allow them only particular OU, I would suggest delegate rights to that OU using delegation wizard.

When you decide to add them into "Account Operators" group, you shouldn't hide any OU. I don't recommend hidding OUs because if a user has no appropriate rights, cannot do anything except read object.

Regards,
Krzysztof
0
 
LVL 27

Accepted Solution

by:
KenMcF earned 334 total points
ID: 34955676
I would stay away from using built-in groups. You could give the group full control of users objects in a specific OU or finer control to only what you want using the delegation wizard.

You can give them permissions to add computer through a GPO.

You can create a taskpad view of an OU

http://www.petri.co.il/create_taskpads_for_ad_operations.htm
0
 
LVL 27

Assisted Solution

by:KenMcF
KenMcF earned 334 total points
ID: 34955731
Forgot to post this link. This is why I would not recomend using the built-in groups. It may be giving the users more rights than they need to have

http://www.windowsecurity.com/articles/Built-in-Groups-Delegation.html
0

Join & Write a Comment

Find out how to use Active Directory data for email signature management in Microsoft Exchange and Office 365.
Is your Office 365 signature not working the way you want it to? Are signature updates taking up too much of your time? Let's run through the most common problems that an IT administrator can encounter when dealing with Office 365 email signatures.
This tutorial will walk an individual through the steps necessary to install and configure the Windows Server Backup Utility. Directly connect an external storage device such as a USB drive, or CD\DVD burner: If the device is a USB drive, ensure i…
This tutorial will walk an individual through the process of transferring the five major, necessary Active Directory Roles, commonly referred to as the FSMO roles to another domain controller. Log onto the new domain controller with a user account t…

746 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

16 Experts available now in Live!

Get 1:1 Help Now