Go Premium for a chance to win a PS4. Enter to Win

x
?
Solved

Custom delegation in Active Directory

Posted on 2011-02-22
3
Medium Priority
?
723 Views
Last Modified: 2012-05-11
Dear All,

I’m looking to delegate some work for a group of Helpdesk engineers, I need help to do the following:
1- Give this group permission to create users, rest password, add/remove users from groups, edit user’s info & join/disjoin computers from domain.

2- How I can do a custom Active Directory user & Computer console so the helpdesk engineers will see only a certain OU in the active directory.

Note: I have windows 2008 R2 Active Directory.

Thanks
0
Comment
Question by:Arabsoft_Security
  • 2
3 Comments
 
LVL 39

Assisted Solution

by:Krzysztof Pytko
Krzysztof Pytko earned 664 total points
ID: 34955631
The most simple way for that is placing HelpDesk group into built-in "Account Operators" group within a domain. Then they will be able to manage all those things you mentioned above. Of course they won't be able to reset/unlock domain admins and cannot change "Domain Admins" group etc.

If you wish to allow them only particular OU, I would suggest delegate rights to that OU using delegation wizard.

When you decide to add them into "Account Operators" group, you shouldn't hide any OU. I don't recommend hidding OUs because if a user has no appropriate rights, cannot do anything except read object.

Regards,
Krzysztof
0
 
LVL 27

Accepted Solution

by:
KenMcF earned 1336 total points
ID: 34955676
I would stay away from using built-in groups. You could give the group full control of users objects in a specific OU or finer control to only what you want using the delegation wizard.

You can give them permissions to add computer through a GPO.

You can create a taskpad view of an OU

http://www.petri.co.il/create_taskpads_for_ad_operations.htm
0
 
LVL 27

Assisted Solution

by:KenMcF
KenMcF earned 1336 total points
ID: 34955731
Forgot to post this link. This is why I would not recomend using the built-in groups. It may be giving the users more rights than they need to have

http://www.windowsecurity.com/articles/Built-in-Groups-Delegation.html
0

Featured Post

Creating Active Directory Users from a Text File

If your organization has a need to mass-create AD user accounts, watch this video to see how its done without the need for scripting or other unnecessary complexities.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Had a business requirement to store the mobile number in an environmental variable. This is just a quick article on how this was done.
For anyone that has accidentally used newSID with Server 2008 R2 (like I did) and hasn't been able to get the server running again because you were unlucky (as I was) and had no backups - I was able to get things working by doing a Registry Hive rec…
This tutorial will walk an individual through configuring a drive on a Windows Server 2008 to perform shadow copies in order to quickly recover deleted files and folders. Click on Start and then select Computer to view the available drives on the se…
This Micro Tutorial hows how you can integrate  Mac OSX to a Windows Active Directory Domain. Apple has made it easy to allow users to bind their macs to a windows domain with relative ease. The following video show how to bind OSX Mavericks to …

926 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question