Solved

Custom delegation in Active Directory

Posted on 2011-02-22
Last Modified: 2012-05-11
Dear All,

I’m looking to delegate some work to a group of Helpdesk engineers. I need help to do the following:
1- Give this group permission to create users, reset passwords, add/remove users from groups, edit user’s info & join/disjoin computers from the domain.

2- How can I create a custom Active Directory Users & Computers console so the helpdesk engineers will see only a certain OU in Active Directory?

Note: I have Windows 2008 R2 Active Directory.

Thanks
Question by:Arabsoft_Security
3 Comments
 
LVL 39

Assisted Solution

by:Krzysztof Pytko
Krzysztof Pytko earned 664 total points
ID: 34955631
The simplest way to do that is to place the HelpDesk group into the built-in "Account Operators" group within the domain. Then they will be able to manage all those things you mentioned above. Of course they won't be able to reset/unlock domain admins and cannot change the "Domain Admins" group etc.

If you wish to allow them only a particular OU, I would suggest delegating rights to that OU using the delegation wizard.

When you decide to add them to the "Account Operators" group, you shouldn't hide any OU. I don't recommend hiding OUs because if a user has no appropriate rights, they cannot do anything except read objects.

Regards,
Krzysztof
0
 
LVL 27

Accepted Solution

by:KenMcF
KenMcF earned 1336 total points
ID: 34955676
I would stay away from using built-in groups. You could give the group full control of user objects in a specific OU, or finer control over only what you want, using the delegation wizard.

You can give them permission to add computers through a GPO.

You can create a taskpad view of an OU:

http://www.petri.co.il/create_taskpads_for_ad_operations.htm
0
 
LVL 27

Assisted Solution

by:KenMcF
KenMcF earned 1336 total points
ID: 34955731
Forgot to post this link. This is why I would not recommend using the built-in groups. It may be giving the users more rights than they need to have.

http://www.windowsecurity.com/articles/Built-in-Groups-Delegation.html
0
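
The OU-scoped delegation recommended in the answers above, scripted with `dsacls.exe` instead of the Delegation of Control wizard so the grants are repeatable and reviewable. This is an added example, not part of the original thread; the OU distinguished name, the group name, and the three attributes standing in for "user's info" are assumptions.

```powershell
# Added example: all names below are hypothetical, replace before use.
$ou    = 'OU=Staff,DC=example,DC=com'   # assumed OU the helpdesk manages
$group = 'EXAMPLE\Helpdesk'             # assumed helpdesk security group
$apply = $false                         # $false = print commands only (dry run)

# Each entry: dsacls inheritance switch + ACE
# ACE format: permissions;object-or-property;inherited-object-type
#   /I:T = this object and children, /I:S = child objects only
$grants = @(
    @{ Inherit = '/I:T'; Ace = 'CCDC;user' }                # create/delete users in the OU
    @{ Inherit = '/I:S'; Ace = 'CA;Reset Password;user' }   # reset passwords
    @{ Inherit = '/I:S'; Ace = 'WP;pwdLastSet;user' }       # force change at next logon
    @{ Inherit = '/I:S'; Ace = 'WP;lockoutTime;user' }      # unlock accounts
    # "Edit user's info": assumed to mean these attributes only,
    # rather than write access to every property of the user object.
    @{ Inherit = '/I:S'; Ace = 'WP;displayName;user' }
    @{ Inherit = '/I:S'; Ace = 'WP;telephoneNumber;user' }
    @{ Inherit = '/I:S'; Ace = 'WP;description;user' }
    @{ Inherit = '/I:S'; Ace = 'WP;member;group' }          # add/remove group members
    @{ Inherit = '/I:T'; Ace = 'CCDC;computer' }            # create/delete computer objects
)

foreach ($g in $grants) {
    $grantArg = "${group}:$($g.Ace)"
    if (-not $apply) {
        Write-Output "dsacls `"$ou`" $($g.Inherit) /G `"$grantArg`""
        continue
    }
    & dsacls.exe $ou $g.Inherit /G $grantArg | Out-Null
    if ($LASTEXITCODE -ne 0) {
        throw "dsacls failed for ACE '$($g.Ace)' (exit code $LASTEXITCODE)"
    }
}

if ($apply) {
    # Review step: list every ACE on the OU that names the helpdesk group,
    # so the result can be compared against the intended grants above.
    & dsacls.exe $ou | Select-String -SimpleMatch $group
}
```

Because `WP;member;group` applies only to groups located under the delegated OU, privileged groups kept elsewhere in the directory stay outside the helpdesk's reach.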
