Solved

How can I delegate rights to my helpdesk guy to some minimum rights as below only.

Posted on 2011-10-29
Last Modified: 2012-09-17
How can I delegate rights to my helpdesk guy to (a) Add system to domain. (b) Remove system from domain. (c) Reset local admin password. (d) Add user in Remote Desktop User Group of any system only.
Question by:mrityu_swain

Expert Comment

by:Sekar Chinnakannu
ID: 37049692
Using delegated rights you can configure an account as you like. Check this article and you will come to know how to delegate rights to helpdesk: http://blogs.dirteam.com/blogs/jorge/archive/2006/01/05/369.aspx

Expert Comment

by:infoplateform
ID: 37050321
One of the most significant reasons for creating an OU (Organizational Unit) structure in AD DS (Active Directory Domain Services) is for the purpose of delegating administration to a divide administrator or administrative group. AD DS permits for this level of administrative granularity in a single domain.

A group of users can be easily permitted specific levels of administrative access to a subset of users. For instance, a remote IT group can be permitted standard user creation/deletion/password-change rights to its own OU. The process of delegating this type of access is quite simple and contains the following steps:

1. In Active Directory Users and Computers, right-click the OU where you want to delegate permissions, and choose Delegate Control.
2. Click Next at the Welcome screen.
3. Click Add to select the group to which you want to provide access.
4. Type the name of the group, and click OK.
5. Click Next to continue.
6. Under Delegate the Following Common Tasks, choose the permissions you want and click Next to continue.
7. Select Create, Delete, and Manage User Accounts, and then click Next.
8. Click Finish to confirm the modifications.

In fact, the Delegation of Control Wizard permits for a very specific degree of administrative granularity. If required, an administrator can delegate a group of users to be able to alter or change only phone numbers or similar functionality for users in a specific OU. Custom tasks can be created and enabled on OUs to accomplish this and many other administrative tasks. For the most part, a very large percentage of all the types of administration that could possibly be needed for delegation can work in this way. To use the phone administration example, follow these steps to set up custom delegation:

1. In AD DS Users and Computers, right-click the OU where you want to delegate permissions, and choose Delegate Control.
2. Click Next at the Welcome screen.
3. Click Add to select the group to which you want to provide access.
4. Type the name of the group, and click OK.
5. Click Next to continue.
6. Select Create a Custom Task to Delegate, and click Next.
7. Under Delegate Control Of, choose Only the Following Objects in the Folder.
8. Check Users Objects and click Next.
9. Under Permissions, check Read and Write Phone and Mail Options and click Next.
10. Click Finish to confirm the modifications.

The possible differences are huge, but the concept is sound. AD DS’s ability to delegate administrative functionality to this degree of granularity is one of the most important benefits inbuilt in Windows 2008.

http://www.itechtalk.com/thread1793.html

With SnapShot

http://www.howtogeek.com/50166/using-the-delegation-of-control-wizard-to-assign-permissions-in-server-2008/
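
A way to review what the wizard steps above actually granted, as an added example that is not part of the original post: it lists the explicit ACEs a delegated group holds on an OU and flags broad rights. The OU distinguished name and the group name `EXAMPLE\Helpdesk` are placeholders, and the ActiveDirectory PowerShell module (RSAT) is assumed to be installed.

```powershell
# Added example: audit explicit (non-inherited) ACEs for one delegated group on an OU.
Import-Module ActiveDirectory

$ouDn      = 'OU=Workstations,DC=example,DC=com'   # placeholder OU
$principal = 'EXAMPLE\Helpdesk'                    # placeholder delegated group

# Well-known GUIDs, mapped to names so the output is readable.
$guidNames = @{
    'bf967aba-0de6-11d0-a285-00aa003049e2' = 'user (class)'
    'bf967a86-0de6-11d0-a285-00aa003049e2' = 'computer (class)'
    '00299570-246d-11d0-a768-00aa006e0529' = 'Reset Password (extended right)'
    '00000000-0000-0000-0000-000000000000' = 'any'
}

# Rights that go well beyond a narrow helpdesk delegation.
$adr   = [System.DirectoryServices.ActiveDirectoryRights]
$broad = @($adr::GenericAll, $adr::WriteDacl, $adr::WriteOwner)

$acl = Get-Acl -Path "AD:\$ouDn"

$acl.Access |
    Where-Object { $_.IdentityReference.Value -eq $principal -and -not $_.IsInherited } |
    ForEach-Object {
        $ace = $_
        $ot  = $ace.ObjectType.ToString()
        $it  = $ace.InheritedObjectType.ToString()
        [pscustomobject]@{
            Rights    = $ace.ActiveDirectoryRights
            Type      = $ace.AccessControlType
            Object    = if ($guidNames.ContainsKey($ot)) { $guidNames[$ot] } else { $ot }
            AppliesTo = if ($guidNames.ContainsKey($it)) { $guidNames[$it] } else { $it }
            Scope     = $ace.InheritanceType
            Broad     = [bool]($broad | Where-Object { $ace.ActiveDirectoryRights.HasFlag($_) })
        }
    } | Format-Table -AutoSize
```

Rows with `Broad` set to `True` and `AppliesTo` set to `any` are the ones to compare against the task list the helpdesk was meant to receive.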

Accepted Solution

by:
Sandeshdubey earned 2000 total points
ID: 37051693
As you need your helpdesk admin to have full access to workstation PCs to perform admin-related tasks such as installation of applications, changing settings of PCs, etc., you need to add the helpdesk ID to the local administrator group of all PCs. You can achieve the same as below.

1. Restricted Group policy
2. Startup Script.

Set a startup script in group policy with the following line:
NET localgroup Administrators /add "domain_name\domain_group"
That's it... the next time the computers are started, the group will be added to the local admin group.

Instead of a group you can mention a user ID as below:
NET localgroup Administrators /add "domain_name\domain_Userid"

If you want to configure restricted groups, refer to this link: http://www.windowsecurity.com/articles/Using-Restricted-Groups.html

Now, regarding how the helpdesk admin will perform domain-related activities like adding a PC to the domain or resetting a user ID password, etc., you can use delegation of control to achieve the same.
http://technet.microsoft.com/en-us/library/cc756087%28WS.10%29.aspx
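
The startup-script approach above only ever adds members, so membership can drift over time. As an added example that is not part of the original answer, the PowerShell startup script below adds the delegated group only when it is missing and reports any member that is not on an expected list. `EXAMPLE\Helpdesk-Admins`, the expected list and the unrenamed built-in `Administrator` account are assumptions; the `Microsoft.PowerShell.LocalAccounts` cmdlets require Windows PowerShell 5.1.

```powershell
# Added example: idempotent add plus drift report for the local Administrators group.
$group    = 'Administrators'
$delegate = 'EXAMPLE\Helpdesk-Admins'              # placeholder domain group

# Accounts that are allowed to be local administrators (placeholder values).
$expected = @(
    "$env:COMPUTERNAME\Administrator",
    'EXAMPLE\Domain Admins',
    $delegate
)

function Get-AdminMemberNames {
    # Returns member names as DOMAIN\name or COMPUTER\name strings.
    @(Get-LocalGroupMember -Group $group -ErrorAction Stop |
        Select-Object -ExpandProperty Name)
}

try {
    $members = Get-AdminMemberNames

    # Add the delegated group only if it is not already a member.
    if ($members -notcontains $delegate) {
        Add-LocalGroupMember -Group $group -Member $delegate -ErrorAction Stop
        $members = Get-AdminMemberNames
        Write-Output "Added $delegate to $group on $env:COMPUTERNAME"
    }

    # Report members that are not on the expected list (comparison is case-insensitive).
    $unexpected = @($members | Where-Object { $expected -notcontains $_ })
    if ($unexpected.Count -gt 0) {
        Write-Warning ("Unexpected members of {0} on {1}: {2}" -f
            $group, $env:COMPUTERNAME, ($unexpected -join ', '))
    }
}
catch {
    # Typical causes: the domain is unreachable at startup, or the group name is wrong.
    Write-Warning "Could not verify $group membership: $($_.Exception.Message)"
}
```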

Author Closing Comment

by:mrityu_swain
ID: 37052645
This is the exact resolution to my problem. Thank you Sandesh for the solution.
Thank you all for your kind help.