Solved

Delegate Control

Posted on 2012-04-04
4
393 Views
Last Modified: 2012-06-18
I have a junior administrator who I want to have control of common tasks, such as adding users in AD, and reset passwords.  Currently he is a member of the domain admins group.  Can I create another security group and then do some kind of delegation of the controls they have?
0
Comment
Question by:PC4N6
  • 2
4 Comments
 
LVL 20

Expert Comment

by:Radhakrishnan Rajayyan
ID: 37806317
Hi,

Yes, you can do this. 1) Remove the user from domain admin group 2) create an OU and move the user into that, right click the user and run the delegate control access on this user and select the appropriate permission you would like to give. 3) If you are not happy to create an OU for a single user then, you can run the delegate permission against this user and give the appropriate permissions.
0
 

Author Comment

by:PC4N6
ID: 37806328
What do I need to grant access to for low level administration?
0
 
LVL 20

Accepted Solution

by:
Radhakrishnan Rajayyan earned 500 total points
ID: 37806385
Please have a look at this article for step by step procedures http://www.howtogeek.com/50166/using-the-delegation-of-control-wizard-to-assign-permissions-in-server-2008/

Giving grant access is upto you and you decide whatever the permission you are going to give the user (I.e- reset users passwords, adding machines into domain etc..)

"Good Luck"
0
 
LVL 26

Expert Comment

by:Leon Fester
ID: 37806691
Sometime people use delegation for the wrong reasons.
You can just remove the junior administrator from the Domain Admins group and make him/her a member of the Account Operators group.
This is a builtin group with very limit permissions specifically around account create/deletion/reset pass
http://technet.microsoft.com/en-us/library/cc756898(v=ws.10).aspx

Builtin groups have been around forever and the permissions associated with these groups have been research and tested by Microsoft themselves.
Although it is always advisable to use the builtin groups, there are time when you may need to use delegation.

See the article below which debates: Built-in Groups vs. Delegation
http://www.windowsecurity.com/articles/built-in-groups-delegation.html
0

Featured Post

Are your corporate email signatures appalling?

Is it scary how unprofessional your email signatures look? Do users create their own terrible designs and give themselves stupid job titles? You can make this a lot easier for yourself by choosing an email signature management solution from Exclaimer today.

Join & Write a Comment

Some time ago I faced the need to use a uniform folder structure that spanned across numerous sites of an enterprise to be used as a common repository for the Software packages of the Configuration Manager 2007 infrastructure. Because the procedu…
I was supporting a handful of Windows 2008 (non-R2) 2 node clusters with shared quorum disks. Some had SQL 2008 installed and some were just a vendor application that we supported. For the purposes of this article it doesn’t really matter which so w…
This tutorial will walk an individual through the steps necessary to enable the VMware\Hyper-V licensed feature of Backup Exec 2012. In addition, how to add a VMware server and configure a backup job. The first step is to acquire the necessary licen…
This tutorial will walk an individual through the steps necessary to install and configure the Windows Server Backup Utility. Directly connect an external storage device such as a USB drive, or CD\DVD burner: If the device is a USB drive, ensure i…

760 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

21 Experts available now in Live!

Get 1:1 Help Now