Solved

Delegate Control

Posted on 2012-04-04
4
398 Views
Last Modified: 2012-06-18
I have a junior administrator who I want to have control of common tasks, such as adding users in AD, and reset passwords.  Currently he is a member of the domain admins group.  Can I create another security group and then do some kind of delegation of the controls they have?
0
Comment
Question by:PC4N6
  • 2
4 Comments
 
LVL 21

Expert Comment

by:RK
ID: 37806317
Hi,

Yes, you can do this. 1) Remove the user from domain admin group 2) create an OU and move the user into that, right click the user and run the delegate control access on this user and select the appropriate permission you would like to give. 3) If you are not happy to create an OU for a single user then, you can run the delegate permission against this user and give the appropriate permissions.
0
 

Author Comment

by:PC4N6
ID: 37806328
What do I need to grant access to for low level administration?
0
 
LVL 21

Accepted Solution

by:
RK earned 500 total points
ID: 37806385
Please have a look at this article for step by step procedures http://www.howtogeek.com/50166/using-the-delegation-of-control-wizard-to-assign-permissions-in-server-2008/

Giving grant access is upto you and you decide whatever the permission you are going to give the user (I.e- reset users passwords, adding machines into domain etc..)

"Good Luck"
0
 
LVL 26

Expert Comment

by:Leon Fester
ID: 37806691
Sometime people use delegation for the wrong reasons.
You can just remove the junior administrator from the Domain Admins group and make him/her a member of the Account Operators group.
This is a builtin group with very limit permissions specifically around account create/deletion/reset pass
http://technet.microsoft.com/en-us/library/cc756898(v=ws.10).aspx

Builtin groups have been around forever and the permissions associated with these groups have been research and tested by Microsoft themselves.
Although it is always advisable to use the builtin groups, there are time when you may need to use delegation.

See the article below which debates: Built-in Groups vs. Delegation
http://www.windowsecurity.com/articles/built-in-groups-delegation.html
0

Featured Post

Backup Your Microsoft Windows Server®

Backup all your Microsoft Windows Server – on-premises, in remote locations, in private and hybrid clouds. Your entire Windows Server will be backed up in one easy step with patented, block-level disk imaging. We achieve RTOs (recovery time objectives) as low as 15 seconds.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Scenario:  You do full backups to a internal hard drive in either product (SBS or Server 2008).  All goes well for a very long time.  One day, backups begin to fail with a message that the disk is full.  Your disk contains many, many more backups th…
New Windows 7 Installations take days for Windows-Updates to show up and install. This can easily be fixed. I have finally decided to write an article because this seems to get asked several times a day lately. This Article and the Links apply to…
This tutorial will give a short introduction and overview of Backup Exec 2012 and how to navigate and perform basic functions. Click on the Backup Exec button in the upper left corner. From here, are global settings for the application such as conne…
This tutorial will walk an individual through the steps necessary to enable the VMware\Hyper-V licensed feature of Backup Exec 2012. In addition, how to add a VMware server and configure a backup job. The first step is to acquire the necessary licen…

895 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

12 Experts available now in Live!

Get 1:1 Help Now