Solved

Delegate Control

Posted on 2012-04-04
4
403 Views
Last Modified: 2012-06-18
I have a junior administrator who I want to have control of common tasks, such as adding users in AD, and reset passwords.  Currently he is a member of the domain admins group.  Can I create another security group and then do some kind of delegation of the controls they have?
0
Comment
Question by:PC4N6
  • 2
4 Comments
 
LVL 21

Expert Comment

by:RK
ID: 37806317
Hi,

Yes, you can do this. 1) Remove the user from domain admin group 2) create an OU and move the user into that, right click the user and run the delegate control access on this user and select the appropriate permission you would like to give. 3) If you are not happy to create an OU for a single user then, you can run the delegate permission against this user and give the appropriate permissions.
0
 

Author Comment

by:PC4N6
ID: 37806328
What do I need to grant access to for low level administration?
0
 
LVL 21

Accepted Solution

by:
RK earned 500 total points
ID: 37806385
Please have a look at this article for step by step procedures http://www.howtogeek.com/50166/using-the-delegation-of-control-wizard-to-assign-permissions-in-server-2008/

Giving grant access is upto you and you decide whatever the permission you are going to give the user (I.e- reset users passwords, adding machines into domain etc..)

"Good Luck"
0
 
LVL 26

Expert Comment

by:Leon Fester
ID: 37806691
Sometime people use delegation for the wrong reasons.
You can just remove the junior administrator from the Domain Admins group and make him/her a member of the Account Operators group.
This is a builtin group with very limit permissions specifically around account create/deletion/reset pass
http://technet.microsoft.com/en-us/library/cc756898(v=ws.10).aspx

Builtin groups have been around forever and the permissions associated with these groups have been research and tested by Microsoft themselves.
Although it is always advisable to use the builtin groups, there are time when you may need to use delegation.

See the article below which debates: Built-in Groups vs. Delegation
http://www.windowsecurity.com/articles/built-in-groups-delegation.html
0

Featured Post

Are your AD admin tools letting you down?

Managing Active Directory can get complicated.  Often, the native tools for managing AD are just not up to the task.  The largest Active Directory installations in the world have relied on one tool to manage their day-to-day administration tasks: Hyena. Start your trial today.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

New Windows 7 Installations take days for Windows-Updates to show up and install. This can easily be fixed. I have finally decided to write an article because this seems to get asked several times a day lately. This Article and the Links apply to…
Restoring deleted objects in Active Directory has been a standard feature in Active Directory for many years, yet some admins may not know what is available.
This tutorial will walk an individual through the steps necessary to enable the VMware\Hyper-V licensed feature of Backup Exec 2012. In addition, how to add a VMware server and configure a backup job. The first step is to acquire the necessary licen…
To efficiently enable the rotation of USB drives for backups, storage pools need to be created. This way no matter which USB drive is installed, the backups will successfully write without any administrative intervention. Multiple USB devices need t…

825 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question