Solved

Delegate Control

Posted on 2012-04-04
4
411 Views
Last Modified: 2012-06-18
I have a junior administrator who I want to have control of common tasks, such as adding users in AD, and reset passwords.  Currently he is a member of the domain admins group.  Can I create another security group and then do some kind of delegation of the controls they have?
0
Comment
Question by:PC4N6
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 2
4 Comments
 
LVL 21

Expert Comment

by:Radhakrishnan R
ID: 37806317
Hi,

Yes, you can do this. 1) Remove the user from domain admin group 2) create an OU and move the user into that, right click the user and run the delegate control access on this user and select the appropriate permission you would like to give. 3) If you are not happy to create an OU for a single user then, you can run the delegate permission against this user and give the appropriate permissions.
0
 

Author Comment

by:PC4N6
ID: 37806328
What do I need to grant access to for low level administration?
0
 
LVL 21

Accepted Solution

by:
Radhakrishnan R earned 500 total points
ID: 37806385
Please have a look at this article for step by step procedures http://www.howtogeek.com/50166/using-the-delegation-of-control-wizard-to-assign-permissions-in-server-2008/

Giving grant access is upto you and you decide whatever the permission you are going to give the user (I.e- reset users passwords, adding machines into domain etc..)

"Good Luck"
0
 
LVL 26

Expert Comment

by:Leon Fester
ID: 37806691
Sometime people use delegation for the wrong reasons.
You can just remove the junior administrator from the Domain Admins group and make him/her a member of the Account Operators group.
This is a builtin group with very limit permissions specifically around account create/deletion/reset pass
http://technet.microsoft.com/en-us/library/cc756898(v=ws.10).aspx

Builtin groups have been around forever and the permissions associated with these groups have been research and tested by Microsoft themselves.
Although it is always advisable to use the builtin groups, there are time when you may need to use delegation.

See the article below which debates: Built-in Groups vs. Delegation
http://www.windowsecurity.com/articles/built-in-groups-delegation.html
0

Featured Post

Is Your AD Toolbox Looking More Like a Toybox?

Managing Active Directory can get complicated.  Often, the native tools for managing AD are just not up to the task.  The largest Active Directory installations in the world have relied on one tool to manage their day-to-day administration tasks: Hyena. Start your trial today.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

I was prompted to write this article after the recent World-Wide Ransomware outbreak. For years now, System Administrators around the world have used the excuse of "Waiting a Bit" before applying Security Patch Updates. This type of reasoning to me …
For anyone that has accidentally used newSID with Server 2008 R2 (like I did) and hasn't been able to get the server running again because you were unlucky (as I was) and had no backups - I was able to get things working by doing a Registry Hive rec…
This tutorial will walk an individual through the steps necessary to configure their installation of BackupExec 2012 to use network shared disk space. Verify that the path to the shared storage is valid and that data can be written to that location:…
This tutorial will show how to configure a new Backup Exec 2012 server and move an existing database to that server with the use of the BEUtility. Install Backup Exec 2012 on the new server and apply all of the latest hotfixes and service packs. The…
Suggested Courses

621 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question