Solved

Domain Admins

Posted on 2012-04-05
Last Modified: 2012-04-19
We run Windows 2003 Active Directory on a single domain. I would like certain people to have the ability to unlock user accounts when they get locked out. Do they have to be Domain Admins to do this? I would rather not if I do not have to. I am trying to limit the number of Domain Admins we have but at the same time delegate more responsibility to certain individuals.
Question by:InSearchOf
6 Comments
 
LVL 6

Expert Comment

by:emadallan
ID: 37811835
Here are the required steps:
http://support.microsoft.com/kb/294952/en-us
LVL 58

Accepted Solution

by:
tigermatt earned 1000 total points
ID: 37811863
Nope. You just need to modify the security rights on the particular OU(s) to give the non-Domain Admin users the ability to read and write the "lockoutTime" attribute on User account objects.

You can either enable 'Advanced' view in AD Users & Computers, and edit the Security tab directly. Or, use the Delegation of Control wizard, which was specifically designed to make setting security a breeze: http://technet.microsoft.com/en-us/library/cc732524.aspx

The various protected groups, but especially Administrators, Domain Admins and Enterprise Admins, really do need to be controlled and managed like they are the keys to the kingdom. A Domain Admin has ultimate control over the domain, and Enterprise Admins over the whole forest (if you're in a multi-domain environment) - including the ability to destroy it. No standard user account used on a day-to-day basis at a workstation should be assigned Domain Admin rights, and only those who are really trusted should have access to use such an account when required. Everything else can be delegated to users without elevating their rights to this level.

-Matt
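The lockoutTime delegation Matt describes, scripted as an added PowerShell example (not code from the thread): it adds one ACE to an OU that lets a helpdesk group read and write lockoutTime on user objects below it, then lists the group's explicit entries so the delegation is visible. It assumes the ActiveDirectory module (RSAT) on a workstation whose user may change the OU's ACL; the OU and group names are placeholders.

```powershell
# Added example, not from the original thread. Assumed names: adjust to your domain.
Import-Module ActiveDirectory

$ouDN  = 'OU=Staff,DC=corp,DC=example'   # assumption: OU holding the accounts to be unlocked
$group = 'CORP\HelpDesk-Unlock'           # assumption: group that gets unlock rights
$sid   = (New-Object System.Security.Principal.NTAccount($group)).Translate(
             [System.Security.Principal.SecurityIdentifier])

# Resolve schema GUIDs from the schema partition rather than hard-coding them.
$schemaNC = (Get-ADRootDSE).schemaNamingContext
function Get-SchemaGuid([string]$ldapDisplayName) {
    $obj = Get-ADObject -SearchBase $schemaNC -LDAPFilter "(lDAPDisplayName=$ldapDisplayName)" `
                        -Properties schemaIDGUID
    return [guid]$obj.schemaIDGUID
}
$lockoutTimeGuid = Get-SchemaGuid 'lockoutTime'   # the single attribute being delegated
$userClassGuid   = Get-SchemaGuid 'user'          # scope the ACE to user objects only

# Read + Write of one property, inherited by descendant user objects; nothing else.
$rights = [System.DirectoryServices.ActiveDirectoryRights]::ReadProperty -bor
          [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty
$ace = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $sid, $rights, [System.Security.AccessControl.AccessControlType]::Allow,
    $lockoutTimeGuid,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents,
    $userClassGuid)

$acl = Get-Acl -Path "AD:\$ouDN"
$acl.AddAccessRule($ace)
Set-Acl -Path "AD:\$ouDN" -AclObject $acl

# Verify: show the explicit (non-inherited) entries now held by the group on this OU.
(Get-Acl -Path "AD:\$ouDN").Access |
    Where-Object { $_.IdentityReference.Value -eq $group -and -not $_.IsInherited } |
    Select-Object ActiveDirectoryRights, AccessControlType, ObjectType, InheritedObjectType, InheritanceType
```

The ObjectType column in the verification output is the lockoutTime schema GUID and InheritedObjectType is the user class GUID, which is what the Delegation of Control wizard writes for the same task.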

Author Comment

by:InSearchOf
ID: 37812182
Excellent! Thanks for the help.
LVL 26

Assisted Solution

by:Leon Fester
Leon Fester earned 1000 total points
ID: 37812397
Microsoft used to advocate the use of builtin groups first; not gonna bother looking for docs to prove a point, but... yeah, sorry! Getting ready for the long weekend.
Builtin groups have been around forever (since Windows  and the permissions associated with these groups have been researched and tested by Microsoft themselves.
Although it is always advisable to use the builtin groups, there are times when you may need to use delegation.
http://technet.microsoft.com/en-us/library/cc756898(v=ws.10).aspx

I'm not saying this to bash any of the advice given above, but sometimes people use delegation for the wrong reasons.
In cases where the builtin accounts don't offer the required permissions, then you're forced to use delegation.
See the article below, which debates Built-in Groups vs. Delegation, and then you decide which will work best for you.
http://www.windowsecurity.com/articles/built-in-groups-delegation.html

Based on your questions I'm assuming that you're not very experienced with setting up permissions.
You also state that you want to control permissions and responsibilities in the department.

The problem that I have with delegated permissions in "inexperienced" hands is that the permissions are hidden from you.
Not as easy to find/remember as opposed to checking group membership under the "Member Of" tab.
LVL 6

Expert Comment

by:emadallan
ID: 37812471
I don't agree with you that delegated permissions in "inexperienced" hands means the permissions are hidden from you, because any delegated privilege you assign to a user you will find in the Security tab of that OU, and from there you can see all the permissions that you have given to users and groups.
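Leon's concern that delegated permissions are harder to find than group membership, and emadallan's reply that they are all on the OU's Security tab, both come down to the same check: enumerate the explicit, non-inherited ACEs on every OU. This added PowerShell example (not from the thread) does that across the domain and translates the attribute and class GUIDs back to names, so a "write lockoutTime" delegation reads as such. It assumes the ActiveDirectory module (RSAT); the list of default principals it skips is an assumption to reduce noise.

```powershell
# Added example, not from the original thread: report delegated (explicit) ACEs on all OUs.
Import-Module ActiveDirectory

# Map schema and extended-right GUIDs to readable names so ObjectType is not an opaque GUID.
$root     = Get-ADRootDSE
$guidMap  = @{ ([guid]::Empty).ToString() = '(all)' }
Get-ADObject -SearchBase $root.schemaNamingContext -LDAPFilter '(schemaIDGUID=*)' `
             -Properties lDAPDisplayName, schemaIDGUID |
    ForEach-Object { $guidMap[([guid]$_.schemaIDGUID).ToString()] = $_.lDAPDisplayName }
Get-ADObject -SearchBase "CN=Extended-Rights,$($root.configurationNamingContext)" `
             -LDAPFilter '(objectClass=controlAccessRight)' -Properties rightsGuid, displayName |
    ForEach-Object { $guidMap[([guid]$_.rightsGuid).ToString()] = $_.displayName }

function Resolve-AdGuid([guid]$g) {
    $key = $g.ToString()
    if ($guidMap.ContainsKey($key)) { $guidMap[$key] } else { $key }
}

# Assumption: these principals hold ACEs on every OU by default and are not "delegations".
$defaultTrustees = '^(NT AUTHORITY\\|BUILTIN\\|S-1-5-32-|.*\\Domain Admins$|.*\\Enterprise Admins$)'

$report = foreach ($ou in Get-ADOrganizationalUnit -Filter *) {
    $acl = Get-Acl -Path "AD:\$($ou.DistinguishedName)"
    foreach ($ace in $acl.Access) {
        if ($ace.IsInherited) { continue }                      # explicit entries only
        $who = $ace.IdentityReference.Value
        if ($who -match $defaultTrustees) { continue }
        [pscustomobject]@{
            OU        = $ou.DistinguishedName
            Trustee   = $who
            Type      = $ace.AccessControlType
            Rights    = $ace.ActiveDirectoryRights
            Attribute = Resolve-AdGuid $ace.ObjectType            # e.g. lockoutTime
            AppliesTo = Resolve-AdGuid $ace.InheritedObjectType   # e.g. user
        }
    }
}
$report | Sort-Object OU, Trustee | Format-Table -AutoSize
```

Run it after each delegation change and keep the output; a diff between two runs shows exactly which trustee gained which attribute right on which OU.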