Domain Admins

We run Windows 2003 Active Directory on a single domain. I would like certain people to have the ability to unlock user accounts when they get locked out. Do they have to be Domain Admins to do this? I would rather not if I do not have to. I am trying to limit the number of Domain Admins we have but at the same time delegate more responsibility to certain individuals.
Asked by InSearchOf

tigermatt commented:
Nope. You just need to modify the security rights on the particular OU(s) to give the non-Domain Admin users the ability to read and write the "lockoutTime" attribute on User account objects.

You can either enable 'Advanced' view in AD Users & Computers and edit the Security tab directly, or use the Delegation of Control wizard, which was specifically designed to make setting security a breeze: http://technet.microsoft.com/en-us/library/cc732524.aspx

The various protected groups, but especially Administrators, Domain Admins and Enterprise Admins, really do need to be controlled and managed like they are the keys to the kingdom. A Domain Admin has ultimate control over the domain, and Enterprise Admins over the whole forest (if you're in a multi-domain environment) - including the ability to destroy it. No standard user account used on a day-to-day basis at a workstation should be assigned Domain Admin rights, and only those who are really trusted should have access to use such an account when required. Everything else can be delegated to users without elevating their rights to this level.

-Matt
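The attribute-level delegation described in this answer can also be scripted instead of clicked through in the wizard, which makes it repeatable and reviewable. The following is an added example, not code from this thread or from Microsoft. It assumes the RSAT ActiveDirectory PowerShell module (which provides the AD: drive); the OU distinguished name and the group name are placeholders to replace with your own.

```powershell
# Added example (not from the thread): grant a helpdesk group Read/Write on the
# lockoutTime attribute of user objects under one OU, which is the right a
# non-Domain Admin needs to unlock accounts there. Names below are placeholders.
Import-Module ActiveDirectory

$ouDN      = "OU=Staff,DC=example,DC=com"   # placeholder: OU holding the user accounts
$groupName = "Helpdesk-Unlock"              # placeholder: group that receives the right

# Look the schema GUIDs up at run time instead of hard-coding them.
$schemaNC        = (Get-ADRootDSE).schemaNamingContext
$lockoutTimeGuid = [guid](Get-ADObject -SearchBase $schemaNC `
                      -LDAPFilter "(lDAPDisplayName=lockoutTime)" `
                      -Properties schemaIDGUID).schemaIDGUID
$userClassGuid   = [guid](Get-ADObject -SearchBase $schemaNC `
                      -LDAPFilter "(lDAPDisplayName=user)" `
                      -Properties schemaIDGUID).schemaIDGUID

$groupSid = (Get-ADGroup -Identity $groupName).SID
$acl      = Get-Acl -Path "AD:\$ouDN"

# One ACE: ReadProperty + WriteProperty, scoped to the single attribute
# (ObjectType = lockoutTime) and applied only to descendant user objects
# (InheritedObjectType = user class), so nothing else on the OU is touched.
$rights = [System.DirectoryServices.ActiveDirectoryRights]::ReadProperty -bor
          [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty
$ace = New-Object -TypeName System.DirectoryServices.ActiveDirectoryAccessRule -ArgumentList @(
    $groupSid,
    $rights,
    [System.Security.AccessControl.AccessControlType]::Allow,
    $lockoutTimeGuid,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents,
    $userClassGuid)

$acl.AddAccessRule($ace)
Set-Acl -Path "AD:\$ouDN" -AclObject $acl

# Verify: show only the ACEs held by that group on the OU.
(Get-Acl -Path "AD:\$ouDN").Access |
    Where-Object { $_.IdentityReference -like "*\$groupName" } |
    Select-Object IdentityReference, ActiveDirectoryRights, ObjectType,
                  InheritedObjectType, InheritanceType
```

A member of the group can then run `Unlock-ADAccount -Identity <user>` (or use the Unlock checkbox in AD Users & Computers) for accounts under that OU only. The ActiveDirectory module needs a domain controller running Active Directory Web Services; on a Windows Server 2003 DC that means installing the Active Directory Management Gateway Service, otherwise use the Delegation of Control wizard or dsacls.exe from the answer's era to set the same ACE.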
 
emadallanCommented:
Here are the required steps:
http://support.microsoft.com/kb/294952/en-us
 
InSearchOfAuthor Commented:
Excellent! Thanks for the help.
 
Leon FesterConnect With a Mentor IT Project Change ManagerCommented:
Microsoft used to advocate the use of builtin groups first; not gonna bother looking for docs to prove a point, but... yeah, sorry! Getting ready for the long weekend.
Builtin groups have been around forever (since Windows ...) and the permissions associated with these groups have been researched and tested by Microsoft themselves.
Although it is always advisable to use the builtin groups, there are times when you may need to use delegation.
http://technet.microsoft.com/en-us/library/cc756898(v=ws.10).aspx

I'm not saying this to bash any of the advice given above, but sometimes people use delegation for the wrong reasons.
In cases where the builtin accounts don't offer the required permissions, then you're forced to use delegation.
See the article below, which debates Built-in Groups vs. Delegation, and then decide which will work best for you.
http://www.windowsecurity.com/articles/built-in-groups-delegation.html

Based on your questions I'm assuming that you're not very experienced with setting up permissions.
You also state that you want to control permissions and responsibilities in the department.

The problem that I have with delegated permissions in "inexperienced" hands is that the permissions are hidden from you.
They are not as easy to find/remember as checking group membership under the "Member Of" tab.
 
emadallanCommented:
I don't agree with you that delegated permissions in "inexperienced" hands are hidden from you! Because any delegated privilege you assign to a user, you will find in the Security tab of that OU, and from there you can see all the permissions that you have given to users and groups.
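The two comments above disagree on whether delegated rights are easy to find: one says they are hidden compared with a "Member Of" tab, the other that they are all in the OU's Security tab. Either way, per-OU clicking does not scale, so the practical check is to enumerate them. The following is an added example, not from this thread. It assumes the RSAT ActiveDirectory module; it lists every explicit (non-inherited) ACE on every OU, skips the principals that hold ACEs in a default AD layout (a list constructed here, adjust it for your domain), and translates attribute, class and extended-right GUIDs into names so an ACE scoped to lockoutTime reads as such.

```powershell
# Added example (not from the thread): enumerate explicit delegations on every OU so
# they can be reviewed as easily as group membership. Assumes the ActiveDirectory module.
Import-Module ActiveDirectory

$rootDse  = Get-ADRootDSE
$schemaNC = $rootDse.schemaNamingContext
$configNC = $rootDse.configurationNamingContext

# GUID -> name map for attributes/classes (schemaIDGUID) and extended rights (rightsGuid).
$guidName = @{}
Get-ADObject -SearchBase $schemaNC -LDAPFilter "(schemaIDGUID=*)" -Properties lDAPDisplayName, schemaIDGUID |
    ForEach-Object { $guidName[([guid]$_.schemaIDGUID).ToString()] = $_.lDAPDisplayName }
Get-ADObject -SearchBase "CN=Extended-Rights,$configNC" -LDAPFilter "(rightsGuid=*)" -Properties displayName, rightsGuid |
    ForEach-Object { $guidName[([guid]$_.rightsGuid).ToString()] = $_.displayName }

function Resolve-AceGuid([guid]$g) {
    # An empty GUID in an ACE means "all attributes" or "all object classes".
    if ($g -eq [guid]::Empty) { return "(all)" }
    $key = $g.ToString()
    if ($guidName.ContainsKey($key)) { return $guidName[$key] }
    return $key
}

# Principals that hold ACEs on an OU in a default AD layout (constructed list; tune for your domain).
# Anything else with an explicit ACE was delegated by someone.
$defaultPrincipals = @(
    'NT AUTHORITY\SYSTEM', 'NT AUTHORITY\SELF', 'NT AUTHORITY\Authenticated Users',
    'NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS', 'BUILTIN\Administrators',
    'BUILTIN\Account Operators', 'BUILTIN\Print Operators',
    'BUILTIN\Pre-Windows 2000 Compatible Access', 'Everyone', 'CREATOR OWNER')

$report = foreach ($ou in Get-ADOrganizationalUnit -Filter *) {
    $acl = Get-Acl -Path "AD:\$($ou.DistinguishedName)"
    foreach ($ace in $acl.Access) {
        if ($ace.IsInherited) { continue }                  # only what was set on this OU itself
        $who = $ace.IdentityReference.Value
        if ($defaultPrincipals -contains $who) { continue }
        if ($who -like '*\Domain Admins' -or $who -like '*\Enterprise Admins') { continue }
        [pscustomobject]@{
            OU            = $ou.DistinguishedName
            Principal     = $who
            Type          = $ace.AccessControlType
            Rights        = $ace.ActiveDirectoryRights
            AppliesTo     = Resolve-AceGuid $ace.ObjectType           # attribute or extended right
            OnObjectClass = Resolve-AceGuid $ace.InheritedObjectType  # e.g. user
            Inheritance   = $ace.InheritanceType
        }
    }
}

$report | Sort-Object OU, Principal | Format-Table -AutoSize
# For a reviewable baseline: $report | Export-Csv delegations.csv -NoTypeInformation
```

Run it once after delegating and keep the CSV; diffing a fresh run against the saved baseline shows any delegation that was added, widened or removed since, which addresses the "hidden permissions" worry without giving up delegation.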