Solved

Domain Admins

Posted on 2012-04-05
6
435 Views
Last Modified: 2012-04-19
We run Windows 2003 Active Directory on a single domain. I would like certain people to have the ability to unlock user accounts when they get locked out. Do they have to be Domain Admins to do this? I would rather not if I do not have to. I am trying to limit the number of Domain Admins we have but at the same time delegate more responsibility to certain individuals.
Question by:InSearchOf
6 Comments
 
LVL 6

Expert Comment

by:emadallan
ID: 37811835
here are the required steps:
http://support.microsoft.com/kb/294952/en-us
LVL 58

Accepted Solution

by: tigermatt (earned 250 total points)
ID: 37811863
Nope. You just need to modify the security rights on the particular OU(s) that the non-Domain Admin users will manage, to give those users the ability to read and write the "lockoutTime" attribute on User account objects.

You can either enable 'Advanced' view in AD Users & Computers, and edit the Security tab directly. Or, use the Delegation of Control wizard, which was specifically designed to make setting security a breeze: http://technet.microsoft.com/en-us/library/cc732524.aspx

The various protected groups, but especially Administrators, Domain Admins and Enterprise Admins, really do need to be controlled and managed like they are the keys to the kingdom. A Domain Admin has ultimate control over the domain, and Enterprise Admins over the whole forest (if you're in a multi-domain environment) - including the ability to destroy it. No standard user account used on a day-to-day basis at a workstation should be assigned Domain Admin rights, and only those who are really trusted should have access to use such an account when required. Everything else can be delegated to users without elevating their rights to this level.

-Matt
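As an added example (not tigermatt's code or Microsoft's), here is the same delegation done from PowerShell via ADSI, which also works against Windows 2003 AD: it grants one group read/write on the lockoutTime attribute of user objects under one OU and then lists the resulting ACEs. The OU DN and group name are placeholders you must replace.

```powershell
# Added example, not from the thread: delegate read/write on the lockoutTime
# attribute of user objects under one OU, then list the ACEs so the delegation
# is visible. $ouDN and $groupNT are placeholders; replace them with your own.
$ouDN    = "OU=Staff,DC=example,DC=com"   # assumed OU holding the user accounts
$groupNT = "EXAMPLE\Helpdesk"             # assumed group allowed to unlock accounts

# Look up schemaIDGUIDs from the schema rather than hard-coding them.
function Get-SchemaGuid([string]$cn) {
    $rootDSE  = [ADSI]"LDAP://RootDSE"
    $schemaNC = $rootDSE.psbase.Properties["schemaNamingContext"][0]
    $entry    = [ADSI]"LDAP://CN=$cn,$schemaNC"
    New-Object Guid (,[byte[]]$entry.psbase.Properties["schemaIDGUID"][0])
}
$lockoutGuid = Get-SchemaGuid "Lockout-Time"   # the lockoutTime attribute
$userGuid    = Get-SchemaGuid "User"           # the user object class

# Allow ReadProperty + WriteProperty on lockoutTime only, inherited by
# user objects below the OU (not the OU itself, not other object classes).
$sid = (New-Object System.Security.Principal.NTAccount($groupNT)).Translate(
          [System.Security.Principal.SecurityIdentifier])
$ace = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $sid,
    [System.DirectoryServices.ActiveDirectoryRights]"ReadProperty, WriteProperty",
    [System.Security.AccessControl.AccessControlType]::Allow,
    $lockoutGuid,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents,
    $userGuid)

$ou = [ADSI]"LDAP://$ouDN"
$ou.psbase.ObjectSecurity.AddAccessRule($ace)
$ou.psbase.CommitChanges()

# Audit: show every ACE on the OU granted to this group, so the delegation is
# as easy to review as a group membership.
function Get-DelegatedAces([string]$dn, [string]$identity) {
    $entry = [ADSI]"LDAP://$dn"
    $entry.psbase.ObjectSecurity.GetAccessRules($true, $true,
        [System.Security.Principal.NTAccount]) |
        Where-Object { $_.IdentityReference.Value -eq $identity } |
        Select-Object IdentityReference, ActiveDirectoryRights, ObjectType,
                      InheritedObjectType, InheritanceType, IsInherited
}
Get-DelegatedAces $ouDN $groupNT | Format-List
```

Run it as an account that is allowed to change the OU's security descriptor; the listed ObjectType should equal the lockoutTime schemaIDGUID and nothing broader.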

Author Comment

by:InSearchOf
ID: 37812182
Excellent! Thanks for the help.
LVL 26

Assisted Solution

by:Leon Fester
Leon Fester earned 250 total points
ID: 37812397
Microsoft used to advocate the use of builtin groups first; not gonna bother looking for docs to prove a point, but... yeah, sorry! Getting ready for the long weekend.
Builtin groups have been around forever (since Windows and the permissions associated with these groups have been researched and tested by Microsoft themselves.
Although it is always advisable to use the builtin groups, there are times when you may need to use delegation.
http://technet.microsoft.com/en-us/library/cc756898(v=ws.10).aspx

I'm not saying this to bash any of the advice given above, but sometimes people use delegation for the wrong reasons.
In cases where the builtin accounts don't offer the required permissions, then you're forced to use delegation.
See the article below, which debates Built-in Groups vs. Delegation, and then you decide which will work best for you.
http://www.windowsecurity.com/articles/built-in-groups-delegation.html

Based on your questions I'm assuming that you're not very experienced with setting up permissions.
You also state that you want to control permissions and responsibilities in the department.

The problem that I have with delegated permissions in "inexperienced" hands is that the permissions are hidden from you.
Not as easy to find/remember as checking group membership under the "Member Of" tab.
LVL 6

Expert Comment

by:emadallan
ID: 37812471
I don't agree with you that delegated permissions in "inexperienced" hands are hidden from you! Because any delegated privilege you assign to a user, you will find it in the Security tab of that OU, and from there you can see all the permissions that you have given to users and groups.