Solved

Domain Admins

Posted on 2012-04-05
437 Views
Last Modified: 2012-04-19
We run Windows 2003 Active Directory on a single domain. I would like certain people to have the ability to unlock user accounts when they get locked out. Do they have to be Domain Admins to do this? I would rather not if I do not have to. I am trying to limit the number of Domain Admins we have but at the same time delegate more responsibility to certain individuals.
Question by:InSearchOf
6 Comments
 
LVL 6

Expert Comment

by:emadallan
ID: 37811835
Here are the required steps:
http://support.microsoft.com/kb/294952/en-us
 
LVL 58

Accepted Solution

by: tigermatt (earned 250 total points)
ID: 37811863
Nope. You just need to modify the security rights on the particular OU(s) to give those non-Domain Admin users the ability to read and write the "lockoutTime" attribute on User account objects.

You can either enable 'Advanced' view in AD Users & Computers, and edit the Security tab directly. Or, use the Delegation of Control wizard, which was specifically designed to make setting security a breeze: http://technet.microsoft.com/en-us/library/cc732524.aspx

The various protected groups, but especially Administrators, Domain Admins and Enterprise Admins, really do need to be controlled and managed like they are the keys to the kingdom. A Domain Admin has ultimate control over the domain, and Enterprise Admins over the whole forest (if you're in a multi-domain environment) - including the ability to destroy it. No standard user account used on a day-to-day basis at a workstation should be assigned Domain Admin rights, and only those who are really trusted should have access to use such an account when required. Everything else can be delegated to users without elevating their rights to this level.

-Matt
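The lockoutTime delegation Matt describes, scripted instead of clicked through the Security tab or the wizard. This is an added example, not code from the thread: it uses System.DirectoryServices (usable against a Windows 2003 domain without the AD PowerShell module), and the OU, domain and group names are placeholders.

```powershell
# Added example: grant a helpdesk group read/write on the lockoutTime attribute
# of user objects beneath one OU, so its members can unlock accounts without
# Domain Admin membership. OU, domain and group names are placeholders.
Add-Type -AssemblyName System.DirectoryServices

$ouPath   = 'LDAP://OU=Staff,DC=corp,DC=example'     # placeholder target OU
$groupSid = (New-Object System.Security.Principal.NTAccount('CORP', 'Helpdesk-Unlock')).
    Translate([System.Security.Principal.SecurityIdentifier])   # placeholder group

# Resolve schemaIDGUIDs from the schema rather than hard-coding them.
function Get-SchemaGuid([string]$ldapDisplayName) {
    $rootDse  = New-Object System.DirectoryServices.DirectoryEntry('LDAP://RootDSE')
    $schemaNc = $rootDse.Properties['schemaNamingContext'].Value
    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.SearchRoot = New-Object System.DirectoryServices.DirectoryEntry("LDAP://$schemaNc")
    $searcher.Filter     = "(lDAPDisplayName=$ldapDisplayName)"
    [void]$searcher.PropertiesToLoad.Add('schemaIDGUID')
    $result = $searcher.FindOne()
    if (-not $result) { throw "Schema object '$ldapDisplayName' not found" }
    return [guid]($result.Properties['schemaIDGUID'][0])
}

$lockoutTimeGuid = Get-SchemaGuid 'lockoutTime'   # the one attribute being delegated
$userClassGuid   = Get-SchemaGuid 'user'          # limit the ACE to user objects

$rights = [System.DirectoryServices.ActiveDirectoryRights]::ReadProperty -bor
          [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty

# ACE: Allow <group> ReadProperty+WriteProperty on lockoutTime, inherited by
# descendant objects of class user only (not the OU itself, not other classes).
$rule = New-Object System.DirectoryServices.ActiveDirectoryAccessRule -ArgumentList @(
    $groupSid,
    $rights,
    [System.Security.AccessControl.AccessControlType]::Allow,
    $lockoutTimeGuid,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents,
    $userClassGuid
)

$ou = New-Object System.DirectoryServices.DirectoryEntry($ouPath)
$ou.ObjectSecurity.AddAccessRule($rule)
$ou.CommitChanges()   # writes the modified DACL back to the OU
```

Run it once per OU that holds the accounts in question; it needs to be run by someone who already has permission to modify the OU's security descriptor.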
 

Author Comment

by:InSearchOf
ID: 37812182
Excellent! Thanks for the help.
 
LVL 26

Assisted Solution

by: Leon Fester (earned 250 total points)
ID: 37812397
Microsoft used to advocate the use of builtin groups first; not gonna bother looking for docs to prove a point, but yeah, sorry! Getting ready for the long weekend.
Builtin groups have been around forever (since Windows ) and the permissions associated with these groups have been researched and tested by Microsoft themselves.
Although it is always advisable to use the builtin groups, there are times when you may need to use delegation.
http://technet.microsoft.com/en-us/library/cc756898(v=ws.10).aspx

I'm not saying this to bash any of the advice given above, but sometimes people use delegation for the wrong reasons.
In cases where the builtin accounts don't offer the required permissions, then you're forced to use delegation.
See the article below, which debates Built-in Groups vs. Delegation, and then you decide which will work best for you.
http://www.windowsecurity.com/articles/built-in-groups-delegation.html

Based on your question I'm assuming that you're not very experienced with setting up permissions.
You also state that you want to control permissions and responsibilities in the department.

The problem that I have with delegated permissions in "inexperienced" hands is that the permissions are hidden from you.
Not as easy to find/remember as opposed to checking group membership under the "Member Of" tab.
 
LVL 6

Expert Comment

by:emadallan
ID: 37812471
I don't agree with you that delegated permissions in "inexperienced" hands are hidden from you, because any delegated privilege you assign to a user you will find in the Security tab of that OU, and from there you can see all the permissions that you have given to users and groups.
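Leon's concern is that delegated rights are easy to lose track of; emadallan's reply is that they sit on the OU's Security tab. The script below is an added example, not from the thread: it lists the explicit (non-inherited) ACEs on an OU with the attribute, class and extended-right GUIDs resolved to names, so a grant such as "write lockoutTime on user objects" reads as exactly that. The OU name is a placeholder.

```powershell
# Added example: audit the explicit ACEs on an OU, translating GUIDs to names.
# Uses System.DirectoryServices only; the OU path is a placeholder.
Add-Type -AssemblyName System.DirectoryServices

$ouPath  = 'LDAP://OU=Staff,DC=corp,DC=example'   # placeholder target OU
$rootDse = New-Object System.DirectoryServices.DirectoryEntry('LDAP://RootDSE')

# Build GUID -> name map: schemaIDGUID of attributes/classes, and rightsGuid of
# extended rights (e.g. "Reset Password") from the configuration partition.
function Get-GuidMap {
    $map      = @{}
    $schemaNc = $rootDse.Properties['schemaNamingContext'].Value
    $configNc = $rootDse.Properties['configurationNamingContext'].Value
    $s = New-Object System.DirectoryServices.DirectorySearcher
    $s.PageSize = 1000   # the schema exceeds the default 1000-object size limit
    $s.SearchRoot = New-Object System.DirectoryServices.DirectoryEntry("LDAP://$schemaNc")
    $s.Filter = '(schemaIDGUID=*)'
    [void]$s.PropertiesToLoad.AddRange([string[]]@('lDAPDisplayName', 'schemaIDGUID'))
    foreach ($r in $s.FindAll()) {
        $g = [guid]($r.Properties['schemaIDGUID'][0])
        $map[$g] = [string]$r.Properties['lDAPDisplayName'][0]
    }
    $s.SearchRoot = New-Object System.DirectoryServices.DirectoryEntry("LDAP://CN=Extended-Rights,$configNc")
    $s.Filter = '(objectClass=controlAccessRight)'
    $s.PropertiesToLoad.Clear()
    [void]$s.PropertiesToLoad.AddRange([string[]]@('displayName', 'rightsGuid'))
    foreach ($r in $s.FindAll()) {
        $g = [guid]([string]$r.Properties['rightsGuid'][0])
        $map[$g] = [string]$r.Properties['displayName'][0]
    }
    return $map
}

$guidMap = Get-GuidMap
$ou = New-Object System.DirectoryServices.DirectoryEntry($ouPath)
# includeExplicit=$true, includeInherited=$false: only ACEs set on this OU itself
$ou.ObjectSecurity.GetAccessRules($true, $false, [System.Security.Principal.NTAccount]) |
    ForEach-Object {
        [pscustomobject]@{
            Identity  = $_.IdentityReference.Value
            Type      = $_.AccessControlType
            Rights    = $_.ActiveDirectoryRights
            Object    = $(if ($_.ObjectType -eq [guid]::Empty) { '(all)' } else { $guidMap[$_.ObjectType] })
            AppliesTo = $(if ($_.InheritedObjectType -eq [guid]::Empty) { '(all classes)' } else { $guidMap[$_.InheritedObjectType] })
            Inherit   = $_.InheritanceType
        }
    } | Format-Table -AutoSize
```

Running this across the OUs where delegation was used gives the inventory Leon is asking for; a lockoutTime grant shows up as Rights ReadProperty, WriteProperty with Object lockoutTime and AppliesTo user.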