

Password reset for a user or moving them not possible for some AD administrators

Posted on 2012-09-10
Medium Priority
Last Modified: 2012-10-04
Hi there,

we have a problem with our Active Directory administrators. Some of them are not able to reset a password for some users or move them to another OU. They are NOT domain admins. Do you know some best practices for setting rights for such administrators? They primarily have to manage user accounts (add/delete users, move them...), add user-groups and add computers to the domain. Another admin is responsible for managing the OUs and another one for managing the group policies.
Are there issues with the owner of a user, e.g. if a domain admin has created it, a "normal" admin cannot manage it completely?

Some tips would be great!

Regards, Ralph
Question by:maxworx
LVL 39

Assisted Solution

by:Krzysztof Pytko
Krzysztof Pytko earned 750 total points
ID: 38382455
You should consider task delegation in this case, using the Active Directory Rights Delegation wizard.

If you're interested, please visit my blog and read article for that

LVL 11

Accepted Solution

Tasmant earned 750 total points
ID: 38382464
Hi Ralph,

You could study this great documentation, online or offline.

To quickly answer your question, your administrators responsible for the same tasks should be added to a security group especially designed for this role.
This security group should get rights on Active Directory tree, basically:
- Reset Password for User Object only
- Delete/Create User Object (this operation results in a "move": delete from start OU, create in destination OU)
- Modify attributes member/memberof for User Object and Group Object

Managing OUs should be in a separate role, as well as managing Group Policies. You have to add the requested security groups on each GPO object. There is another way, but it requires changing the Schema.

Hope this will help you.
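As an added example (not code from either answer above), here is the role-group delegation the accepted answer describes, written as explicit ACEs on an OU with the ActiveDirectory PowerShell module. The OU path `OU=Staff,DC=corp,DC=example` and the group name `Role-UserAdmins` are assumptions.

```powershell
# Added example: grant one role group the three rights from the accepted answer.
# Assumed names (not from the thread): OU 'OU=Staff,DC=corp,DC=example', group 'Role-UserAdmins'.
Import-Module ActiveDirectory

$ou    = 'OU=Staff,DC=corp,DC=example'
$group = Get-ADGroup 'Role-UserAdmins'
$sid   = [System.Security.Principal.SecurityIdentifier]$group.SID

# Look up the class/attribute GUIDs and the extended-right GUID in this forest's schema
# rather than hard-coding them.
$rootDse   = Get-ADRootDSE
$schemaGuid = @{}
Get-ADObject -SearchBase $rootDse.schemaNamingContext `
    -LDAPFilter '(|(lDAPDisplayName=user)(lDAPDisplayName=group)(lDAPDisplayName=member))' `
    -Properties lDAPDisplayName, schemaIDGUID |
    ForEach-Object { $schemaGuid[$_.lDAPDisplayName] = [guid]$_.schemaIDGUID }
$resetPwd = [guid](Get-ADObject -SearchBase "CN=Extended-Rights,$($rootDse.configurationNamingContext)" `
    -LDAPFilter '(displayName=Reset Password)' -Properties rightsGuid).rightsGuid

$acl   = Get-Acl -Path "AD:\$ou"
$allow = [System.Security.AccessControl.AccessControlType]::Allow

# 1. Reset Password: an extended right, scoped to descendant user objects only.
$acl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $sid, 'ExtendedRight', $allow, $resetPwd, 'Descendents', $schemaGuid['user'])))

# 2. Create/Delete user objects in this OU and its sub-OUs. A Move-ADObject between two
#    delegated OUs also needs Write on the object's name/cn attributes.
$acl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $sid, 'CreateChild, DeleteChild', $allow, $schemaGuid['user'], 'All')))

# 3. Read/Write the member attribute on descendant group objects.
#    memberOf is a computed back-link and is never written directly.
$acl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $sid, 'ReadProperty, WriteProperty', $allow, $schemaGuid['member'], 'Descendents', $schemaGuid['group'])))

Set-Acl -Path "AD:\$ou" -AclObject $acl

# Verify: list exactly what the role group was granted on the OU.
(Get-Acl -Path "AD:\$ou").Access |
    Where-Object { $_.IdentityReference -like '*\Role-UserAdmins' } |
    Format-Table ActiveDirectoryRights, ObjectType, InheritanceType, InheritedObjectType -AutoSize
```

Run it as an account that holds Modify Permissions on the OU; the final listing should show only the three ACEs and nothing broader such as GenericAll.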
