Password reset for a user or moving them not possible for some AD administrators

Posted on 2012-09-10
Last Modified: 2012-10-04
Hi there,

we have a problem with our Active Directory administrators. Some of them are not able to reset a password for some users or move them to another OU. They are NOT domain admins. Do you know some best practices for setting rights for such administrators? They primarily have to manage user accounts (add/delete users, move them...), add user groups and add computers to the domain. Another admin is responsible for managing the OUs and another one for managing the group policies.
Are there issues with the owner of a user, e.g. if a domain admin has created it, a "normal" admin can not manage it completely?

Some tips would be great!

Regards, Ralph
Question by: maxworx

    Assisted Solution by: Krzysztof Pytko
    In this case you should consider task delegation using the Active Directory Rights Delegation wizard.

    If you're interested, please visit my blog and read the article about that.

    Accepted Solution

    Hi Ralph,

    You could study this great documentation, online or offline.

    To quickly answer your question, your administrators responsible for the same tasks should be added to a security group especially designed for this role.
    This security group should get rights on the Active Directory tree, basically:
    - Reset Password for User Object only
    - Delete/Create User Object (this operation results in a "move": delete from the start OU, create in the destination OU)
    - Modify attributes member/memberof for User Object and Group Object

    Managing OUs should be a separate role, as well as managing Group Policies. You have to add the requested security groups to each GPO object. There is another way, but it requires changing the schema.

    Hope this will help you.
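    As an added example (not code from the thread or either answerer), this is how the three rights listed in the accepted solution can be granted to a role security group with the ActiveDirectory PowerShell module; the group name, OU and domain are placeholders, and the GUIDs are the well-known schema and extended-right identifiers.

```powershell
# Added example (not from the thread): grant a role group the rights the
# accepted answer lists, scoped to one OU. Group, OU and domain are placeholders.
Import-Module ActiveDirectory

$roleGroup = 'Role-UserAdmins'              # assumed: role group for user admins
$ouDN      = 'OU=Staff,DC=example,DC=com'   # assumed: OU this role manages

# Well-known schema / extended-right GUIDs (identical in every forest)
$userClass     = [Guid]'bf967aba-0de6-11d0-a285-00aa003049e2'  # user class
$groupClass    = [Guid]'bf967a9c-0de6-11d0-a285-00aa003049e2'  # group class
$ouClass       = [Guid]'bf967aa5-0de6-11d0-a285-00aa003049e2'  # organizationalUnit class
$memberAttr    = [Guid]'bf9679c0-0de6-11d0-a285-00aa003049e2'  # member attribute
$resetPassword = [Guid]'00299570-246d-11d0-a768-00aa006e0529'  # Reset Password right
$pwdLastSet    = [Guid]'bf967a0a-0de6-11d0-a285-00aa003049e2'  # pwdLastSet attribute

$sid = (Get-ADGroup -Identity $roleGroup).SID
$acl = Get-Acl -Path "AD:\$ouDN"

# Helper: one Allow ACE for the role group. $Inherit is 'All' (OU itself plus
# descendants) or 'Descendents'; $AppliesTo limits which descendant class inherits it.
function New-RoleAce {
    param([string]$Rights, [Guid]$ObjectType, [string]$Inherit, [Guid]$AppliesTo = [Guid]::Empty)
    New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
        $sid, $Rights, 'Allow', $ObjectType, $Inherit, $AppliesTo)
}

$rules = @(
    # 1. Create/delete user objects in this OU and every child OU (the "move")
    (New-RoleAce 'CreateChild, DeleteChild' $userClass 'All' $ouClass),
    # 2. Reset Password on user objects only, not on computers or groups
    (New-RoleAce 'ExtendedRight' $resetPassword 'Descendents' $userClass),
    #    plus pwdLastSet, so "must change password at next logon" can be ticked
    (New-RoleAce 'WriteProperty' $pwdLastSet 'Descendents' $userClass),
    # 3. Write member on group objects (memberOf is a back-link and is never written)
    (New-RoleAce 'WriteProperty' $memberAttr 'Descendents' $groupClass)
)
foreach ($rule in $rules) { $acl.AddAccessRule($rule) }
Set-Acl -Path "AD:\$ouDN" -AclObject $acl

# Check: show exactly which ACEs the role group now holds on the OU
(Get-Acl -Path "AD:\$ouDN").Access |
    Where-Object { $_.IdentityReference -like "*\$roleGroup" } |
    Format-Table ActiveDirectoryRights, ObjectType, InheritedObjectType, InheritanceType

# Caveat for the "created by a domain admin" question: accounts with adminCount=1
# (members of protected groups) get their ACL rewritten from CN=AdminSDHolder,
# so OU delegation never reaches them. List any such accounts under the OU:
Get-ADUser -SearchBase $ouDN -LDAPFilter '(adminCount=1)' | Select-Object Name, DistinguishedName
```

    Run it as an account allowed to modify the OU's ACL, then compare the verification output with what the delegation wizard shows in Active Directory Users and Computers; GPO delegation is a separate step and not covered here.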
