Solved

Limited Active Directory permissions for non admin user

Posted on 2013-01-17
5
1,188 Views
Last Modified: 2013-01-17
Hello,
We have hired a Level 1 tech with about a year of experience. we want him to be able to reset passwords and unlock user accounts in active directory without giving him admin rights. i vaguely remember an AD tool (MMC) that was loaded to the local machine that would do this but i read somewhere that it was discontinued after Server 2000.

Any Ideas?

Thanks, and here is relevent info.

Server 2008.
0
Comment
Question by:CLSmithAdmin
  • 3
  • 2
5 Comments
 
LVL 57

Expert Comment

by:Mike Kline
ID: 38788010
Great question and good thought to not give them domain admin.  The tool they would use is Active Directory Users and Computers

You can delegate tasks to the Level 1 tech using the delegation control wizard.  The wizard gives you some decent default choices.

You can also extend that wizard

http://adisfun.blogspot.com/2009/08/extend-ad-delegation-control-wizard.html

Thanks

Mike
0
 

Author Comment

by:CLSmithAdmin
ID: 38788096
Thank you for this, but how then does the user get to AD users and groups? he doesn't have rights to log into the Domain controller where AD is located. is there a remote MMC for AD Users and Computers? I suggested to my counterpart a RDP session directly to that, using admin credentials, but he is skeptical.
0
 
LVL 57

Accepted Solution

by:
Mike Kline earned 500 total points
ID: 38788159
You can download the RSAT tools on the users machine   http://www.microsoft.com/en-us/download/details.aspx?id=7887

more on the install http://www.petri.co.il/remote-server-administration-tools-for-windows-7.htm

Thanks

Mike
0
 

Author Comment

by:CLSmithAdmin
ID: 38788258
Thank you very much!
0
 
LVL 57

Expert Comment

by:Mike Kline
ID: 38788418
No problem, and nice work not making him an admin.

Thanks

Mike
0

Featured Post

NAS Cloud Backup Strategies

This article explains backup scenarios when using network storage. We review the so-called “3-2-1 strategy” and summarize the methods you can use to send NAS data to the cloud

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Restoring deleted objects in Active Directory has been a standard feature in Active Directory for many years, yet some admins may not know what is available.
This script can help you clean up your user profile database by comparing profiles to Active Directory users in a particular OU, and removing the profiles that don't match.
This tutorial will walk an individual through the process of transferring the five major, necessary Active Directory Roles, commonly referred to as the FSMO roles to another domain controller. Log onto the new domain controller with a user account t…
This tutorial will walk an individual through setting the global and backup job media overwrite and protection periods in Backup Exec 2012. Log onto the Backup Exec Central Administration Server. Examine the services. If all or most of them are stop…

831 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question