?
Solved

Limited Active Directory permissions for non admin user

Posted on 2013-01-17
5
Medium Priority
?
1,201 Views
Last Modified: 2013-01-17
Hello,
We have hired a Level 1 tech with about a year of experience. we want him to be able to reset passwords and unlock user accounts in active directory without giving him admin rights. i vaguely remember an AD tool (MMC) that was loaded to the local machine that would do this but i read somewhere that it was discontinued after Server 2000.

Any Ideas?

Thanks, and here is relevent info.

Server 2008.
0
Comment
Question by:CLSmithAdmin
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 3
  • 2
5 Comments
 
LVL 57

Expert Comment

by:Mike Kline
ID: 38788010
Great question and good thought to not give them domain admin.  The tool they would use is Active Directory Users and Computers

You can delegate tasks to the Level 1 tech using the delegation control wizard.  The wizard gives you some decent default choices.

You can also extend that wizard

http://adisfun.blogspot.com/2009/08/extend-ad-delegation-control-wizard.html

Thanks

Mike
0
 

Author Comment

by:CLSmithAdmin
ID: 38788096
Thank you for this, but how then does the user get to AD users and groups? he doesn't have rights to log into the Domain controller where AD is located. is there a remote MMC for AD Users and Computers? I suggested to my counterpart a RDP session directly to that, using admin credentials, but he is skeptical.
0
 
LVL 57

Accepted Solution

by:
Mike Kline earned 2000 total points
ID: 38788159
You can download the RSAT tools on the users machine   http://www.microsoft.com/en-us/download/details.aspx?id=7887

more on the install http://www.petri.co.il/remote-server-administration-tools-for-windows-7.htm

Thanks

Mike
0
 

Author Comment

by:CLSmithAdmin
ID: 38788258
Thank you very much!
0
 
LVL 57

Expert Comment

by:Mike Kline
ID: 38788418
No problem, and nice work not making him an admin.

Thanks

Mike
0

Featured Post

Office 365 Training for Admins - 7 Day Trial

Learn how to provision tenants, synchronize on-premise Active Directory, implement Single Sign-On, customize Office deployment, and protect your organization with eDiscovery and DLP policies.  Only from Platform Scholar.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Uncontrolled local administrators groups within any organization pose a huge security risk. Because these groups are locally managed it becomes difficult to audit and maintain them.
This process allows computer passwords to be managed and secured without using LAPS. This is an improvement on an existing process, enhanced to store password encrypted, instead of clear-text files within SQL
This tutorial will walk an individual through locating and launching the BEUtility application to properly change the service account username and\or password in situation where it may be necessary or where the password has been inadvertently change…
This tutorial will walk an individual through the steps necessary to join and promote the first Windows Server 2012 domain controller into an Active Directory environment running on Windows Server 2008. Determine the location of the FSMO roles by lo…

719 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question