?
Solved

How do I provide limited Active Directory access so that a Helpdesk tech can utilize it to perform basic functions?

Posted on 2014-01-02
7
Medium Priority
?
364 Views
Last Modified: 2014-01-20
I have a Helpdesk tech that I would like to offload basic SysAdmin duties to. I would like to provide him access to Active Directory to do the simple functions like resetting Windows account, unlocking accounts, and changing password, etc. How do I configure AD for him so that he can perform only these functions? I do not want to give more access than that.

Environment: AD on Windows Server 2008 R2 Enterprise
0
Comment
Question by:jaedenone
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
7 Comments
 
LVL 19

Accepted Solution

by:
Jeremy Weisinger earned 1000 total points
ID: 39753180
The Delegation of Control wizard should do the trick for you:
http://technet.microsoft.com/en-us/library/dd145344.aspx
0
 
LVL 59

Expert Comment

by:Cliff Galiher
ID: 39753182
This is a built in feature of Active Directory and is known as authority delegation. A good starting document is here:

http://technet.microsoft.com/en-us/magazine/2007.02.activedirectory.aspx

Technet has a best practices guide and several more write-ups as well.
0
 
LVL 25

Expert Comment

by:Zephyr ICT
ID: 39753183
Yes, like Jeremy mentioned, the delegation wizard will help you out nicely.

There's a nice how-to to be found here: http://kpytko.pl/2012/05/16/active-directory-rights-delegation-overview/
0
2017 Webroot Threat Report

MSPs: Get the facts you need to protect your clients.
The 2017 Webroot Threat Report provides a uniquely insightful global view into the analysis and discoveries made by the Webroot® Threat Intelligence Platform to provide insights on key trends and risks as seen by our users.

 
LVL 4

Expert Comment

by:Pradeep VIshwakarma
ID: 39753299
However, always delegate rights to groups instead of individual users. Create a dedicated security group just for this particular rights delegation. It is much easier to manage those delegated rights by add/removing group membership than having to go back into the wizard or the security screen when you need make a change down the road.

Using a group makes the change more visible. No one would know a change has been made unless you go digging or have excellent documentation when making individual right changes to objects.

or


    Right Click on the OU that contains those users whose passwords you want to be reset
    Delegate Control
    Select the group/user you want to delegate rights to, Next.
    Select Create a custom task to delegate, Next.
    Select 'Only the following objects in the folder'
    Select 'User objects', Next.
    Unselect general
    Select property-specific
    Select read lockout time
    Select write lockout time
    Next, Finish.
0
 
LVL 53

Expert Comment

by:Will Szymkowski
ID: 39753529
Typically when providing delegated access to groups I would personally create a new OU called Delegation Task (or something meaningful) and put all of the groups in the OU. From there you can then restrict access to this OU so that modifications cannot be done by anyone without access.

Security groups should also have meaningful names as well some examples would be

AD_USER_MOD (group to modify AD User attributes)
AD_COMP_MOD (group to modify AD Computer attributes)
AD_PASS_RESET (group to reset passwords for user account)
etc...

This is totally optional and I just wanted to provide some insight that having a meaningful displayname is much nicer than filling out the "description", althought still a good practice to do both.

Will.
0
 
LVL 24

Expert Comment

by:Sandeshdubey
ID: 39755713
In addition you can also refer below KB link.

How to Delegate Basic Server Administration To Junior Administrators  http://support.microsoft.com/kb/555986
0
 
LVL 4

Expert Comment

by:michaelalphi
ID: 39764311
The good way to do this is by creating an OU structure so that you can delegate permissions and GPOs separately to different objects of AD. Please check this link for more info.
0

Featured Post

2017 Webroot Threat Report

MSPs: Get the facts you need to protect your clients.
The 2017 Webroot Threat Report provides a uniquely insightful global view into the analysis and discoveries made by the Webroot® Threat Intelligence Platform to provide insights on key trends and risks as seen by our users.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Microsoft Office 365 is a subscriptions based service which includes services like Exchange Online and Skype for business Online. These services integrate with Microsoft's online version of Active Directory called Azure Active Directory.
Active Directory can easily get cluttered with unused service, user and computer accounts. In this article, I will show you the way I like to implement ADCleanup..
To efficiently enable the rotation of USB drives for backups, storage pools need to be created. This way no matter which USB drive is installed, the backups will successfully write without any administrative intervention. Multiple USB devices need t…
This video shows how to use Hyena, from SystemTools Software, to bulk import 100 user accounts from an external text file. View in 1080p for best video quality.
Suggested Courses

777 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question