asked on
How do I provide limited Active Directory access so that a Helpdesk tech can utilize it to perform basic functions?
I have a Helpdesk tech that I would like to offload basic SysAdmin duties to. I would like to provide him access to Active Directory to do the simple functions like resetting Windows account, unlocking accounts, and changing password, etc. How do I configure AD for him so that he can perform only these functions? I do not want to give more access than that.
Environment: AD on Windows Server 2008 R2 Enterprise
Environment: AD on Windows Server 2008 R2 Enterprise
Active DirectoryWindows Server 2008Network Security
Last Comment
michaelalphi
ASKER CERTIFIED SOLUTION
THIS SOLUTION ONLY AVAILABLE TO MEMBERS.
View this solution by signing up for a free trial.
Members can start a 7-Day free trial and enjoy unlimited access to the platform.
Yes, like Jeremy mentioned, the delegation wizard will help you out nicely.
There's a nice how-to to be found here: http://kpytko.pl/2012/05/16/active-directory-rights-delegation-overview/
There's a nice how-to to be found here: http://kpytko.pl/2012/05/16/active-directory-rights-delegation-overview/
However, always delegate rights to groups instead of individual users. Create a dedicated security group just for this particular rights delegation. It is much easier to manage those delegated rights by add/removing group membership than having to go back into the wizard or the security screen when you need make a change down the road.
Using a group makes the change more visible. No one would know a change has been made unless you go digging or have excellent documentation when making individual right changes to objects.
or
Right Click on the OU that contains those users whose passwords you want to be reset
Delegate Control
Select the group/user you want to delegate rights to, Next.
Select Create a custom task to delegate, Next.
Select 'Only the following objects in the folder'
Select 'User objects', Next.
Unselect general
Select property-specific
Select read lockout time
Select write lockout time
Next, Finish.
Using a group makes the change more visible. No one would know a change has been made unless you go digging or have excellent documentation when making individual right changes to objects.
or
Right Click on the OU that contains those users whose passwords you want to be reset
Delegate Control
Select the group/user you want to delegate rights to, Next.
Select Create a custom task to delegate, Next.
Select 'Only the following objects in the folder'
Select 'User objects', Next.
Unselect general
Select property-specific
Select read lockout time
Select write lockout time
Next, Finish.
Typically when providing delegated access to groups I would personally create a new OU called Delegation Task (or something meaningful) and put all of the groups in the OU. From there you can then restrict access to this OU so that modifications cannot be done by anyone without access.
Security groups should also have meaningful names as well some examples would be
AD_USER_MOD (group to modify AD User attributes)
AD_COMP_MOD (group to modify AD Computer attributes)
AD_PASS_RESET (group to reset passwords for user account)
etc...
This is totally optional and I just wanted to provide some insight that having a meaningful displayname is much nicer than filling out the "description", althought still a good practice to do both.
Will.
Security groups should also have meaningful names as well some examples would be
AD_USER_MOD (group to modify AD User attributes)
AD_COMP_MOD (group to modify AD Computer attributes)
AD_PASS_RESET (group to reset passwords for user account)
etc...
This is totally optional and I just wanted to provide some insight that having a meaningful displayname is much nicer than filling out the "description", althought still a good practice to do both.
Will.
In addition you can also refer below KB link.
How to Delegate Basic Server Administration To Junior Administrators http://support.microsoft.com/kb/555986
How to Delegate Basic Server Administration To Junior Administrators http://support.microsoft.com/kb/555986
The good way to do this is by creating an OU structure so that you can delegate permissions and GPOs separately to different objects of AD. Please check this link for more info.
http://technet.microsoft.com/en-us/magazine/2007.02.activedirectory.aspx
Technet has a best practices guide and several more write-ups as well.