Solved

Delegate help desk To unlock AD Accounts:

Posted on 2014-01-13
Last Modified: 2014-01-13
I need to delegate Helpdesk to unlock AD accounts for users that have higher privileges than the Desktop users who have only Domain Users privileges.

I believe this can be done through AD Delegation

Any step by step with screenshots will be very much helpful.

Thanks
Question by:jskfan
 
LVL 22

Assisted Solution

by:Joseph Moody
Joseph Moody earned 100 total points
ID: 39777352
0
 
LVL 53

Assisted Solution

by:Will Szymkowski
Will Szymkowski earned 400 total points
ID: 39777353
Yes, you are correct. You can accomplish this using the Delegation of Control Wizard.

The following link illustrates exactly how to do this providing screenshots.

Reset Password Delegation of Control Wizard.
http://community.spiceworks.com/how_to/show/1464-how-to-delegate-password-reset-permissions-for-your-it-staff

Will.
0
 

Author Comment

by:jskfan
ID: 39778051
When you apply the delegation at OU level, it should apply to only that OU... Correct?
But how do I verify that the delegation was applied to only that OU,
and confirm that the user group I gave permissions to unlock accounts at OU1 is not able to do the same at OU2 level?

Thanks
0
 

Author Comment

by:jskfan
ID: 39778054
I found out checking the security tab of an OU will show if the user group I gave permission is there or not... disregard my last comment....
0
 

Author Comment

by:jskfan
ID: 39778060
However, if I open up the properties of the user group I gave permissions to, click Advanced, then select the group and click Edit, next to "Apply to:" it shows "Descendant User objects".
It does not tell you which OU it is applied to...
0
 
LVL 53

Assisted Solution

by:Will Szymkowski
Will Szymkowski earned 400 total points
ID: 39778073
No, it does not. If you compare the OUs, one that has delegated control and another that does not, you will see on Advanced > Security that the permissions are different.

If you apply the permissions to a top-level OU, all OUs underneath it will inherit the permission by default. You can, however, go into Advanced Security and remove the inheritance (not sure why you would want to), but you can.

The only way you can delegate permissions which will affect all top-level OUs is applying the same Delegation of Control to the domain (I do not recommend this).

For testing, when a user tries to modify AD objects that are not in an OU where permission was delegated, it will appear as if they can make the change, but as soon as they try to apply the change it will give them an Access Denied error.


Will.
0
 

Author Comment

by:jskfan
ID: 39778121
But how do you audit the user group to see which objects it has permissions on?
When I go back to the user group I created and gave delegation to, I cannot tell which OU it has delegation on...

Until I go to the OU; then I see the user group there under the Security tab.
0
 
LVL 53

Accepted Solution

by:
Will Szymkowski earned 400 total points
ID: 39778156
In Active Directory there are no native tools to accomplish this. You will need to purchase 3rd party tools which will allow you to accomplish what you're looking for. My personal advice is, if you are not looking to purchase additional software, you can use the Description field for the group and specify the OUs that it has been set up for delegation on.

Some of the big providers for AD Tools would be Manage Engine and Quest Software (Dell).

Manage Engine AD Manager - http://www.manageengine.com/products/ad-manager/index.html?ADMPID=50006&kw=active+directory&adId=7780351362

Will.
0
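One way to report where a group holds delegated rights, using the ActiveDirectory PowerShell module (RSAT). This is an added example, not part of the original thread; the group name `HelpDesk-Unlock` is a placeholder.

```powershell
# Added example: list every place a group holds an explicit (non-inherited) ACE.
# Requires the RSAT ActiveDirectory module; 'HelpDesk-Unlock' is a placeholder.
Import-Module ActiveDirectory

$GroupName = 'HelpDesk-Unlock'
$groupSid  = (Get-ADGroup -Identity $GroupName).SID.Value
$rootDse   = Get-ADRootDSE

# Map schema and extended-right GUIDs to names so ACEs are readable
# (e.g. lockoutTime, the attribute written when an account is unlocked).
$guidName = @{}
Get-ADObject -SearchBase $rootDse.schemaNamingContext -LDAPFilter '(schemaIDGUID=*)' `
    -Properties lDAPDisplayName, schemaIDGUID |
    ForEach-Object { $guidName[[guid]$_.schemaIDGUID] = $_.lDAPDisplayName }
Get-ADObject -SearchBase "CN=Extended-Rights,$($rootDse.configurationNamingContext)" `
    -LDAPFilter '(objectClass=controlAccessRight)' -Properties name, rightsGUID |
    ForEach-Object { $guidName[[guid]$_.rightsGUID] = $_.name }

function Resolve-Guid([guid]$Guid) {
    if ($Guid -eq [guid]::Empty) { return '(all)' }
    if ($guidName.ContainsKey($Guid)) { return $guidName[$Guid] }
    return $Guid.ToString()
}

# Check the domain root plus every OU.
$targets = @($rootDse.defaultNamingContext) +
    @(Get-ADOrganizationalUnit -Filter * | ForEach-Object DistinguishedName)

$report = foreach ($dn in $targets) {
    $acl = Get-Acl -Path "AD:\$dn"
    # includeExplicit = $true, includeInherited = $false, identities as SIDs
    $acl.GetAccessRules($true, $false, [System.Security.Principal.SecurityIdentifier]) |
        Where-Object { $_.IdentityReference.Value -eq $groupSid } |
        ForEach-Object {
            [pscustomobject]@{
                AppliedAt   = $dn
                Type        = $_.AccessControlType
                Rights      = $_.ActiveDirectoryRights
                Object      = Resolve-Guid $_.ObjectType
                AppliesTo   = Resolve-Guid $_.InheritedObjectType
                Inheritance = $_.InheritanceType
            }
        }
}
$report | Format-Table -AutoSize -Wrap
```

Only explicit ACEs are listed, so each row marks a container where delegation was applied directly; child OUs that merely inherit the permission do not appear.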
 

Author Comment

by:jskfan
ID: 39778222
mmmm...

I realized the Delegated security group cannot unlock domain admins account..
0
 
LVL 53

Assisted Solution

by:Will Szymkowski
Will Szymkowski earned 400 total points
ID: 39778267
Not sure exactly what you're asking...

Will.
0
 

Author Comment

by:jskfan
ID: 39778282
http://windowsitpro.com/security/q-how-can-i-delegate-right-unlock-locked-active-directory-ad-user-accounts

Followed steps 1 to 9,
but I could not get a domain user to unlock the account of a Domain Admins user.
0
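The behaviour reported above is expected for members of protected groups such as Domain Admins: their ACL is stamped from the AdminSDHolder object with inheritance disabled, so ACEs delegated on an OU never reach them. A diagnostic for a single account, as an added example that is not part of the original thread (the account and group names are placeholders):

```powershell
# Added example: explain why an OU-level delegation does not reach one account.
# Requires the RSAT ActiveDirectory module; both names below are placeholders.
Import-Module ActiveDirectory

$TargetUser = 'da-jsmith'         # placeholder: account help desk could not unlock
$GroupName  = 'HelpDesk-Unlock'   # placeholder: delegated help-desk group

$user     = Get-ADUser -Identity $TargetUser -Properties adminCount, LockedOut
$groupSid = (Get-ADGroup -Identity $GroupName).SID.Value
$acl      = Get-Acl -Path "AD:\$($user.DistinguishedName)"

# Every ACE for the group that is effective on this object, explicit or inherited.
$groupAces = @($acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier]) |
    Where-Object { $_.IdentityReference.Value -eq $groupSid })

$reason = if ($acl.AreAccessRulesProtected -and $user.adminCount -eq 1) {
    'Protected account: ACL comes from AdminSDHolder, OU inheritance is blocked'
} elseif ($acl.AreAccessRulesProtected) {
    'Inheritance disabled on this object: OU delegation is not inherited'
} elseif ($groupAces.Count -eq 0) {
    'Inheritance is on, but no parent OU carries an ACE for the group'
} else {
    'Group ACEs are present on the object'
}

[pscustomobject]@{
    User               = $user.SamAccountName
    LockedOut          = $user.LockedOut
    AdminCount         = $user.adminCount
    InheritanceBlocked = $acl.AreAccessRulesProtected
    GroupAceCount      = $groupAces.Count
    Finding            = $reason
}
```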
 

Author Closing Comment

by:jskfan
ID: 39778347
Thanks
0
