jskfan asked:

Delegate help desk To unlock AD Accounts:

I need to delegate Helpdesk to unlock AD accounts for users that have higher privileges than the Desktop users, who have only Domain Users privileges.

I believe this can be done through AD Delegation

Any step-by-step with screenshots would be very helpful.

Thanks
SOLUTION
Joseph Moody
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
SOLUTION
This solution is only available to members.
jskfan (ASKER):

When you apply the delegation at the OU level, it should apply to only that OU... Correct?
But how do I verify that the delegation was applied to only that OU,
and confirm that the user group I gave permissions to unlock accounts at OU1 is not able to do the same at the OU2 level?

Thanks
jskfan (ASKER):

I found out that checking the Security tab of an OU will show whether the user group I gave permission to is there or not... disregard my last comment.
jskfan (ASKER):

However, if I open up the properties of the user group I gave permissions to, click Advanced, then select the group and click Edit, next to "Apply to:" it shows "Descendant User objects".
It does not tell you which OU it is applied to...
SOLUTION
This solution is only available to members.
jskfan (ASKER):

But how do you audit which objects the user group has permissions on?
When I go back to the user group I created and gave delegation to, I cannot tell which OU it has delegation on...

Not until I go to the OU; then I see the user group there under the Security tab.
ASKER CERTIFIED SOLUTION
This solution is only available to members.
jskfan (ASKER):

mmmm...

I realized the delegated security group cannot unlock a Domain Admins account.
SOLUTION
This solution is only available to members.
jskfan (ASKER):

http://windowsitpro.com/security/q-how-can-i-delegate-right-unlock-locked-active-directory-ad-user-accounts

I followed steps 1 to 9,
but I could not get a domain user to unlock the account of a Domain Admins user.
jskfan (ASKER):

Thanks
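
One way to audit, from the group's side, which OUs a delegation was applied to, instead of opening the Security tab of each OU as described in the thread. This is an added example, not taken from the thread or its member-only answers; it assumes the RSAT ActiveDirectory module, and the group name `CONTOSO\Helpdesk-Unlock` and the function name are placeholders.

```powershell
# Added example: list every OU (plus the search base itself) on which a group
# holds an explicit, non-inherited ACE, so the scope of a delegation is visible.
Import-Module ActiveDirectory

function Get-OuDelegation {
    param(
        [Parameter(Mandatory)] [string] $Group,   # placeholder, e.g. 'CONTOSO\Helpdesk-Unlock'
        [string] $SearchBase = (Get-ADDomain).DistinguishedName
    )

    # Well-known schema GUIDs used by an "unlock account" delegation.
    $guidName = @{
        '28630ebf-41d5-11d1-a9c1-0000f80367c1' = 'lockoutTime'
        'bf967aba-0de6-11d0-a285-00aa003049e2' = 'user'
        '00000000-0000-0000-0000-000000000000' = '(all)'
    }
    $resolve = {
        param($g)
        $s = $g.ToString()
        if ($guidName.ContainsKey($s)) { $guidName[$s] } else { $s }
    }

    # Check the search base and every OU beneath it.
    $targets = @($SearchBase) + @(Get-ADOrganizationalUnit -Filter * -SearchBase $SearchBase |
        ForEach-Object DistinguishedName) | Select-Object -Unique

    foreach ($dn in $targets) {
        (Get-Acl -Path "AD:\$dn").Access |
            # Explicit ACEs only: inherited ones are reported at the OU where they were set.
            Where-Object { -not $_.IsInherited -and $_.IdentityReference.Value -eq $Group } |
            ForEach-Object {
                [pscustomobject]@{
                    AppliedAt   = $dn
                    Access      = $_.AccessControlType
                    Rights      = $_.ActiveDirectoryRights
                    Attribute   = & $resolve $_.ObjectType
                    AppliesTo   = $_.InheritanceType
                    ObjectClass = & $resolve $_.InheritedObjectType
                }
            }
    }
}

Get-OuDelegation -Group 'CONTOSO\Helpdesk-Unlock' | Format-Table -AutoSize
```

An OU that does not appear in the output carries no explicit ACE for the group, although it can still inherit one from a parent that is listed. Accounts in protected groups such as Domain Admins have inheritance disabled and their ACL reset from the AdminSDHolder object, so an OU-level delegation does not reach them.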