Solved

Additional Admin account with limited permission

Posted on 2014-04-02
6
527 Views
Last Modified: 2014-05-15
My manager hired 2 more admins and he requested me to create username and password for the new admin.
Then requested me to give them limited permissions on domain.

I am not sure how this can be done.
Is it possible?
if possible is it recommended?

Any advise highly appreciated.
0
Comment
Question by:-MAS
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 3
  • 2
6 Comments
 
LVL 6

Assisted Solution

by:smithandandersen
smithandandersen earned 100 total points
ID: 39972009
Use delegation in AD
You can delegate at the domain level or the OU level
0
 
LVL 37

Accepted Solution

by:
Mahesh earned 400 total points
ID: 39972066
Check below posts to understand how you can perform \ provide delegated access to new admins to perform certain below tasks

User creation
Password reset
adding \ removing in groups
creation of new groups
add workstation to domain

http://kpytko.pl/2012/05/17/active-directory-rights-delegation-part-1/
http://kpytko.pl/2012/05/26/active-directory-rights-delegation-part-2/

Also you need to grant those admins "add workstation to domain" user rights in default domain policy GPO
Also you may add those admins to "Account Operators" group in active directory built-in container so that they can create new users in entire domain if you don't want them to restricted to particular OU and can perform operations such as adding \removing group membership, change attributes such as phone numbers designation etc
Please note that this privilege won't give them permissions to modify group membership of highly powered groups such as Domain admins and enterprise admins etc
So probably it is safe

You need to provide them Win7 \8 workstations with AD RSAT installed to perform there tasks or provide them remote desktop login on domain controller

Mahesh.
0
 
LVL 26

Author Comment

by:-MAS
ID: 39985205
Now the problem is he cannot login to domain controller using remote desktop.
0
Transaction Monitoring Vs. Real User Monitoring

Synthetic Transaction Monitoring Vs. Real User Monitoring: When To Use Each Approach? In this article, we will discuss two major monitoring approaches: Synthetic Transaction and Real User Monitoring.

 
LVL 37

Assisted Solution

by:Mahesh
Mahesh earned 400 total points
ID: 39985572
In order to logon to DC with RDP, You need to provide him allow logon through terminal (Remote Desktop) services rights in default domain controller policy
The option can be found under Default Domain Controller Policy\Computer Configuration\Windows Settings\Security Settings\local Policies\User rights assignment

Then you also need to add him to Remote Desktop Users group under built-in container in active directory

Once you done that run gpupdate /force command on DC and also run repadmin /syncall to replicate theses changes to all Domain controllers and then check if they are able to logon to DC with RDP

Mahesh.
0
 
LVL 26

Author Comment

by:-MAS
ID: 40016972
I did as per the instruction above but still they cannot login to the server.
0
 
LVL 26

Author Closing Comment

by:-MAS
ID: 40066570
Thanks to all
0

Featured Post

Automating Your MSP Business

The road to profitability.
Delivering superior services is key to ensuring customer satisfaction and the consequent long-term relationships that enable MSPs to lock in predictable, recurring revenue. What's the best way to deliver superior service? One word: automation.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Had a business requirement to store the mobile number in an environmental variable. This is just a quick article on how this was done.
Resolving an irritating Remote Desktop connection that stops your saved credentials from being used.
To efficiently enable the rotation of USB drives for backups, storage pools need to be created. This way no matter which USB drive is installed, the backups will successfully write without any administrative intervention. Multiple USB devices need t…
This tutorial will walk an individual through configuring a drive on a Windows Server 2008 to perform shadow copies in order to quickly recover deleted files and folders. Click on Start and then select Computer to view the available drives on the se…

724 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question