Want to win a PS4? Go Premium and enter to win our High-Tech Treats giveaway. Enter to Win

x
?
Solved

Additional Admin account with limited permission

Posted on 2014-04-02
6
Medium Priority
?
536 Views
Last Modified: 2014-05-15
My manager hired 2 more admins and he requested me to create username and password for the new admin.
Then requested me to give them limited permissions on domain.

I am not sure how this can be done.
Is it possible?
if possible is it recommended?

Any advise highly appreciated.
0
Comment
Question by:MAS
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 3
  • 2
6 Comments
 
LVL 6

Assisted Solution

by:smithandandersen
smithandandersen earned 400 total points
ID: 39972009
Use delegation in AD
You can delegate at the domain level or the OU level
0
 
LVL 38

Accepted Solution

by:
Mahesh earned 1600 total points
ID: 39972066
Check below posts to understand how you can perform \ provide delegated access to new admins to perform certain below tasks

User creation
Password reset
adding \ removing in groups
creation of new groups
add workstation to domain

http://kpytko.pl/2012/05/17/active-directory-rights-delegation-part-1/
http://kpytko.pl/2012/05/26/active-directory-rights-delegation-part-2/

Also you need to grant those admins "add workstation to domain" user rights in default domain policy GPO
Also you may add those admins to "Account Operators" group in active directory built-in container so that they can create new users in entire domain if you don't want them to restricted to particular OU and can perform operations such as adding \removing group membership, change attributes such as phone numbers designation etc
Please note that this privilege won't give them permissions to modify group membership of highly powered groups such as Domain admins and enterprise admins etc
So probably it is safe

You need to provide them Win7 \8 workstations with AD RSAT installed to perform there tasks or provide them remote desktop login on domain controller

Mahesh.
0
 
LVL 27

Author Comment

by:MAS
ID: 39985205
Now the problem is he cannot login to domain controller using remote desktop.
0
Concerto Cloud for Software Providers & ISVs

Can Concerto Cloud Services help you focus on evolving your application offerings, while delivering the best cloud experience to your customers? From DevOps to revenue models and customer support, the answer is yes!

Learn how Concerto can help you.

 
LVL 38

Assisted Solution

by:Mahesh
Mahesh earned 1600 total points
ID: 39985572
In order to logon to DC with RDP, You need to provide him allow logon through terminal (Remote Desktop) services rights in default domain controller policy
The option can be found under Default Domain Controller Policy\Computer Configuration\Windows Settings\Security Settings\local Policies\User rights assignment

Then you also need to add him to Remote Desktop Users group under built-in container in active directory

Once you done that run gpupdate /force command on DC and also run repadmin /syncall to replicate theses changes to all Domain controllers and then check if they are able to logon to DC with RDP

Mahesh.
0
 
LVL 27

Author Comment

by:MAS
ID: 40016972
I did as per the instruction above but still they cannot login to the server.
0
 
LVL 27

Author Closing Comment

by:MAS
ID: 40066570
Thanks to all
0

Featured Post

Looking for the Wi-Fi vendor that's right for you?

We know how difficult it can be to evaluate Wi-Fi vendors, so we created this helpful Wi-Fi Buyer's Guide to help you find the Wi-Fi vendor that's right for your business! Download the guide and get started on our checklist today!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

For anyone that has accidentally used newSID with Server 2008 R2 (like I did) and hasn't been able to get the server running again because you were unlucky (as I was) and had no backups - I was able to get things working by doing a Registry Hive rec…
Compliance and data security require steps be taken to prevent unauthorized users from copying data.  Here's one method to prevent data theft via USB drives (and writable optical media).
To efficiently enable the rotation of USB drives for backups, storage pools need to be created. This way no matter which USB drive is installed, the backups will successfully write without any administrative intervention. Multiple USB devices need t…
This Micro Tutorial hows how you can integrate  Mac OSX to a Windows Active Directory Domain. Apple has made it easy to allow users to bind their macs to a windows domain with relative ease. The following video show how to bind OSX Mavericks to …
Suggested Courses

610 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question