Solved

Additional Admin account with limited permission

Posted on 2014-04-02
6
509 Views
Last Modified: 2014-05-15
My manager hired 2 more admins and he requested me to create username and password for the new admin.
Then requested me to give them limited permissions on domain.

I am not sure how this can be done.
Is it possible?
if possible is it recommended?

Any advise highly appreciated.
0
Comment
Question by:-MAS
  • 3
  • 2
6 Comments
 
LVL 6

Assisted Solution

by:smithandandersen
smithandandersen earned 100 total points
ID: 39972009
Use delegation in AD
You can delegate at the domain level or the OU level
0
 
LVL 35

Accepted Solution

by:
Mahesh earned 400 total points
ID: 39972066
Check below posts to understand how you can perform \ provide delegated access to new admins to perform certain below tasks

User creation
Password reset
adding \ removing in groups
creation of new groups
add workstation to domain

http://kpytko.pl/2012/05/17/active-directory-rights-delegation-part-1/
http://kpytko.pl/2012/05/26/active-directory-rights-delegation-part-2/

Also you need to grant those admins "add workstation to domain" user rights in default domain policy GPO
Also you may add those admins to "Account Operators" group in active directory built-in container so that they can create new users in entire domain if you don't want them to restricted to particular OU and can perform operations such as adding \removing group membership, change attributes such as phone numbers designation etc
Please note that this privilege won't give them permissions to modify group membership of highly powered groups such as Domain admins and enterprise admins etc
So probably it is safe

You need to provide them Win7 \8 workstations with AD RSAT installed to perform there tasks or provide them remote desktop login on domain controller

Mahesh.
0
 
LVL 24

Author Comment

by:-MAS
ID: 39985205
Now the problem is he cannot login to domain controller using remote desktop.
0
 
LVL 35

Assisted Solution

by:Mahesh
Mahesh earned 400 total points
ID: 39985572
In order to logon to DC with RDP, You need to provide him allow logon through terminal (Remote Desktop) services rights in default domain controller policy
The option can be found under Default Domain Controller Policy\Computer Configuration\Windows Settings\Security Settings\local Policies\User rights assignment

Then you also need to add him to Remote Desktop Users group under built-in container in active directory

Once you done that run gpupdate /force command on DC and also run repadmin /syncall to replicate theses changes to all Domain controllers and then check if they are able to logon to DC with RDP

Mahesh.
0
 
LVL 24

Author Comment

by:-MAS
ID: 40016972
I did as per the instruction above but still they cannot login to the server.
0
 
LVL 24

Author Closing Comment

by:-MAS
ID: 40066570
Thanks to all
0

Join & Write a Comment

Possible fixes for Windows 7 and Windows Server 2008 updating problem. Solutions mentioned are from Microsoft themselves. I started a case with them from our Microsoft Silver Partner option to open a case and get direct support from Microsoft. If s…
Restoring deleted objects in Active Directory has been a standard feature in Active Directory for many years, yet some admins may not know what is available.
This tutorial will show how to push an installation of Backup Exec to an additional server in both 2012 and 2014 versions of the software. Click on the Backup Exec button in the upper left corner. From here, select Installation and Licensing, then I…
This tutorial will walk an individual through setting the global and backup job media overwrite and protection periods in Backup Exec 2012. Log onto the Backup Exec Central Administration Server. Examine the services. If all or most of them are stop…

743 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

11 Experts available now in Live!

Get 1:1 Help Now