• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 543
  • Last Modified:

Additional Admin account with limited permission

My manager hired 2 more admins and he requested me to create username and password for the new admin.
Then requested me to give them limited permissions on domain.

I am not sure how this can be done.
Is it possible?
if possible is it recommended?

Any advise highly appreciated.
0
MAS (MVE)
Asked:
MAS (MVE)
  • 3
  • 2
3 Solutions
 
Smith and AndersenCommented:
Use delegation in AD
You can delegate at the domain level or the OU level
0
 
MaheshArchitectCommented:
Check below posts to understand how you can perform \ provide delegated access to new admins to perform certain below tasks

User creation
Password reset
adding \ removing in groups
creation of new groups
add workstation to domain

http://kpytko.pl/2012/05/17/active-directory-rights-delegation-part-1/
http://kpytko.pl/2012/05/26/active-directory-rights-delegation-part-2/

Also you need to grant those admins "add workstation to domain" user rights in default domain policy GPO
Also you may add those admins to "Account Operators" group in active directory built-in container so that they can create new users in entire domain if you don't want them to restricted to particular OU and can perform operations such as adding \removing group membership, change attributes such as phone numbers designation etc
Please note that this privilege won't give them permissions to modify group membership of highly powered groups such as Domain admins and enterprise admins etc
So probably it is safe

You need to provide them Win7 \8 workstations with AD RSAT installed to perform there tasks or provide them remote desktop login on domain controller

Mahesh.
0
 
MAS (MVE)Technical Department HeadAuthor Commented:
Now the problem is he cannot login to domain controller using remote desktop.
0
Making Bulk Changes to Active Directory

Watch this video to see how easy it is to make mass changes to Active Directory from an external text file without using complicated scripts.

 
MaheshArchitectCommented:
In order to logon to DC with RDP, You need to provide him allow logon through terminal (Remote Desktop) services rights in default domain controller policy
The option can be found under Default Domain Controller Policy\Computer Configuration\Windows Settings\Security Settings\local Policies\User rights assignment

Then you also need to add him to Remote Desktop Users group under built-in container in active directory

Once you done that run gpupdate /force command on DC and also run repadmin /syncall to replicate theses changes to all Domain controllers and then check if they are able to logon to DC with RDP

Mahesh.
0
 
MAS (MVE)Technical Department HeadAuthor Commented:
I did as per the instruction above but still they cannot login to the server.
0
 
MAS (MVE)Technical Department HeadAuthor Commented:
Thanks to all
0
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

Join & Write a Comment

Featured Post

Improved Protection from Phishing Attacks

WatchGuard DNSWatch reduces malware infections by detecting and blocking malicious DNS requests, improving your ability to protect employees from phishing attacks. Learn more about our newest service included in Total Security Suite today!

  • 3
  • 2
Tackle projects and never again get stuck behind a technical roadblock.
Join Now