Solved

Additional Admin account with limited permission

Posted on 2014-04-02
523 Views
Last Modified: 2014-05-15
My manager hired 2 more admins and he requested me to create usernames and passwords for the new admins.
Then he requested me to give them limited permissions on the domain.

I am not sure how this can be done.
Is it possible?
If possible, is it recommended?

Any advice highly appreciated.
0
6 Comments
 
LVL 6

Assisted Solution

by: smithandandersen
smithandandersen earned 100 total points
ID: 39972009
Use delegation in AD
You can delegate at the domain level or the OU level
0
 
LVL 37

Accepted Solution

by: Mahesh
Mahesh earned 400 total points
ID: 39972066
Check the posts below to understand how you can perform / provide delegated access to new admins so they can perform the following tasks:

User creation
Password reset
Adding / removing users in groups
Creation of new groups
Adding workstations to the domain

http://kpytko.pl/2012/05/17/active-directory-rights-delegation-part-1/
http://kpytko.pl/2012/05/26/active-directory-rights-delegation-part-2/

Also you need to grant those admins the "Add workstations to domain" user right in the Default Domain Policy GPO.
Also you may add those admins to the "Account Operators" group in the Active Directory Built-in container, so that they can create new users in the entire domain if you don't want them restricted to a particular OU, and can perform operations such as adding / removing group membership and changing attributes such as phone numbers, designation, etc.
Please note that this privilege won't give them permissions to modify the group membership of highly powered groups such as Domain Admins and Enterprise Admins, etc.
So probably it is safe.

You need to provide them Win7 / 8 workstations with AD RSAT installed to perform their tasks, or provide them remote desktop login on the domain controller.

Mahesh.
0
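The OU-level delegation Mahesh points to, done from PowerShell with the ActiveDirectory module rather than the Delegation of Control wizard, as an added example that is not code from the thread. The OU path and the group name are assumptions, and the group must already exist; the script grants only "Reset Password" and "create/delete user" on that one OU, which is the narrow alternative to Account Operators or RDP access to a DC.

```powershell
# Added example, not from the thread: delegate "reset password" and
# "create/delete user" on ONE OU to a dedicated group.
# Assumptions: the OU and group names below; run as a user who may edit the OU's ACL.
Import-Module ActiveDirectory

$targetOU  = "OU=Staff,DC=example,DC=com"   # assumed OU
$groupName = "Delegated-Admins"               # assumed group (create it first)

# Look up the object-class and extended-right GUIDs in the schema and
# configuration partitions instead of hardcoding them.
$rootDse = Get-ADRootDSE
$userClassGuid = [guid](Get-ADObject -SearchBase $rootDse.schemaNamingContext `
    -LDAPFilter "(lDAPDisplayName=user)" -Properties schemaIDGUID).schemaIDGUID
$resetPwdGuid  = [guid](Get-ADObject `
    -SearchBase "CN=Extended-Rights,$($rootDse.configurationNamingContext)" `
    -LDAPFilter "(displayName=Reset Password)" -Properties rightsGuid).rightsGuid

$sid = (Get-ADGroup $groupName).SID
$acl = Get-Acl -Path "AD:\$targetOU"

# ACE 1: the "Reset Password" extended right, inherited only by user objects
$acl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $sid,
    [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight,
    [System.Security.AccessControl.AccessControlType]::Allow,
    $resetPwdGuid,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents,
    $userClassGuid)))

# ACE 2: create and delete child objects of class "user" under the OU
$acl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $sid,
    [System.DirectoryServices.ActiveDirectoryRights]"CreateChild,DeleteChild",
    [System.Security.AccessControl.AccessControlType]::Allow,
    $userClassGuid,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All)))

Set-Acl -Path "AD:\$targetOU" -AclObject $acl

# Verify: list only the ACEs on the OU that name the delegated group, so the
# result can be reviewed now and audited later.
(Get-Acl -Path "AD:\$targetOU").Access |
    Where-Object { $_.IdentityReference -like "*\$groupName" } |
    Format-Table IdentityReference, ActiveDirectoryRights, ObjectType,
        InheritanceType, InheritedObjectType -AutoSize
```

Run it from an RSAT workstation; the delegated admins then manage that OU from their own RSAT consoles without any logon right on a domain controller.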
 
LVL 25

Author Comment

by:-MAS
ID: 39985205
Now the problem is he cannot log in to the domain controller using remote desktop.
0
 
LVL 37

Assisted Solution

by: Mahesh
Mahesh earned 400 total points
ID: 39985572
In order to log on to a DC with RDP, you need to grant him the "Allow log on through Remote Desktop Services" right in the Default Domain Controllers Policy.
The option can be found under Default Domain Controllers Policy\Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment

Then you also need to add him to the Remote Desktop Users group under the Built-in container in Active Directory.

Once you have done that, run gpupdate /force on the DC and also run repadmin /syncall to replicate these changes to all domain controllers, and then check if they are able to log on to the DC with RDP.

Mahesh.
0
 
LVL 25

Author Comment

by:-MAS
ID: 40016972
I did as per the instructions above but still they cannot log in to the server.
0
 
LVL 25

Author Closing Comment

by:-MAS
ID: 40066570
Thanks to all
0
