smpvm
Minimum permission to reset passwords
Hello Expert,
I have a temporary technician who comes in once in a while to do work for us. I want to assign him the permission to reset passwords of Active Directory users. All the users are in an OU called Staff; I don't want him to reset passwords of users that are in other OUs (for example ManagementUsers, ExecutiveUsers, VIPUsers), and no other dangerous access rights.
I use a Windows 2008 Domain Controller.
This is what I've done so far...
1 - Created a user account for the technician.
2 - On the "Staff" OU in Active Directory, I right-clicked, selected Delegate Control and added that user in the Delegation of Control wizard.
3 - From the delegated common tasks I selected only "Reset password".
4 - Finish.
I have tested the above configuration and it is not working. This is where I'm stuck... I want to know what other permissions I need to assign to this user so he can reset passwords only on the "Staff" OU and absolutely no other permissions.
Waiting for your support.
Thank you.
This is enough to reset passwords for the users of that particular OU. Please allow some time for the permission to replicate. I would say check now and let us know the result.
Your way is 100% correct and no additional permissions are required to reset user passwords (usually given together with "force password change at next logon"). Could you do an RSOP for this delegated user?
When you checked this login, what extra permissions did you have?
Just backtrack and remove those permissions.
Hope this will solve your problem.
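The delegation discussed in the question and confirmed in the replies above, done from PowerShell instead of the wizard and then audited. This is an added example, not code from anyone in the thread; the domain contoso.local, the OU name Staff and the account CONTOSO\pwtech are assumptions. The two ACEs it writes are the ones the Delegation of Control wizard's "Reset user passwords and force password change at next logon" task creates: the Reset Password control access right and read/write on pwdLastSet, both limited to descendant user objects, so nothing outside the Staff OU is touched. The ActiveDirectory module needs Active Directory Web Services on a DC (built into Windows Server 2008 R2; on Windows Server 2008 it requires the Active Directory Management Gateway Service).

```powershell
# Added example (not from the thread): delegate "Reset Password" plus
# read/write pwdLastSet on user objects under one OU, then list exactly
# which ACEs the technician account holds there.
# Assumed names: domain contoso.local, OU "Staff", account CONTOSO\pwtech.
Import-Module ActiveDirectory

$ou        = 'OU=Staff,DC=contoso,DC=local'                                       # assumption
$principal = New-Object System.Security.Principal.NTAccount('CONTOSO', 'pwtech')  # assumption
$sid       = $principal.Translate([System.Security.Principal.SecurityIdentifier])

# Well-known schema GUIDs; these are the same in every AD forest.
$userClassGuid     = [Guid]'bf967aba-0de6-11d0-a285-00aa003049e2'  # user object class
$resetPasswordGuid = [Guid]'00299570-246d-11d0-a768-00aa006e0529'  # "Reset Password" control access right
$pwdLastSetGuid    = [Guid]'bf967a0a-0de6-11d0-a285-00aa003049e2'  # pwdLastSet attribute

$acl = Get-Acl -Path "AD:\$ou"

# ACE 1: the Reset Password extended right, inherited only by user objects
# below the OU (not the OU itself, not computers, groups or child OUs).
$acl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $sid,
    [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight,
    [System.Security.AccessControl.AccessControlType]::Allow,
    $resetPasswordGuid,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents,
    $userClassGuid)))

# ACE 2: read/write pwdLastSet, which is what "User must change password at
# next logon" sets (pwdLastSet = 0). Without it the reset works but the
# checkbox fails with access denied.
$acl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $sid,
    ([System.DirectoryServices.ActiveDirectoryRights]::ReadProperty -bor
     [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty),
    [System.Security.AccessControl.AccessControlType]::Allow,
    $pwdLastSetGuid,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents,
    $userClassGuid)))

Set-Acl -Path "AD:\$ou" -AclObject $acl

# Audit: every ACE on the OU that names the technician. Expect exactly the two
# rows above. GenericAll, WriteDacl, WriteOwner or an unscoped WriteProperty
# here means the wizard (or someone) granted far more than a password reset.
(Get-Acl -Path "AD:\$ou").Access |
    Where-Object { $_.IdentityReference.Value -eq 'CONTOSO\pwtech' } |
    Select-Object ActiveDirectoryRights, AccessControlType, ObjectType,
                  InheritedObjectType, InheritanceType |
    Format-Table -AutoSize
```

On a Windows Server 2008 DC without the management gateway, `dsacls` from the DC itself writes the same two ACEs: `dsacls "OU=Staff,DC=contoso,DC=local" /I:S /G "CONTOSO\pwtech:CA;Reset Password;user"` and `dsacls "OU=Staff,DC=contoso,DC=local" /I:S /G "CONTOSO\pwtech:RPWP;pwdLastSet;user"`. Whichever tool is used, the check at the end is the part that matters: the delegated account should hold nothing on the domain or on the other OUs, and it should not be a member of Account Operators, which can reset passwords of ordinary users domain-wide regardless of OU. As noted above, allow for replication before testing against a different DC.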
ASKER
Thank you all, the permission is set correctly as per your advice.
Now the last part is to provide a solution that will let the "technician" connect to the "Active Directory Users and Computers" console from his Windows 7 desktop. I don't want to give him an RDP connection to the Domain Controller because I am afraid he may restart or shut down the server by mistake.
Regards...
Anyone, no matter what permissions, could use RSAT to connect to a DC.
ASKER
What is RSAT?
ASKER
Dear VBITS,
I successfully installed RSAT using the above link on the "technician" computer, but I found a security issue: by mistake I installed RSAT using another user, say "user1", and I came to understand that from user1's profile I am able to view the Active Directory Users and Computers hierarchy in read-only mode, which is a big security issue. Can you please suggest how I can implement a countermeasure from the domain controller so that everyone, or authenticated normal users, should not have the privilege to view the Active Directory Users and Computers hierarchy, DNS, DHCP, etc... all AD tools.
Please help.
Regards....
By default, with or without RSAT, any user may browse Active Directory. This is NOT a security issue.
ASKER
Hello McKnife,
Is it possible to prevent this default behavior?
Regards
Unfortunately there's no easy way to do this, as read access to AD is by design. It's not exactly a security risk either, as other LDAP browsers will be able to retrieve the data in AD with or without RSAT installed.
If you must, you can look at blocking the use of all MMCs through Group Policy, but again, this won't stop other programs from reading AD data in your organisation.
Every object in AD has an ACL (every user, computer, GPO, ...), so yes, we can block read access to those. If you know the consequences, go ahead.
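The two points made in the last replies, shown together: first that any domain account can enumerate an OU with nothing but the System.DirectoryServices classes that ship in .NET on a domain-joined Windows 7 client (no RSAT, no MMC, so restricting snap-ins changes nothing), and then the per-object ACL countermeasure, applied and re-tested. This is an added example, not code from anyone in the thread. The domain contoso.local, the OU VIPUsers, the low-privilege test account CONTOSO\user1 and a group CONTOSO\AD-ReadRestricted that user1 belongs to are all assumptions.

```powershell
# Added example (not from the thread): enumerate an OU as a plain user over
# LDAP, deny read on that OU to one group, then enumerate again.
# Assumed names: contoso.local, OU "VIPUsers", CONTOSO\user1, CONTOSO\AD-ReadRestricted.
Import-Module ActiveDirectory   # only for the AD: drive used by Get-Acl / Set-Acl

$domainDn = 'DC=contoso,DC=local'          # assumption
$vipOu    = "OU=VIPUsers,$domainDn"        # assumption
$cred     = Get-Credential 'CONTOSO\user1' # the non-admin account to test with

function Get-OuUserNames {
    # Return the sAMAccountName of every user under $SearchBase, bound as
    # $Credential. This is the same LDAP search ADUC runs; any LDAP client can do it.
    param([string]$SearchBase, [pscredential]$Credential)
    $entry = New-Object System.DirectoryServices.DirectoryEntry(
        "LDAP://$SearchBase",
        $Credential.UserName,
        $Credential.GetNetworkCredential().Password)
    $searcher = New-Object System.DirectoryServices.DirectorySearcher($entry)
    $searcher.Filter      = '(&(objectCategory=person)(objectClass=user))'
    $searcher.SearchScope = 'Subtree'
    [void]$searcher.PropertiesToLoad.Add('sAMAccountName')
    try {
        $searcher.FindAll() | ForEach-Object { $_.Properties['samaccountname'][0] }
    } catch [System.Runtime.InteropServices.COMException] {
        # An OU the caller has no read access to is reported as "no such object".
        Write-Warning "Cannot read $SearchBase as $($Credential.UserName): $($_.Exception.Message)"
        @()
    }
}

'--- Before: default read access, no RSAT involved ---'
Get-OuUserNames -SearchBase $vipOu -Credential $cred

# Countermeasure from the reply above: an explicit Deny of GenericRead on the
# OU and everything beneath it, scoped to ONE group. Deny ACEs are evaluated
# before Allow ACEs at the same level, so membership in this group overrides
# the default Authenticated Users read that every object carries.
$group = New-Object System.Security.Principal.NTAccount('CONTOSO', 'AD-ReadRestricted')  # assumption
$sid   = $group.Translate([System.Security.Principal.SecurityIdentifier])

$acl = Get-Acl -Path "AD:\$vipOu"
$acl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $sid,
    [System.DirectoryServices.ActiveDirectoryRights]::GenericRead,
    [System.Security.AccessControl.AccessControlType]::Deny,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All)))
Set-Acl -Path "AD:\$vipOu" -AclObject $acl

'--- After: members of AD-ReadRestricted no longer see the OU ---'
Get-OuUserNames -SearchBase $vipOu -Credential $cred   # warning plus an empty list

# Rollback, if the side effects turn out to be unacceptable:
# $acl = Get-Acl -Path "AD:\$vipOu"
# $acl.PurgeAccessRules($sid)
# Set-Acl -Path "AD:\$vipOu" -AclObject $acl
```

The "consequences" the reply warns about are why the deny is scoped to a named group rather than to Everyone or Authenticated Users: a blanket deny also blinds the VIP users to their own objects, any service that resolves them (Exchange, the GAL, application LDAP lookups) and Group Policy processing for that OU, and an explicit Deny beats every Allow at the same level, administrators included. Keep the group small, keep the technician's own account out of it only if his delegated reset right is supposed to cover that OU (here it is not, so he belongs in it), and test the first run from the user's side as the function does before relying on it. Blocking ADUC as an MMC snap-in through Group Policy can still be layered on for tidiness, but as the replies say, it does nothing against the LDAP search in the function above.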
ASKER
Thank you this solution is perfect
ASKER
I've requested that this question be closed as follows:
Accepted answer: 0 points for smpvm's comment #a40597741
Assisted answer: 125 points for VB ITS's comment #a40583484
Assisted answer: 125 points for zalazar's comment #a40583804
Assisted answer: 125 points for McKnife's comment #a40585717
Assisted answer: 125 points for VB ITS's comment #a40586032
for the following reason:
Good Solution
ASKER
Good Solution