Delegation of roles within Active Directory
Ok, as brief as I can (without confusing myself in the process): I have followed/applied this walkthrough (http://www.microsoft.com/windows2000/techinfo/planning/activedirectory/delegsteps.asp) to our brand new Active Directory structure at work. We have just upgraded from NT4.0 to W2k Server and XP clients.
The problem is the resetting of passwords, which we delegate to our operations staff (helpdesk). They can 'reset' a password, but that is all they can do. For instance, they also need to unlock a locked-out account, and they also need access to a terminal connection at our servers, 'mstsc' (Remote Desktop Connection). I have made them Print Operators and Server Operators, but they just don't have the privileges needed.
Anyone care to guide me in the right direction?
Cheers
Responses to this topic
This article shows how to do it with the OU Delegate Control wizard:
http://support.microsoft.com/default.aspx?scid=kb;en-us;294952
This article shows how to do it from the command line and with ADSIEdit:
http://support.microsoft.com/default.aspx?scid=kb;en-us;279723
As for logging on to the servers, are they Domain Controllers? If so, by default you can only log on as a domain admin via the default Domain Controller policy (and with good reason). Most places will not allow help desk personnel to work with domain controllers unless they are already admins (and thus able to log on anyway).
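The two KB articles above walk through the Delegate Control wizard and ADSIEdit/dsacls. As an added example (not from the thread or the KB articles), the same delegation expressed as a PowerShell script using the ActiveDirectory module's AD: drive: it grants a helpdesk group the "Reset Password" extended right plus read/write on the lockoutTime attribute (writing 0 to it is what "unlock" does) for user objects under one OU, then lists the resulting ACEs. The domain example.com, the OU "Staff" and the group "HelpdeskOps" are assumed names; the three schema GUIDs are the well-known ones for the user class, the lockoutTime attribute and the Reset Password control access right.

```powershell
# Added example, not code from the original thread or the linked KB articles.
# Delegates "Reset Password" and "unlock account" (write to lockoutTime) on user
# objects under one OU to a helpdesk group, then verifies the ACEs were written.
# Assumed (hypothetical) names: domain example.com, OU "Staff", group "HelpdeskOps".
Import-Module ActiveDirectory

$ou    = 'OU=Staff,DC=example,DC=com'   # scope of the delegation (assumed)
$group = Get-ADGroup 'HelpdeskOps'       # delegate to a group, never to a person (assumed name)
$sid   = [System.Security.Principal.SecurityIdentifier]$group.SID

# Well-known schema GUIDs (identical in every AD forest):
$userClass     = [Guid]'bf967aba-0de6-11d0-a285-00aa003049e2'   # "user" object class
$lockoutTime   = [Guid]'28630ebf-41d5-11d1-a9c1-0000f80367c1'   # lockoutTime attribute
$resetPassword = [Guid]'00299570-246d-11d0-a768-00aa006e0529'   # "Reset Password" control access right

$acl = Get-Acl -Path "AD:\$ou"

# 1. "Reset Password" extended right, inherited only by user objects below the OU.
$acl.AddAccessRule([System.DirectoryServices.ActiveDirectoryAccessRule]::new(
    $sid,
    [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight,
    [System.Security.AccessControl.AccessControlType]::Allow,
    $resetPassword,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents,
    $userClass))

# 2. Read + Write on lockoutTime for user objects (clearing it unlocks the account).
$acl.AddAccessRule([System.DirectoryServices.ActiveDirectoryAccessRule]::new(
    $sid,
    ([System.DirectoryServices.ActiveDirectoryRights]::ReadProperty -bor
     [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty),
    [System.Security.AccessControl.AccessControlType]::Allow,
    $lockoutTime,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents,
    $userClass))

Set-Acl -Path "AD:\$ou" -AclObject $acl

# Verify: show every ACE on the OU that names the helpdesk group.
(Get-Acl -Path "AD:\$ou").Access |
    Where-Object { $_.IdentityReference.Value -like "*\$($group.SamAccountName)" } |
    Select-Object IdentityReference, ActiveDirectoryRights, AccessControlType,
                  ObjectType, InheritedObjectType, InheritanceType |
    Format-Table -AutoSize
```

The dsacls equivalents from the command line are `dsacls "OU=Staff,DC=example,DC=com" /I:S /G "EXAMPLE\HelpdeskOps:CA;Reset Password;user"` and `dsacls "OU=Staff,DC=example,DC=com" /I:S /G "EXAMPLE\HelpdeskOps:RPWP;lockoutTime;user"` (same assumed names). Two things to check before running this for real: the delegated OU must not contain administrative accounts, since anyone who can reset a password in that OU can take over those accounts, and accounts that are members of protected groups get their ACLs overwritten from AdminSDHolder anyway, so delegated rights on them silently stop working. None of this grants any right to log on to the servers themselves; that is a user-rights assignment in the Domain Controllers policy, which is a separate decision.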
Nice one Clutch, much appreciated for the Unlock user.
Regarding the Server login and Domain Admins Roles, well, it's a bit of a toughie, but it's going to be up to someone else to give them that right. I will just argue the case against it (security, messing up Active Directory etc). <--Sorry if this sounds confusing but it's a long story.
Cheers
Originally posted by yakkob:
Quote: Nice one Clutch, much appreciated for the Unlock user. Regarding the Server login and Domain Admins Roles, well, it's a bit of a toughie, but it's going to be up to someone else to give them that right. I will just argue the case against it (security, messing up Active Directory etc). <--Sorry if this sounds confusing but it's a long story.
Cheers
Been there, done that. I have been in situations where I needed a DC to host an FTP site, and I had to grant the log on locally right to an FTP users group in order for them to use FTP in IIS. There are times when this comes up, and that's why the settings are there. Just remember that it is a *REALLY* bad idea to do this.