Active Directory Delegation

By netadminstudent

We are trying to delegate certain tasks to our helpdesk team through AD.

We would like them to be able to reset passwords, unlock accounts, and enable/disable accounts.

I have the password reset and unlock accounts figured out. The dilemma is two-part though.

First we would like to find a way to disable the "Email:" setting on the general properties page. I have tried to set "Read/Write Email Address (Other)" with no luck (yes I did test to make sure it wouldn't just error out when they attempted to apply changes).

And secondly we would like to give them the ability to enable/disable accounts for one of our OUs. I know the user account control permission can do that but it also gives them the ability to edit other things we'd rather not have them do (give user ability to change password, and set expiring passwords).

Also on a quick side note, I would like for them to only see the objects we give them permission to edit when they open AD. The best I have come up with for this is to edit the security on each OU to deny list rights. This allows them to still see the OUs but as far as they are concerned it might as well be empty. If anyone has a better solution to that let me know.


you delegate to OU using the wizard

by CG IT In reply to Active Directory Delegati ...

If you use the delegate wizard, you will be able to delegate only those administrative tasks you want them to perform.

The real question is what tools are you using to delegate control and then allow them to perform administrative functions for their OU?

The Windows admin tools?


Still working on it

by netadminstudent In reply to you delegate to OU using ...

They are using the Active Directory Users and Computers administrative tool that a normal sys admin would use (so far we are just dealing with the helpdesk specialist to test and see if it's what we want).

As far as the wizard goes, I have used it and know what you mean; I was just wondering if there is a way to do the little tweaks I mentioned. I didn't see them in the wizard, or even when I manually edited the OU security.

I'm only interning here so don't have much say in software purchases and that stuff. This was just something I suggested they try so the SA isn't the one unlocking accounts (it's a school district of about 5000 students so he was spending almost more time doing that than anything else, which seemed like a waste).

Do you have any suggestion for cheap programs that might be easier for the help desk to interface with AD? Right now they are happy just to be able to unlock the accounts, but I would like it if they couldn't even see the other OUs and if they could enable/disable accounts without having to grant them the "useraccountcontrol" right.
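An added example, not part of the original thread: because write access to userAccountControl covers every flag stored in that attribute, one compensating check is to compare the attribute's value before and after each helpdesk change and flag anything other than the disable bit. The account names and before/after values are constructed, and how the two values are collected (for example from periodic exports of the attribute) is an assumption.

```python
# userAccountControl bit flags (values from Microsoft's documentation of the attribute).
UAC_FLAGS = {
    0x0002: "ACCOUNTDISABLE",
    0x0020: "PASSWD_NOTREQD",
    0x0040: "PASSWD_CANT_CHANGE",
    0x0200: "NORMAL_ACCOUNT",
    0x10000: "DONT_EXPIRE_PASSWORD",
    0x80000: "TRUSTED_FOR_DELEGATION",
    0x400000: "DONT_REQ_PREAUTH",
}
ALLOWED_MASK = 0x0002  # the only bit the helpdesk is meant to toggle


def unexpected_flag_changes(old_uac, new_uac):
    """Return names of flags that changed outside ALLOWED_MASK."""
    changed = (old_uac ^ new_uac) & ~ALLOWED_MASK
    names = [name for bit, name in sorted(UAC_FLAGS.items()) if changed & bit]
    unknown = changed & ~sum(UAC_FLAGS)  # bits not in the table above
    if unknown:
        names.append(f"UNKNOWN_0x{unknown:X}")
    return names


def review(changes):
    """Map each account to the out-of-scope flags its change touched."""
    findings = {}
    for account, old_uac, new_uac in changes:
        names = unexpected_flag_changes(old_uac, new_uac)
        if names:
            findings[account] = names
    return findings


# Constructed sample data: (account, userAccountControl before, after).
SAMPLE_CHANGES = [
    ("student01", 0x0200, 0x0202),   # disabled only: in scope
    ("student02", 0x0202, 0x0200),   # re-enabled only: in scope
    ("student03", 0x0200, 0x10200),  # password set to never expire
    ("student04", 0x0200, 0x0222),   # disabled AND password not required
]

if __name__ == "__main__":
    for account, names in review(SAMPLE_CHANGES).items():
        print(f"{account}: out-of-scope change to {', '.join(names)}")
```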
