Active Directory Admin - In here please!

The_KiD

The_KiD

The_KiD

Permabanned
Joined
19 Apr 2006
Posts
2,333
Location
West Yorkshire
We are going to be getting a new member of IT staff and I want them to be a general IT admin type person.

One of the roles I want them to have is the creation of new AD users, but I dont want them to have full admin access to the domain.

So is it it possible to give them a login that has access to create new user ID's but is not an "access all areas" type login?
 

greeny_fastcar

greeny_fastcar

greeny_fastcar

Associate
Joined
29 Dec 2003
Posts
1,252
Location
Denton
Firstly, I'm one of them new admin type folk, and I have to say this, having a half arsed account is aload of rubbish, do it properly or don't do it at all. :p

But answering your question, well trying, I think there are certain groups you can add the users account to, i.e security groups, that allow the user to create/edit/manage objects within AD.

But its something I can't get access to, to check out for you. Sorry.
 

BengalBoy

BengalBoy

BengalBoy

Associate
Joined
1 Apr 2004
Posts
225
Location
Wales
Im assuming you would have to first create an AD Security Group and give the restricted access rights to that, and then make him a member of Security Group. I could be wrong but from my experience this is how i would go about it.
 

themistry

themistry

themistry

Associate
Joined
15 Jun 2006
Posts
575
The_KiD said:
ah never actually played with that delegation thing before, but it does look like what I need :)

Now to actually figuring it out...
Click to expand...


YES! My MCSE training course came in use :p I think this is the first time haha

TM
 

mr.bond

mr.bond

mr.bond

Associate
Joined
16 Jan 2006
Posts
655
Location
Surrey
It's quite straightforward (for basic admin tasks). Delegate control at either the domain or OU level to a security group (as mentioned earlier) and add whatever users to that group. For delegated tasks you can't see using the wizard, drill down into advanced permission manualy and have a good look at what else you can do, you'd be surprised.

Also, test this first thoroughly with a test security group and test user account. Remember that there is no 'un-delegate control wizard'. Any changes you make will have to be reversed manually.
 
You must log in or register to reply here.
Back
Top Bottom