Active Directory Management
I have looked for similar posts to this but have found little information so hopefully somebody here can help.
At my IT desk we are making some changes that will require us to use level 1 workers to reset passwords and unlock accounts in Active Directory. I would really like to keep the level 1 team off of our 20 some servers that currently have Active Directory installed on them. I have seen at other jobs in the past that you can launch Active Directory from a batch file even though the program is not locally enabled for the user, and depending on what batch file is used, you can plug into different AD forests. Is anybody here aware of how to do this? I have given a more detailed description below.
We have 4 admins who have access to all Windows Servers and we manage Active Directory by remotely logging into any one of the servers.
With a recent policy change, we are expecting an influx of locked accounts and password reset requests making it so our level 1 and students will need to do a lot of the general work.
The ideal situation would be that Student A is able to run a batch file from his work PC that will request a username/password and then provide him with the AD controls after successful login. This way he can see the same AD tool we use when we remotely log into the servers, without tying up our server or potentially shutting it down (God, I hope they would never do that).
I have seen this before, but I am uncertain if some type of software was used to do this. Sorry if this is general knowledge, I admit I am fairly new to this field.
September 12th, 2011 1:32pm
With regard to the management of Active Directory, it is not necessary (or recommended) to be logging into the Domain Controllers. Simply install the Admin tools on the "admins" workstations. For XP, you would install Adminpak.msi, and for Vista/7, it's RSAT.
Once you delegate the appropriate "level 1" permissions using the Delegation Wizard in Active Directory, have your level 1 team install the appropriate admin tool on their computers. That's it...
Visit anITKB.com, an IT Knowledge Base.
September 12th, 2011 3:30pm
Hello,
There is no need for a batch file.
To administer AD domains remotely, just use RSAT or the Admin Pack.
For delegation of administration, this could be done via AD delegation: http://www.windowsecurity.com/articles/Implementing-Active-Directory-Delegation-Administration.html
This posting is provided "AS IS" with no warranties or guarantees, and confers no rights.
September 12th, 2011 3:45pm
Hello,
On the user workstation, depending on the OS version, use adminpak.msi (Windows XP and lower) or RSAT (Windows Vista and higher).
There is not, and never was, a need to log on to the DCs directly to manage AD.
All required tasks can be delegated on OU level if needed.
http://blogs.dirteam.com/blogs/jorge/archive/2006/01/05/369.aspx
Best regards
Meinolf Weber
Disclaimer: This posting is provided "AS IS" with no warranties or guarantees, and confers no rights.
September 12th, 2011 3:55pm
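The OU-level delegation the answers above describe, as an added example that is not part of any poster's reply: it grants a help-desk group only password-reset and unlock rights on user objects in one OU with dsacls, then shows what a level 1 operator runs from a workstation with RSAT. The domain EXAMPLE, the OU path, the group Level1-Helpdesk and the account jdoe are placeholder assumptions; the ActiveDirectory cmdlets assume the RSAT PowerShell module and a domain controller running Active Directory Web Services.

```powershell
# Added example; every name below is a placeholder (assumption), not from the thread.
$ou    = 'OU=Staff,DC=example,DC=com'   # OU holding the accounts level 1 may service
$group = 'EXAMPLE\Level1-Helpdesk'      # security group for level 1 staff

# --- Run once by a domain admin (dsacls ships with the AD DS admin tools) ---
# /I:S applies each ACE to child objects only; the trailing ";user" limits it
# to user objects, so the group gets no rights on the OU itself or on other
# object types inside it.

# Extended right "Reset Password": set a new password without knowing the old one.
dsacls $ou /I:S /G "${group}:CA;Reset Password;user"

# Read/write pwdLastSet: needed for "User must change password at next logon".
dsacls $ou /I:S /G "${group}:RPWP;pwdLastSet;user"

# Read/write lockoutTime: the attribute that unlocking an account modifies.
dsacls $ou /I:S /G "${group}:RPWP;lockoutTime;user"

# Review the result: list the ACEs on the OU that mention the group.
dsacls $ou | Select-String -SimpleMatch 'Level1-Helpdesk'

# --- Run by a level 1 operator from their own workstation, never on a DC ---
Import-Module ActiveDirectory

$user = 'jdoe'                                          # placeholder account name
# Prompt for the value instead of typing the password on the command line.
$new  = Read-Host -AsSecureString 'Temporary password'

Set-ADAccountPassword -Identity $user -Reset -NewPassword $new
Set-ADUser            -Identity $user -ChangePasswordAtLogon $true
Unlock-ADAccount      -Identity $user
```

Keep privileged accounts out of the delegated OU. Members of protected groups such as Domain Admins do not inherit these ACEs anyway, because their ACLs are overwritten from AdminSDHolder.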
Softerra Adaxes will deal with your issue perfectly by means of Active Directory delegation and web interface customization capabilities.
When you customize a web interface for each level of your users, they will be able to view and modify only permitted objects in Active Directory. And the RBAC-based model of delegation will help grant users the appropriate rights and stop worrying about security.
Here is documentation on how to delegate rights and modify web interface:
http://adaxes.com/tutorials_DelegatingPermissions.htm
http://adaxes.com/tutorials_WebInterfaceCustomization.htm
Thanks.
September 13th, 2011 6:28am


