Help Desk Group - Delegating Rights and allowing access

Hi,

I followed the steps in another thread (https://social.technet.microsoft.com/Forums/en-US/f1846ea7-31fc-4d38-8950-ef7d86f3cefb/need-to-create-help-desk-users-to-unlock-andor-change-passwords?forum=winserverDS) on delegating rights to a "help desk group" to allow this new group to do limited things in AD (create accounts, reset passwords etc).  I applied this to the OU where most of our users objects belong.

Having done that, how do I give the help desk person access to the appropriate programs (users and computers for instance) so they can make these changes?  Do they log in as themselves to a domain controller to fire up "users and computers"?  Or can they still do too much on a DC?  (I only want them to be able to a) create users b) reset pwd c) add a computer to the domain).

Or can you somehow install some sort of snapin on their local PC to allow them access to users and computers?

I added them as a remote user to the domain controller but they still could not log in.

Thanks,

Albert

August 20th, 2015 5:42pm

Hi,

If help desk users want to access the snap-in, they have to install the RSAT tool on their machine if they are using Windows 7.0 and above. From there you can connect to ADUC as given below.

https://www.microsoft.com/en-in/download/details.aspx?id=7887

August 21st, 2015 12:27am

Hi Albert M Gostick,

Thanks for your post.

Besides, you could also use remote desktop to connect to the Domain Controller to use Active Directory User and Computer

But it only allows two remote connections (+1 console connection) for purposes of maintaining the server. To go beyond that you need to set up Remote Desktop Services and Remote Desktop Licensing.

https://technet.microsoft.com/en-us/library/Cc727977%28v=WS.10%29.aspx?f=255&MSPPError=-2147217396

Best Regards,

Mary Dong

August 21st, 2015 3:59am

Hi,

If help desk users want to access the snap-in, they have to install the RSAT tool on their machine if they are using Windows 7.0 and above. From there you can connect to ADUC as given below.

https://www.microsoft.com/en-in/download/details.aspx?id=7887


I looked at that link and it appears that the usage is quite "narrow". That is, I have a Win 7 PC and that seems to only support connecting to a domain controller (DC) that is W2008 or W2008R2 - but this domain has all W2012 servers. Is it this strict? So it seems I would need to upgrade the PC to Win 8 to install that version - and it only manages W2012 servers (not W2012R2). Is this correct?
August 21st, 2015 12:41pm


In regards to delegation design, if you have your users in one OU and computer objects in another OU, then run the delegation wizard on each OU for each task. Keeping the defaults normally works for most, but if you want to really lock it down you can create custom delegation settings...

An example is, if you want to create a group to just allow them the ability to set/ reset passwords, unlock accounts, disable them, and set the expire date on the accounts you would create a custom delegation for "user objects" and add the following permission settings:

Read

Read all properties

Change password

Reset password

Write pwdLastSet

Write accountExpires

Read lockouttime

Write lockouttime

Write userAccountControl

August 21st, 2015 1:51pm
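The permission list above, applied from PowerShell instead of the Delegation of Control wizard. This is an added example and not code from the post above; the OU name, the group name and the log of which domain it runs against are assumptions. The schema and extended-right GUIDs are resolved from the directory at run time rather than hard-coded, so the script works unchanged against any forest.

```powershell
# Added example (not from the original thread): grant a help desk group the custom
# delegation described above (read, change/reset password, write pwdLastSet,
# accountExpires, lockoutTime and userAccountControl) on user objects under one OU.
# Run as a Domain Admin (or someone with Modify Permissions on the OU).
Import-Module ActiveDirectory

$ouDN      = 'OU=Staff,DC=corp,DC=example'   # ASSUMED: OU that holds the user accounts
$groupName = 'HelpDesk-PasswordReset'        # ASSUMED: existing global group for the help desk

$rootDse  = Get-ADRootDSE
$groupSid = (Get-ADGroup -Identity $groupName).SID

# Look up a schema attribute/class GUID by its LDAP display name.
function Get-SchemaGuid([string]$LdapDisplayName) {
    $obj = Get-ADObject -SearchBase $rootDse.schemaNamingContext `
        -LDAPFilter "(lDAPDisplayName=$LdapDisplayName)" -Properties schemaIDGUID
    if (-not $obj) { throw "Schema object '$LdapDisplayName' not found" }
    [guid]$obj.schemaIDGUID
}

# Look up an extended right (control access right) GUID by its display name.
function Get-ExtendedRightGuid([string]$DisplayName) {
    $obj = Get-ADObject -SearchBase "CN=Extended-Rights,$($rootDse.configurationNamingContext)" `
        -LDAPFilter "(displayName=$DisplayName)" -Properties rightsGuid
    if (-not $obj) { throw "Extended right '$DisplayName' not found" }
    [guid]$obj.rightsGuid
}

$userClass = Get-SchemaGuid 'user'
# Apply to descendant user objects only, never to the OU itself.
$inherit   = [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents
$allow     = [System.Security.AccessControl.AccessControlType]::Allow

$acl = Get-Acl -Path "AD:\$ouDN"

# "Read" + "Read all properties" on user objects.
$acl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule `
    $groupSid, ([System.DirectoryServices.ActiveDirectoryRights]::GenericRead), $allow, $inherit, $userClass))

# "Change password" and "Reset password" are extended rights, identified by rightsGuid.
foreach ($right in 'User-Change-Password', 'User-Force-Change-Password') {
    $acl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule `
        $groupSid, ([System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight), $allow,
        (Get-ExtendedRightGuid $right), $inherit, $userClass))
}

# Attribute-level read/write: pwdLastSet (force change at next logon),
# accountExpires, lockoutTime (unlock), userAccountControl (disable/enable).
foreach ($attr in 'pwdLastSet', 'accountExpires', 'lockoutTime', 'userAccountControl') {
    $acl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule `
        $groupSid, ([System.DirectoryServices.ActiveDirectoryRights]'ReadProperty, WriteProperty'), $allow,
        (Get-SchemaGuid $attr), $inherit, $userClass))
}

Set-Acl -Path "AD:\$ouDN" -AclObject $acl

# Verify: list the ACEs now granted to the group on this OU.
(Get-Acl -Path "AD:\$ouDN").Access |
    Where-Object { $_.IdentityReference -like "*\$groupName" } |
    Select-Object ActiveDirectoryRights, ObjectType, InheritedObjectType | Format-Table -AutoSize
```

Two caveats a practitioner would check before shipping this. First, Write userAccountControl is broader than "disable account": it lets the holder set any flag on that attribute, including PASSWD_NOTREQD and DONT_REQUIRE_PREAUTH, so scope it only to OUs where that is acceptable. Second, accounts whose adminCount is 1 (members of protected groups) have their ACLs re-stamped from AdminSDHolder, so the delegation never takes effect on them even if they sit under the OU; that is the intended protection, not a bug in the script.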

You can allow them to access your Windows 7 PC for the administration. Of course, RSAT needs to be installed and they can use dsa.msc for the administration.

In enterprise environments, it might be easier to have a Remote Desktop Server where you install all the tools you want your Service Desk to use for administration.

As for how you can proceed with the delegation, you can read what I shared here:  http://social.technet.microsoft.com/wiki/contents/articles/20292.delegation-of-administration-in-active-directory.aspx

My favorite option is to use Powershell scripts as you can customize them the way you want and you can get notified of actions your service desk does.

Apart from the delegation, you might also want to track the changes in your AD or have a self service portal for your end users. There are third party tools to do that and the following are two of them:

Lepide Auditor - Active Directory: http://www.lepide.com/lepideauditor/active-directory.html

Lepide Active Directory Self Service: http://www.lepide.com/active-directory-self-service/

August 22nd, 2015 5:06pm
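The "PowerShell script instead of a raw snap-in" approach mentioned in the reply above, as an added example that is not the poster's own code. The wrapper only exercises the rights the delegation grants (reset password, force change at next logon, unlock), refuses targets outside the delegated OU or carrying adminCount=1, and appends an audit line for every action so the service desk's changes can be reviewed. The OU, log path and SMTP server are assumptions.

```powershell
# Added example (not from the original thread): a constrained help desk wrapper
# around the delegated password-reset rights, with its own audit trail.
Import-Module ActiveDirectory

$DelegatedOU = 'OU=Staff,DC=corp,DC=example'                     # ASSUMED: delegated OU
$AuditLog    = "$env:ProgramData\HelpDesk\password-resets.log"   # ASSUMED: local audit file
$SmtpServer  = 'smtp.corp.example'                               # ASSUMED: used only with -NotifyTo

function Reset-HelpDeskPassword {
    <#
      Reset a user's password, force a change at next logon and unlock the account,
      but only for users inside the delegated OU. Every attempt is logged.
    #>
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$SamAccountName,
        [Parameter(Mandatory)][securestring]$NewPassword,
        [string]$NotifyTo   # optional mailbox to notify, e.g. the security team
    )

    $operator = "$env:USERDOMAIN\$env:USERNAME"
    $user = Get-ADUser -Identity $SamAccountName -Properties adminCount

    # Scope check: the ACL alone is the real control, but fail early and loudly
    # so a mistyped name never turns into a reset outside the help desk's remit.
    if ($user.DistinguishedName -notlike "*,$DelegatedOU") {
        Write-AuditLine $operator $SamAccountName 'DENIED outside delegated OU'
        throw "$SamAccountName is outside $DelegatedOU; refusing."
    }
    # adminCount=1 marks accounts protected by AdminSDHolder; never touch them here.
    if ($user.adminCount -eq 1) {
        Write-AuditLine $operator $SamAccountName 'DENIED protected account'
        throw "$SamAccountName is a protected (adminCount=1) account; refusing."
    }

    try {
        Set-ADAccountPassword -Identity $user -Reset -NewPassword $NewPassword -ErrorAction Stop
        Set-ADUser -Identity $user -ChangePasswordAtLogon $true -ErrorAction Stop  # needs Write pwdLastSet
        Unlock-ADAccount -Identity $user -ErrorAction Stop                          # needs Write lockoutTime
        Write-AuditLine $operator $SamAccountName 'OK reset+forcechange+unlock'
    }
    catch {
        Write-AuditLine $operator $SamAccountName "FAILED $($_.Exception.Message)"
        throw
    }

    if ($NotifyTo) {
        Send-MailMessage -SmtpServer $SmtpServer -From 'helpdesk-audit@corp.example' -To $NotifyTo `
            -Subject "Password reset: $SamAccountName" `
            -Body "$operator reset and unlocked $SamAccountName at $(Get-Date -Format o)."
    }
}

function Write-AuditLine([string]$Operator, [string]$Target, [string]$Result) {
    # One line per action; the timestamp is ISO 8601 so the file sorts and parses cleanly.
    $dir = Split-Path -Path $AuditLog -Parent
    if (-not (Test-Path $dir)) { New-Item -ItemType Directory -Path $dir -Force | Out-Null }
    Add-Content -Path $AuditLog -Value ('{0} operator={1} target={2} result={3}' -f `
        (Get-Date -Format o), $Operator, $Target, $Result)
}

# Usage (interactive): the new password is read as a SecureString, never echoed or stored.
# Reset-HelpDeskPassword -SamAccountName jdoe -NewPassword (Read-Host 'New password' -AsSecureString)
```

The wrapper is a convenience and an audit hook, not a security boundary: whoever runs it still holds the delegated rights and could call Set-ADAccountPassword directly. The actual least-privilege guarantee comes from the OU ACL, which is why the checks here mirror what the ACL already enforces rather than replacing it. Note also that the audit file is writable by the operator; for a record the help desk cannot edit, forward the Directory Service audit events (4724, 4767) from the domain controllers to a central log instead.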
