yakkob 0 Posted March 17, 2004 Ok, as brief as I can (without confusing myself in the process) I have followed/applied this walkthrough (http://www.microsoft.com/windows2000/techinfo/planning/activedirectory/delegsteps.asp) to our brand new Active Directory structure at work. We have just upgraded from NT4.0 to W2k Server and XP clients. The problem is the resetting of passwords, which we delegate to our operations staff (helpdesk). They can 'reset' a password, but that is all they can do. For instance, they also need to unlock a locked out account, and they also need access to a terminal connection at our servers 'mstsc' (Remote desktop connection). I have made them Print Operators, and Server Operators, but they just don't have the priviledges needed. Anyone care to guide me in the right direction? Cheers Share this post Link to post
clutch 1 Posted March 20, 2004 This article shows how to do it with the OU Delegate Control wizard: http://support.microsoft.com/default.aspx?scid=kb;en-us;294952 This article shows how to do it from the command line and with ADSIEdit: http://support.microsoft.com/default.aspx?scid=kb;en-us;279723 As for logging on to the servers, are they Domain Controllers? If so, by default you can only logon as a domain admin via the default Domain Controller policy (and with good reason). Most places will not allow help desk personnel to work with domain controllers unless they are already admins (and thus, able to logon anyway). Share this post Link to post
yakkob 0 Posted March 22, 2004 Nice one Clutch, much appreciated for the Unlock user. Regarding the Server login and Domain Admins Roles, well, it's a bit of a toughie, but it's going to be up to someone else to give them that right. I will just argue the case against it (security, messing up Active Directory etc). <--Sorry if this sounds confusing but it's a long story. Cheers Share this post Link to post
clutch 1 Posted March 23, 2004 Originally posted by yakkob: Quote: Nice one Clutch, much appreciated for the Unlock user. Regarding the Server login and Domain Admins Roles, well, it's a bit of a toughie, but it's going to be up to someone else to give them that right. I will just argue the case against it (security, messing up Active Directory etc). <--Sorry if this sounds confusing but it's a long story. Cheers Been there, done that. I have been in situations where I needed a DC to host an FTP site, and I had to grant the logon locally right to an FTP users group in order to them to use FTP in IIS. There are times when this comes up, and that's why the settings are there. Just remember that it is a *REALLY* bad idea to do this. Share this post Link to post
