locked
Active Directory Security for Helpdesk RRS feed

  • Question

  • User-1248015017 posted

    Hey all, I'm wanting to delegate some basic AD functions to my Helpdesk users. What would be the best way to go about and do this? I've messed with delegating control in the past and never had much luck. Is there a better/easier way of doing this?

    Basically I want to configure a small group of users to have access to unlock/reset passwords. Any help would be appreciated. Thanks.

     

    Thursday, April 9, 2009 12:07 AM

All replies

  • User1191518856 posted

    Delegating of control was originally invented for this kind of issues. Can it be simpler? :)

    Preferrably, you put the helpdesk users in a group. Using Active Directory Users & Computers, you right-click the to OU which you want to assign this right and choose Delegate control.

    The only problem as I see it is that it is not easy to get an overview of how the delegation is set up. It may become messy if you have complex relations. Given a user, you cant trace it backwards and see *where* this user has control - at least not by using a native tool.

    But the other way around is possible, if you check the Security tab in the properties screen for an OU. There you will see which users/groups do have rights to modify things in this OU.

    Monday, April 13, 2009 5:50 PM