Server 2008 - Granting explicit AD rights

Bionic (Expert Member, joined Nov 15, 2009, Deep in the valley, Midrand)
Hi All,

We have just encountered a problem on our AD and have revoked all IT staff rights.

At this moment I need to deploy only the following rights to them.

They must be able to:

1. Reset passwords
2. Unlock accounts
3. Add PCs to the domain
4. Move PCs to the correct OU
5. Restart a server

I don't want to grant them Account Operators or Server Operators since those are able to either create or modify directories or change user information. I have, however, granted delegation at the domain level for resetting passwords.

Please help

Tx in advance.
 
1. Open AD Users & Computers.
2. Right-click your domain name and choose "Delegate Control".
3. You should have a group called ITStaff, but if not, create such an OU & add all your IT staff.
4. Select the ITStaff group, or whatever you called them, and choose what they can do by ticking the blocks.
5. They can do all the stuff you've listed above, except restart a server.
6. You can add your ITStaff group to the Print Operators group; then they can shut down a server and log in locally.
 
I have tried adding the reset passwords role to the group but the users are still getting access denied when they are performing those tasks. I have tried many articles and also forced replication, still nothing.
 

Have you logged the user off and back on?
 

When access or delegation are not performing as expected, it might be because inheritance has been broken (the child is no longer inheriting permissions from its parent), or because the child object has an explicit permission that overrides the permissions of the parent.

*You mentioned something about the AD Directory Services being broken?
 
I have logged the user off and on... Is it a problem if I'm doing this at the root of the domain instead of at OU level? I'm doing this for them to have access to reset passwords for the entire domain.
 

Not broken....Somebody fiddled with the username of the CEO!
 

Oh no. That is bad.

Now the CEO will have a vendetta against & distrust of all IT staff for the next 20 years. :(

Hopefully it wasn't a username that caused offence?
 

Well, he called since he couldn't log on and we found the problem and fixed it, so he doesn't know. That is why there is a big risk with Account Operators or Server Operators rights. Tx for input so far.
 

Just be honest with your CEO.

Tell him it was an honest mistake and that it will not happen again.

Then have a meeting with your IT staff and tell them never to muck around with VIP usernames/accounts, but rather to ask you if something needs to be changed.

Then you can just rename the account and make sure the pre-Windows 2000 username is OK.
 
Problem sorted. The IT OU had explicit rights, so I had to grant delegation specifically on the OU. I have now only allowed my staff to add computers to the domain and move them to the correct OU, reset and unlock passwords, and force a password change at next logon. I'm still testing shutting down the server, but at least they're part of the Remote Desktop role so they can get to the server. Thanks for all your help!
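As an added example (not posted by anyone in this thread), the PowerShell below does the same two things the thread settles on: it first checks whether the target OU blocks inheritance (the reason domain-root delegation never reached the IT OU), then delegates only the reset-password and unlock/force-change rights for user objects under that OU to the IT group. The group name "ITStaff" and the OU distinguished name are assumed placeholders; GUIDs are looked up from the schema rather than hard-coded.

```powershell
# Added example: scoped delegation of reset-password and unlock rights to one OU.
# Requires the RSAT ActiveDirectory module; run as an account that can edit the OU's ACL.
Import-Module ActiveDirectory

$Group    = 'ITStaff'                              # assumed group name from the thread
$TargetOU = 'OU=IT,DC=example,DC=local'            # placeholder OU DN, not from the thread
$rootDse  = Get-ADRootDSE

# Resolve attribute and extended-right GUIDs from the directory instead of hard-coding them.
function Get-SchemaGuid([string]$LdapName) {
    $obj = Get-ADObject -SearchBase $rootDse.schemaNamingContext `
        -LDAPFilter "(lDAPDisplayName=$LdapName)" -Properties schemaIDGUID
    return [Guid]$obj.schemaIDGUID
}
function Get-ExtendedRightGuid([string]$DisplayName) {
    $obj = Get-ADObject -SearchBase "CN=Extended-Rights,$($rootDse.configurationNamingContext)" `
        -LDAPFilter "(displayName=$DisplayName)" -Properties rightsGuid
    return [Guid]$obj.rightsGuid
}

$sid       = (Get-ADGroup $Group).SID
$userClass = Get-SchemaGuid 'user'
$acl       = Get-Acl -Path "AD:\$TargetOU"

# The failure mode from the thread: inheritance blocked on the OU, so rights delegated
# at the domain root never arrive here and must be granted on the OU itself.
if ($acl.AreAccessRulesProtected) {
    Write-Warning "$TargetOU blocks inheritance; domain-level delegation will not apply to it."
}

$descendants = [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents
$allow       = [System.Security.AccessControl.AccessControlType]::Allow

# Item 1: the Reset Password extended right, limited to user objects below the OU.
$acl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $sid, [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight, $allow,
    (Get-ExtendedRightGuid 'Reset Password'), $descendants, $userClass)))

# Item 2: unlock (write lockoutTime) and "change password at next logon" (write pwdLastSet).
foreach ($attr in 'lockoutTime', 'pwdLastSet') {
    $acl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
        $sid, [System.DirectoryServices.ActiveDirectoryRights]'ReadProperty, WriteProperty', $allow,
        (Get-SchemaGuid $attr), $descendants, $userClass)))
}

# Write the ACL back; nothing broader (no Account Operators / Server Operators) is granted.
Set-Acl -Path "AD:\$TargetOU" -AclObject $acl
```

Adding computers to the domain and moving them between OUs need separate rights on the computer objects and their containers, which this block deliberately leaves out.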
 
1. Open AD Users & Computers.
2. Right-click your domain name and choose "Delegate Control".
3. You should have a group called ITStaff, but if not, create such an OU & add all your IT staff.
4. Select the ITStaff group, or whatever you called them, and choose what they can do by ticking the blocks.
5. They can do all the stuff you've listed above, except restart a server.
6. You can add your ITStaff group to the Print Operators group; then they can shut down a server and log in locally.

^This, delegation of control is what you are looking for.
 