How to restrict rights to only allow users to add or remove or modify user account and group setting


T0GGLe

Hi,

I want to restrict our helpdesk staff so that with their domain
accounts they only have the ability to add new users (and create the
associated Exchange mailbox, i.e. the tickbox you get in user account
creation), remove users, change passwords, and change any other
setting that you get in a user account once it's been created
(telephone number, for example). Also, they should be able to change
group membership.

Now I can see that you can use "Delegate Control" within the
properties of the domain within "Users and Computers", but it's very
confusing. There are so many custom options that you can set for users
or groups with no explanation of any of them. I've been on Win2k and
Active Directory training and there was no mention of any of this, and
I can't find any suitable reference material which explains all these
settings so that I can work it out for myself.

Or am I barking up the wrong tree?

Thx.
 

Steven L Umbach

Delegation is what you want to do. I suggest you do it at the Organizational
Unit level; you will then be able to delegate control over the OU instead
of the whole Users container, and it is easier to change settings back to
default if you do not use a built-in container. Also, when you do it at the
OU level you will have predefined general levels of delegation that would
most commonly be used. Of course, the users and groups that you would want
control delegated over would need to exist in the OU. If you do want to fine-tune
delegation more, you would need to use advanced delegation by
selecting users, also select "property specific", and then select the
permissions you want to delegate. You can then do the same for groups. Be
sure to test your results before implementing. --- Steve
 

Guest

In addition to creating an OU, create a security group, add all users to
this group, and delegate the tasks you want to this group...
 

erectmember

Thanks

I see now that the options that you get at the OU level differ from the
ones at the domain level, and the standard ones fit well for this
purpose.
How do you view what delegation has been set on a particular OU, then?
Can't seem to find that.

Have been on holiday for a while hence the lateness of this reply.

Also, does anyone know where I can get explanations of what each custom
permission setting (under delegation) actually allows people to do?
There is no explanation that I can find, and one in English might be
slightly better than trying to work it out from the attributes themselves,
which appear to be written in Greek... :)
And no, it's not my regional settings :))
 

Roger Abell

The GPMC (Group Policy Management Console) gives a somewhat
better view of delegations. However, once the delegation wizard
is closed, all that remains of your delegation actions is just so many
ACEs in the ACLs of the affected objects.
There is no interface that back-translates this to what actions you
have taken in the past with the delegation wizard.
For this reason I would highly recommend that you define custom
groups for the delegations, named for what they are used to delegate,
and delegate to these groups, in which are the accounts that receive
the delegated capabilities. With a decent naming convention you
can then look at the existing groups and know what has been
delegated, and by memberships know to whom, and adjust easily to
whom.
You could perhaps try reading in the Resource Kit, but the custom
permissions settings actually let you touch the ACL on just about
any AD object/attribute. As such, when you asked about good
explanations of what you see under the custom permissions area
you actually are pretty much asking for an outline of the schema of
the AD objects and their attributes.
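The advice in this thread (delegate on an OU, grant to a named security group rather than to people, and remember that afterwards only ACEs remain to be read back) can be done without the wizard, which also answers the "how do you view what has been delegated on an OU" question. The following is an added example written for this page, not code from any poster. It assumes a domain controller with the ActiveDirectory PowerShell module (Windows Server 2008 R2 or later, so not the Win2k environment of the original question); the OU `OU=Staff,DC=example,DC=com` and the group name `Deleg-Staff-HelpdeskUserAdmin` are placeholders.

```powershell
# Added example (not from the thread). Assumes the ActiveDirectory module;
# the OU DN and group name below are placeholders.
Import-Module ActiveDirectory

$ouDN      = 'OU=Staff,DC=example,DC=com'       # placeholder OU holding the delegated users and groups
$groupName = 'Deleg-Staff-HelpdeskUserAdmin'    # placeholder; the name says what it delegates
$rootDse   = Get-ADRootDSE
$schemaNC  = $rootDse.schemaNamingContext
$rightsNC  = "CN=Extended-Rights,$($rootDse.configurationNamingContext)"
$ruleType  = 'System.DirectoryServices.ActiveDirectoryAccessRule'

# GUID of a schema class or attribute, looked up by LDAP display name (no hard-coded GUIDs).
function Get-SchemaGuid([string]$ldapDisplayName) {
    $o = Get-ADObject -SearchBase $schemaNC -LDAPFilter "(lDAPDisplayName=$ldapDisplayName)" -Properties schemaIDGUID
    [guid]$o.schemaIDGUID
}
# GUID of a control access right such as "Reset Password", looked up by display name.
function Get-RightsGuid([string]$displayName) {
    $o = Get-ADObject -SearchBase $rightsNC -LDAPFilter "(displayName=$displayName)" -Properties rightsGuid
    [guid]$o.rightsGuid
}
# Reverse lookup for reading ACEs back: GUID -> class, attribute or right name.
function Resolve-AdGuid([guid]$g) {
    if ($g -eq [guid]::Empty) { return 'All' }
    $hex = ($g.ToByteArray() | ForEach-Object { '\{0:x2}' -f $_ }) -join ''
    $o = Get-ADObject -SearchBase $schemaNC -LDAPFilter "(schemaIDGUID=$hex)" -Properties lDAPDisplayName
    if ($o) { return $o.lDAPDisplayName }
    $o = Get-ADObject -SearchBase $rightsNC -LDAPFilter "(rightsGuid=$g)" -Properties displayName
    if ($o) { return $o.displayName }
    return $g.ToString()
}

# 1. The group that receives the delegation. Helpdesk accounts are made members of it;
#    nothing is ever granted to an individual account.
if (-not (Get-ADGroup -Filter "Name -eq '$groupName'")) {
    New-ADGroup -Name $groupName -GroupScope DomainLocal -GroupCategory Security -Path $ouDN `
        -Description "Delegated: create/delete users, reset passwords, edit user attributes, edit group membership under $ouDN"
}
$sid = (Get-ADGroup -Identity $groupName).SID

# 2. The ACEs that the wizard's user/group tasks boil down to, scoped to this OU.
$userClass  = Get-SchemaGuid 'user'
$groupClass = Get-SchemaGuid 'group'
$memberAttr = Get-SchemaGuid 'member'
$resetPwd   = Get-RightsGuid 'Reset Password'
$allow      = [System.Security.AccessControl.AccessControlType]::Allow
$all        = [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All
$children   = [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents

$aces = @(
    # create and delete user objects in this OU and any sub-OU
    New-Object $ruleType -ArgumentList $sid, ([System.DirectoryServices.ActiveDirectoryRights]'CreateChild, DeleteChild'), $allow, $userClass, $all
    # "Reset Password" control access right on user objects below the OU only
    New-Object $ruleType -ArgumentList $sid, ([System.DirectoryServices.ActiveDirectoryRights]'ExtendedRight'), $allow, $resetPwd, $children, $userClass
    # read and write every attribute of user objects (telephone number etc.); Guid.Empty = all properties
    New-Object $ruleType -ArgumentList $sid, ([System.DirectoryServices.ActiveDirectoryRights]'ReadProperty, WriteProperty'), $allow, [guid]::Empty, $children, $userClass
    # write only the "member" attribute of group objects: change membership, nothing else
    New-Object $ruleType -ArgumentList $sid, ([System.DirectoryServices.ActiveDirectoryRights]'WriteProperty'), $allow, $memberAttr, $children, $groupClass
)
$acl = Get-Acl -Path "AD:\$ouDN"
foreach ($ace in $aces) { $acl.AddAccessRule($ace) }
Set-Acl -Path "AD:\$ouDN" -AclObject $acl

# 3. Reading the delegation back: the explicit (non-inherited) ACEs on the OU,
#    with their GUIDs translated to names so the output is readable.
function Show-OuDelegation([string]$dn) {
    (Get-Acl -Path "AD:\$dn").Access |
        Where-Object { -not $_.IsInherited } |
        Select-Object IdentityReference, AccessControlType, ActiveDirectoryRights, InheritanceType,
            @{ n = 'ObjectType'; e = { Resolve-AdGuid $_.ObjectType } },
            @{ n = 'AppliesTo';  e = { Resolve-AdGuid $_.InheritedObjectType } }
}
Show-OuDelegation $ouDN | Format-Table -AutoSize
```

Note that the example does not grant the Exchange mailbox-creation right, which in the original question's environment lives in Exchange's own permission model and is outside the directory ACL. On a Windows 2000 domain without the PowerShell module, `dsacls "OU=Staff,DC=example,DC=com"` from the Support Tools dumps the same explicit ACEs, though with raw GUIDs where the wizard and the schema names would be more readable. As Steve says, test before rolling out: log on as a member of the group and confirm that a password reset on a user in the OU succeeds and that the same action on a user outside the OU is denied.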
 
