Re: Delegation of Control

From: Ulf B. Simon-Weidner [MVP] (nospam2-ulf_at_usw-consulting.com)
Date: 10/27/04


Date: Wed, 27 Oct 2004 19:46:05 +0000


"Ulf B. Simon-Weidner [MVP]" <nospam2-ulf@usw-consulting.com> wrote in
message news:nospam2-ulf@usw-consulting.com:
> "jv" <jv@discussions.microsoft.com> wrote in message
> news:jv@discussions.microsoft.com:
> > I just upgraded my test environment to w2k3 AD. Now I want to be able
> > to delegate control for my helpdesk and desktop team to be able to reset
> > passwords, unlock accounts, join computers to domain, remove computers
> > from domain, and read access to view properties of accounts.
> >
> > What is best way to achieve this?
>
> Hello jv,
>
> Most of the tasks you outlined are in the delegation of control wizard,
> just click on the appropriate OU and choose "delegation" from the
> context menu.
>
> Everybody has read access, so you don't need to configure that. And
> they are able to change accounts they create. Reset passwords is
> provided in the delegation wizard, create and delete computer objects
> is provided.
>
> To unlock locked user accounts you have to delegate write rights on the
> "lockoutTime"-Attribute.
>

What I forgot:

Here's an explanation of the lockoutTime-Attribute:
http://www.windowsserverfaq.de/faq/ADQueries/lockoutTime.asp

And here's an example of how to set it with DSAcls:
http://www.windowsserverfaq.de/wiki/wikien.asp?db=Wiki&dbname=DefaultDb&o=ActiveDirectoryDelegation

-- 
Gruesse - Sincerely,
Ulf B. Simon-Weidner
  MVP-Book "Windows XP - Die Expertentipps":  http://tinyurl.com/44zcz
  Weblog: http://msmvps.org/UlfBSimonWeidner
  WebSite: http://www.windowsserverfaq.org
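
The delegation discussed in this thread, scripted with DSAcls as an added example (not part of the original post or the linked pages). The OU distinguished names and the group name are placeholders; it assumes dsacls.exe is available on the machine and that the script runs with rights to modify the OU's ACL.

```powershell
# Added example: every name below is a placeholder, adjust to your directory.
$userOu     = 'OU=Staff,DC=example,DC=com'         # assumed OU holding user accounts
$computerOu = 'OU=Workstations,DC=example,DC=com'  # assumed OU for computer accounts
$group      = 'EXAMPLE\Helpdesk'                   # assumed delegate group

# One entry per delegated task. /I:S applies the ACE to descendant objects
# only; /I:T applies it to the OU itself and everything below it.
$grants = @(
    # Unlock accounts: read/write the lockoutTime attribute on user objects
    @{ Ou = $userOu;     Inherit = '/I:S'; Ace = "${group}:RPWP;lockoutTime;user" }
    # Reset passwords: the "Reset Password" control access right on user objects
    @{ Ou = $userOu;     Inherit = '/I:S'; Ace = "${group}:CA;Reset Password;user" }
    # Join/remove computers: create and delete computer objects in the OU
    @{ Ou = $computerOu; Inherit = '/I:T'; Ace = "${group}:CCDC;computer" }
)

foreach ($g in $grants) {
    Write-Host "Granting $($g.Ace) on $($g.Ou)"
    & dsacls.exe $g.Ou $g.Inherit /G $g.Ace
}

# Review what the group now holds on each OU, so the delegation stays
# limited to the tasks listed above and nothing broader.
foreach ($ou in @($userOu, $computerOu)) {
    Write-Host "`nACEs for $group on ${ou}:"
    & dsacls.exe $ou | Select-String -SimpleMatch $group
}
```

Scoping the grants to specific OUs and object types keeps the helpdesk group from gaining these rights over accounts elsewhere in the domain, such as administrative accounts.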

