Re: How to set permissions to allow user to edit AD

From: Mark Mulvany MCT (mark_at_nospam.com)
Date: 10/23/04


Date: Sat, 23 Oct 2004 01:25:34 +0100

Diane,
You are in the right place, this group focuses on SBS 2003.

Anyway, the easiest way to allow a user to have limited access to AD would be
for you to run Active Directory Users and Computers from Programs,
Administrative Tools.

Drill down to the container which holds the accounts you want the user to
manage; for example, MyBusiness/Users/SBSUsers is the default location of your
users in SBS 2003.

First option is the delegate control wizard which will allow you to specify
the username you wish to give control to manage user accounts and change
passwords.

If you step through the wizard you'll see what I mean.

Finally you then have 2 options to give the user the tools needed to do the
job.

1) Allow the user to use Active Directory Users and Computers; probably not a
good idea.

2) Create a custom taskpad.
a) Start, Run, mmc (gives you an empty console)
b) Add the snap-in for AD Users and Computers
c) Drill down to the container you delegated control to
   earlier. Right-click and select the Custom Taskpad option in order to
   create a custom interface with the tasks you want to give the user.

A couple of caveats: if you want a user to perform these tasks from their
workstation, you will need to install the Adminpak.msi from the SBS2003 CD
(or download it from Microsoft).

Secondly, make sure to save the console, and again you will need to copy this
or email it to the user's workstation.

If you experiment with the MMC you will see that you can customize how it looks
by changing the view options so that the user only sees the container you
intend.

Even if you allow the user to use the full Active Directory Users and
computers, they will not have any permissions to modify any objects outside
the container you delegated permissions to.

Make sure you test this yourself first as you want to make sure the user
only has the permissions you intended.

Also there is no need to add the user to any additional groups.

Hope this helps

Regards Mark (The Irish MCT)

Mark Mulvany MCT,MCSE,MCSE+I,CNA,INET+

"Diane" <Diane@discussions.microsoft.com> wrote in message
news:E4ABEA00-636C-4793-9526-11811E713E5C@microsoft.com...
> Hi - I can't find an SBS2003 group, so I'd appreciate any help this forum
> can provide.
> I've got SBS2003 installed and want to give a user permissions to log on to
> the server using his own account and then be able to update AD (add users,
> change passwords, etc.) but no more. Can someone please advise on how to set
> proper permissions on the user account to enable this? I have not worked
> with group policy etc., so if this is the path to take, please give as much
> detail as is reasonable.
>
> Thanks very much for all your help,
>
> Diane
>
> BTW - is there a 2003 forum??
>
>
>
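
The reply's advice to test that the user only has the permissions intended can also be checked against the container's ACL. The following is an added example, not part of the original post: it assumes the container's security descriptor has been exported as an SDDL string, and the SID, the sample descriptor and the function names are constructed for illustration.

```python
import re

USER_CLASS = "bf967aba-0de6-11d0-a285-00aa003049e2"  # schemaIDGUID of the user class
FULL = "CCDCLCSWRPWPDTLOCRSDRCWDWO"                  # full control, as stored in SDDL
CODES = {"CC": "create child", "DC": "delete child", "RP": "read property",
         "WP": "write property", "CR": "extended right", "SD": "delete",
         "WD": "change permissions", "WO": "take ownership", "GA": "generic all"}

def pairs(s):
    """Split concatenated SDDL two-letter codes ('CIIO' -> ['CI', 'IO'])."""
    return [s[i:i + 2] for i in range(0, len(s), 2)]

def delegate_aces(sddl, sid):
    """Yield explicit (non-inherited) allow ACEs in the DACL granted to sid."""
    m = re.search(r"D:[A-Z]*((?:\([^)]*\))+)", sddl)
    for ace in re.findall(r"\(([^)]*)\)", m.group(1) if m else ""):
        kind, flags, rights, obj, inh_obj, trustee = ace.split(";")[:6]
        if kind in ("A", "OA") and trustee == sid and "ID" not in pairs(flags):
            yield flags, rights, obj.lower(), inh_obj.lower()

def out_of_scope(sddl, sid):
    """Return the delegate's ACEs that reach beyond user objects."""
    findings = []
    for flags, rights, obj, inh_obj in delegate_aces(sddl, sid):
        # In scope: creating/deleting user objects in the container ...
        create_delete_users = obj == USER_CLASS and set(pairs(rights)) <= {"CC", "DC"}
        # ... or any right that is inherited only by descendant user objects.
        only_on_users = inh_obj == USER_CLASS and "IO" in pairs(flags)
        if not (create_delete_users or only_on_users):
            names = [CODES.get(c, c) for c in pairs(rights)]
            findings.append((rights, obj or "any", inh_obj or "any", names))
    return findings

# Constructed sample: SID and descriptor are illustrative, not from a real domain.
DELEGATE = "S-1-5-21-1111111111-2222222222-3333333333-1105"
SAMPLE = ("O:DAG:DAD:AI"
          f"(OA;CI;CCDC;{USER_CLASS};;{DELEGATE})"      # create/delete user objects
          f"(OA;CIIO;{FULL};;{USER_CLASS};{DELEGATE})"  # manage descendant users
          f"(OA;CIIO;CR;00299570-246d-11d0-a768-00aa006e0529;{USER_CLASS};{DELEGATE})"  # reset password
          f"(A;CI;{FULL};;;{DELEGATE})"                 # too broad: every object type
          "(A;CIID;GA;;;DA)")                           # inherited, different trustee

if __name__ == "__main__":
    for rights, obj, inh_obj, names in out_of_scope(SAMPLE, DELEGATE):
        print(f"out of scope: {rights} object={obj} applies-to={inh_obj}")
```

Any ACE it reports is a grant to the delegated account that is not limited to user objects and should be reviewed before the console is handed over.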


