Custom rights

Guest

Hi!

I need your help to determine what kind of permissions I need to give for a Network
Technician on the domain:

-Can log on the server
-Can add computers in a domain
-Can create users and add them to specific groups
-Can reset passwords
-Cannot delete users
-Cannot install applications

This is what I need. I don't want to give the user total access (just the list above), but enough to allow him to do his normal job.

I know the custom permissions for a user, but does anybody have a kind of recipe for what I need? If anybody uses this kind of user in his network, tell me what you do for this kind of user!

Thanks

Ans.:

Look into AD delegation, though you may need to do some custom delegation. You can
modify the "log on locally" user right to allow a user to log on to a computer, and you
can give a user the right to create computer objects in the domain or OU, which would
take care of the first two.

Create a test OU and then select Properties / Delegation to start the delegation wizard
to see what the "built in" rights are, including resetting passwords and modifying
group membership. For the rest you will have to experiment; for example, the
ability to create a user but not delete one would need to be a custom delegation for
creating user objects. The links below may help. --- Steve

http://msdn.microsoft.com/library/default.asp?url=/library/en-us/gp/526.asp -- refer to the last paragraph
http://support.microsoft.com/default.aspx?scid=kb;en-us;294952 -- example of custom delegation.
 
Steven L Umbach

OK. Try this.

By default any user can log on to a server other than a domain controller. To allow them to log on to a domain controller, give them the "log on locally" user right in Domain Controller Security Policy. Note the user possibly could manage what he needs from another computer through MMC snap-ins.

To add computers to the domain, go to AD Users and Computers. Select View / Advanced Features. Then select the domain, right-click and select Delegate Control. The wizard will start. Add your user/group and select "add computers to the domain".

To add users to the domain, go to the domain container/properties/security/advanced/add - select your group/select "create user objects" and apply. This allows them to create but not delete users.

To add users to specific groups: in the properties of the group, go to security/advanced/add - select your group/select properties at the top [instead of object]/select "write members" and apply. Of course this will not work on privileged groups such as Administrators.

To reset passwords for non-privileged user accounts: go to domain/properties/security/advanced/add - select your users group/select "apply onto:" user objects/select reset password and apply. By default, privileged accounts do not inherit permissions, to exempt them from delegation. If you have a user in a privileged group and you remove that user, you will have to manually configure permissions on that user object or select "allow inheritable permissions to propagate from parent".

The above should allow a regular user account in the domain to do what you want. A regular user cannot install most software. Personally I would not want any regular user to log on to a domain controller; instead they can use MMC snap-ins to manage what they need, which will prevent them from having access and installing anything on the domain controller. I would also suggest you consider giving the user/group those powers [except add computers to the domain] to an Organizational Unit instead and moving the groups and users into the OU that you want them to manage. --- Steve
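The OU-scoped part of the recipe above (create-but-not-delete users, write group membership, reset passwords), as an added PowerShell example that is not from this thread or from Steve. The OU distinguished name and the group name are placeholders, and it assumes the ActiveDirectory module and its AD: drive are available.

```powershell
# Added example, not from the thread: grant a technician group the
# OU-scoped rights described above by editing the OU's DACL directly.
# Assumptions (placeholders): the OU DN and group name below; the
# ActiveDirectory module and its AD: drive; run as a domain admin from a
# management workstation rather than on a domain controller.
Import-Module ActiveDirectory

$ouDN      = 'OU=Managed,DC=example,DC=com'   # placeholder OU
$techGroup = 'NetworkTechnicians'             # placeholder group
$sid       = (Get-ADGroup -Identity $techGroup).SID
$rootDse   = Get-ADRootDSE

# Look up class/attribute GUIDs in the schema instead of hard-coding them.
function Get-SchemaGuid([string]$ldapName) {
    $obj = Get-ADObject -SearchBase $rootDse.schemaNamingContext `
        -LDAPFilter "(lDAPDisplayName=$ldapName)" -Properties schemaIDGUID
    return [guid]$obj.schemaIDGUID
}
# Extended rights such as "Reset Password" live in the configuration partition.
function Get-ExtendedRightGuid([string]$displayName) {
    $base = "CN=Extended-Rights,$($rootDse.configurationNamingContext)"
    $obj  = Get-ADObject -SearchBase $base -LDAPFilter "(displayName=$displayName)" `
        -Properties rightsGuid
    return [guid]$obj.rightsGuid
}

$userGuid   = Get-SchemaGuid 'user'
$groupGuid  = Get-SchemaGuid 'group'
$memberGuid = Get-SchemaGuid 'member'
$resetPwd   = Get-ExtendedRightGuid 'Reset Password'

$allow = [System.Security.AccessControl.AccessControlType]::Allow
$desc  = [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents
$all   = [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All
$acl   = Get-Acl -Path "AD:\$ouDN"

# 1. Create user objects in the OU. CreateChild only: DeleteChild is not
#    granted, which is what keeps "cannot delete users" true.
$acl.AddAccessRule([System.DirectoryServices.ActiveDirectoryAccessRule]::new(
    $sid, [System.DirectoryServices.ActiveDirectoryRights]::CreateChild, $allow, $userGuid, $all))
# 2. Write the 'member' attribute of group objects under the OU.
$acl.AddAccessRule([System.DirectoryServices.ActiveDirectoryAccessRule]::new(
    $sid, [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty, $allow, $memberGuid, $desc, $groupGuid))
# 3. "Reset Password" extended right on user objects under the OU. Accounts
#    protected by AdminSDHolder do not inherit this, as the post notes.
$acl.AddAccessRule([System.DirectoryServices.ActiveDirectoryAccessRule]::new(
    $sid, [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight, $allow, $resetPwd, $desc, $userGuid))
Set-Acl -Path "AD:\$ouDN" -AclObject $acl

# Check: list the ACEs granted to the group; DeleteChild must not appear.
(Get-Acl -Path "AD:\$ouDN").Access |
    Where-Object { $_.IdentityReference.Value -like "*\$techGroup" } |
    Select-Object ActiveDirectoryRights, ObjectType, InheritedObjectType, InheritanceType
```

The "add computers to the domain" and "log on locally" pieces are deliberately left out: the first is granted at domain level through the Delegate Control wizard and the second is a user right set in Group Policy, not an ACL on the OU.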


Guest

Thank you Steven!

This is what I need!


Guest

Steven,

This was also very useful to me. However, when my test .tech user tries to
create an account he goes through the process fine until I arrive at the "Create
an Exchange mailbox" screen.

I can see the "Server" but I can't see the "Mailbox store". What do I need
to add/modify in order to get this done?

Thanks
GraXi


Steven L Umbach

Hi GraXi.

I don't know the specific answer to that offhand as I don't have Exchange
integrated with my AD setup. Hopefully someone else can help and you may
also want to post in one of the Exchange and Active Directory newsgroups. I
found the link below but am not sure if it is the solution to your
problem. --- Steve

http://support.microsoft.com/default.aspx?scid=kb;en-us;262399


Miha Pihler [MVP]

Hi,

Try giving the user who is adding the account the View Only Exchange Administrator
permission. You should do this using the wizard in Exchange (e.g. on the Exchange
Organization or some other level)...

I hope this helps,

--
Mike
Microsoft MVP - Windows Security
