Limiting AD administration tasks

[Steve]

I have a generic domain account that is used to be able
to log into our domain controllers. I want to be able to
have this account log in and do BASIC AD administration
tasks such as reset a password and nothing else. I intend
to use the "run as" command and a seperate account to do
the major administraion (creating ou's etc.) How do I
limit the generic account from being able to create ou's
and do other major adminstration but yet allow them to
reset passwords etc?

Thanks in Advance,

Steve

 

[Chriss3]

Hello Steve

Take a look at Delegate Control Wizard, You can use this Wizard at OU and
Domain level, to delegate servels administrative tasks.

if you right click at Domain our OU level you can select the "Delegate
Control Wizard" and the guide appers.

You can read this howto to found out more information
http://www.microsoft.com/technet/tr...rodtechnol/windows2000serv/howto/delestep.asp

another thing you can do to simplify the daily adminstrative tasks as
rest-password etc is to make a customize MMC Consoel, ther you create
shortcut to the tasks.

More information about how to create a personal MMC Console:
http://www.microsoft.com/technet/tr...rodtechnol/windows2000serv/howto/mmcsteps.asp

//Christoffer Andersson