Permissions in AD

Hi

I need your help to determine what kind of permissions I need to give to a Network Technician on the domain:

-Can log on the server
-Can add computers in a domain
-Can create users and add them to specific groups
-Can reset password
-Cannot delete users
-Cannot install applications

This is what I need. I think this is a hybrid between an administrator and a power user! I don't want to give the user total access (just the list higher) but enough to allow him to do his normal job.
 
Look into AD delegation, though you may need to do some custom delegation. You can
modify the user right to log on locally to allow a user to log on to a computer, and you
can give a user the right to create computer objects in the domain or OU, which would
take care of the first two.

Create a test OU and then select properties delegation to start the delegation wizard
to see what the "built in" rights are, including resetting passwords and modifying
group membership. For the rest you will have to experiment; for example, the
ability to create a user but not delete one would need to be a custom delegation for
creating user objects. The links below may help.

--- Steve

http://msdn.microsoft.com/library/default.asp?url=/library/en-us/gp/526.asp --- refer to the last paragraph
http://support.microsoft.com/default.aspx?scid=kb;en-us;294952 -- example of custom delegation.

From QC said:
Hi!

I need your help to determine what kind of permissions I need to give for a Network Technician on the domain:

-Can log on the server
-Can add computers in a domain
-Can create users and add them to specific groups
-Can reset password
-Cannot delete users
-Cannot install applications

This is what I need. I think this is a hybrid between an administrator and a power
user! I don't want to give the user total access (just the list higher) but enough to
allow him to do his normal job.
 
You can use the Delegation Wizard on the OU that the user
resides in, in AD. Create a custom task, and choose what
he/she is able to do. Much easier than adding them to a
new group. Log onto server is Log On Locally in the
Domain Default policy.

Good luck
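
The custom delegation both replies describe can also be scripted with dsacls instead of the wizard. This is an added example, not part of the thread: the domain, OU and group names are placeholders, and it covers only the directory permissions, not the log-on-locally right or application installs.

```powershell
# Added example. Every name below is a hypothetical placeholder; try it on a
# test OU first, as suggested in the thread.
$ou      = 'OU=Branch,DC=example,DC=com'                  # OU the technician works in
$trustee = 'EXAMPLE\NetTechs'                             # group holding the technician
$group   = 'CN=Branch Staff,OU=Branch,DC=example,DC=com'  # the one group he may manage

# dsacls grant syntax: /G "<trustee>:<rights>;<object or property>;<inherited object type>"
# /I:T = this object and sub-objects, /I:S = sub-objects only.

# Add computers: CC (create child) limited to computer objects.
dsacls $ou /I:T /G "${trustee}:CC;computer"

# Create users: CC limited to user objects. DC (delete child) and SD (delete)
# are deliberately not granted, so this delegation gives no right to delete users.
dsacls $ou /I:T /G "${trustee}:CC;user"

# Reset passwords: the "Reset Password" control access right on user objects,
# plus write access to pwdLastSet so "must change password at next logon" can be set.
dsacls $ou /I:S /G "${trustee}:CA;Reset Password;user"
dsacls $ou /I:S /G "${trustee}:WP;pwdLastSet;user"

# Add users to one specific group: write the member attribute on that group only.
dsacls $group /G "${trustee}:WP;member"

# Check the result: print the ACL and review the trustee's entries. None of them
# should carry DELETE or DELETE CHILD rights.
dsacls $ou | Select-String -SimpleMatch $trustee
```

Granting to a group rather than to the technician's own account keeps the ACL unchanged when staff change.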
 