Active Directory, control to users



Tags: windows, active-directory, delegation

I’m responsible for Active Directory (AD) where I work, and I’m trying to figure out how I can allow the company’s sector managers to add and delete users in their respective departments, without any of them needing to be a domain administrator.
So, any help, please?

Solution:

You’re looking for the Delegation of Control functionality in Active Directory Users and Computers. I don’t prefer @Harry Johnston’s answer because, while technically valid, you really should use the “Wizard” so that you don’t have to muck about with the specific entries in the access control lists (ACLs) you’re trying to manage.

Assume a Directory that looks as follows:

   |-- [OU]  Sales
   |     |
   |   [user]  Bob, Sales Manager
   |-- [OU]  Service
   |     |
   |   [user]  Jane, Service Manager
   |-- [OU]  Security Groups
   |     |
   |     |-- [OU]  Groups Managed by Delegates
   |     |     |
   |     |   [group]  Sales Gerbils
   |     |     |
   |     |   [group]  Service Technicians
   |     | 
   |   [group]  Delegated Sales Managers
   |     |
   |   [group]  Delegated Service Managers
   |     |
  ...   ...

Assuming you’d like Bob to be able to create new Sales users and Jane to be able to create new Service users you’d:

  • Make Bob a member of the “Delegated Sales Managers” group
  • Make Jane a member of the “Delegated Service Managers” group
  • Use the “Delegation of Control” wizard at the “Sales” OU to grant “Create, delete, and manage user accounts” permissions to the “Delegated Sales Managers” group
  • Use the “Delegation of Control” wizard at the “Service” OU to grant “Create, delete, and manage user accounts” permissions to the “Delegated Service Managers” group

This would allow Bob and Jane to create user accounts in the appropriate OUs, but it wouldn’t allow them to make the users members of groups. By putting groups that Bob and Jane are permitted to manage the membership for under the “Groups Managed by Delegates” OU, and using the Delegation of Control wizard to grant “Delegated Sales Managers” and “Delegated Service Managers” the “Modify the membership of a group” right on the “Groups Managed by Delegates” OU, both Bob and Jane would be permitted to add users (users they create or other users that already exist in the Directory!) to the groups in and below this OU.

If you wanted to stop Bob from adding users to the “Service Technicians” group and Jane to the “Sales Gerbils” group you could create sub-OUs under the “Groups Managed by Delegates” OU and delegate control there (a “Sales Groups” OU and a “Service Groups” OU, for example).

The nice thing is that you can create a test OU in your Directory, create some test accounts and groups, and play around with this functionality without impacting the rest of your Directory. Give it a shot and test out your solution before you roll it out to users.
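As an added example (not part of the original answer), the following PowerShell script performs the same delegation the wizard steps above describe, using the ActiveDirectory module so the result is repeatable and reviewable. It builds the answer’s tree (including the “Sales Groups” and “Service Groups” sub-OUs) under a disposable “Delegation Test” OU, so it can be tried out first as the answer recommends. The domain, the test OU name, and the sAMAccountNames “bob” and “jane” are assumptions. The rights written mirror the two wizard tasks: create/delete user objects plus full control over descendant user objects for “Create, delete, and manage user accounts”, and read/write of the member attribute on descendant group objects for “Modify the membership of a group”.

```powershell
# Added example, not part of the original answer: the delegation the
# Delegation of Control wizard performs, scripted with the ActiveDirectory
# module. Assumptions: run as a domain admin; everything is created under a
# throw-away "Delegation Test" OU; OU and group names follow the answer's tree;
# 'bob' and 'jane' are assumed to be existing sAMAccountNames.
Import-Module ActiveDirectory

$DomainDN = (Get-ADDomain).DistinguishedName
$SchemaNC = (Get-ADRootDSE).schemaNamingContext

# Look schema GUIDs up at runtime rather than hard-coding them.
function Get-SchemaGuid([string]$LdapDisplayName) {
    $o = Get-ADObject -SearchBase $SchemaNC -LDAPFilter "(lDAPDisplayName=$LdapDisplayName)" -Properties schemaIDGUID
    [guid]$o.schemaIDGUID
}
$UserClass  = Get-SchemaGuid 'user'
$GroupClass = Get-SchemaGuid 'group'
$MemberAttr = Get-SchemaGuid 'member'

function New-OUIfMissing([string]$Name, [string]$ParentDN) {
    $dn = "OU=$Name,$ParentDN"
    try   { Get-ADOrganizationalUnit -Identity $dn -ErrorAction Stop | Out-Null }
    catch { New-ADOrganizationalUnit -Name $Name -Path $ParentDN -ProtectedFromAccidentalDeletion $false | Out-Null }
    $dn
}

function New-GroupIfMissing([string]$Name, [string]$PathDN) {
    if (-not (Get-ADGroup -Filter "Name -eq '$Name'" -SearchBase $PathDN)) {
        New-ADGroup -Name $Name -GroupScope Global -Path $PathDN | Out-Null
    }
    Get-ADGroup -Filter "Name -eq '$Name'" -SearchBase $PathDN   # re-read so SID is populated
}

# One Allow ACE; Guid.Empty means "any object type" / "any inherited class".
function New-AdAce($Sid, [System.DirectoryServices.ActiveDirectoryRights]$Rights,
                   [System.DirectoryServices.ActiveDirectorySecurityInheritance]$Inheritance,
                   [guid]$ObjectType = [guid]::Empty, [guid]$InheritedObjectType = [guid]::Empty) {
    New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
        $Sid, $Rights, [System.Security.AccessControl.AccessControlType]::Allow,
        $ObjectType, $Inheritance, $InheritedObjectType)
}

function Add-AcesToObject([string]$DN, $Aces) {
    $acl = Get-Acl -Path "AD:\$DN"
    foreach ($a in $Aces) { $acl.AddAccessRule($a) }
    Set-Acl -Path "AD:\$DN" -AclObject $acl
}

# Wizard task "Create, delete, and manage user accounts": create/delete user
# objects in the OU (and sub-OUs), plus full control over the user objects below it.
function Grant-UserAccountManagement([string]$OuDN, $Group) {
    Add-AcesToObject $OuDN @(
        (New-AdAce -Sid $Group.SID -Rights 'CreateChild, DeleteChild' -Inheritance All -ObjectType $UserClass),
        (New-AdAce -Sid $Group.SID -Rights GenericAll -Inheritance Descendents -InheritedObjectType $UserClass)
    )
}

# Wizard task "Modify the membership of a group": read/write only the "member"
# attribute on group objects below the OU; nothing else on the groups or the OU.
function Grant-GroupMembershipManagement([string]$OuDN, $Group) {
    Add-AcesToObject $OuDN @(
        (New-AdAce -Sid $Group.SID -Rights 'ReadProperty, WriteProperty' -Inheritance Descendents `
                   -ObjectType $MemberAttr -InheritedObjectType $GroupClass)
    )
}

# Build the tree from the answer, including the per-department group sub-OUs.
$root        = New-OUIfMissing 'Delegation Test' $DomainDN
$salesOU     = New-OUIfMissing 'Sales'   $root
$serviceOU   = New-OUIfMissing 'Service' $root
$secGroupsOU = New-OUIfMissing 'Security Groups' $root
$managedOU   = New-OUIfMissing 'Groups Managed by Delegates' $secGroupsOU
$salesGrpOU  = New-OUIfMissing 'Sales Groups'   $managedOU
$svcGrpOU    = New-OUIfMissing 'Service Groups' $managedOU

$salesMgrs = New-GroupIfMissing 'Delegated Sales Managers'   $secGroupsOU
$svcMgrs   = New-GroupIfMissing 'Delegated Service Managers' $secGroupsOU
New-GroupIfMissing 'Sales Gerbils'       $salesGrpOU | Out-Null
New-GroupIfMissing 'Service Technicians' $svcGrpOU   | Out-Null

Grant-UserAccountManagement     -OuDN $salesOU    -Group $salesMgrs
Grant-UserAccountManagement     -OuDN $serviceOU  -Group $svcMgrs
Grant-GroupMembershipManagement -OuDN $salesGrpOU -Group $salesMgrs
Grant-GroupMembershipManagement -OuDN $svcGrpOU   -Group $svcMgrs

# Bob and Jane (assumed sAMAccountNames) become delegates via group membership only.
Add-ADGroupMember -Identity $salesMgrs -Members 'bob'
Add-ADGroupMember -Identity $svcMgrs   -Members 'jane'

# Verify what was actually written before rolling out: the delegate group should
# appear only with ACEs scoped by the user-class / member-attribute GUIDs.
(Get-Acl -Path "AD:\$salesOU").Access |
    Where-Object { $_.IdentityReference -like '*Delegated Sales Managers' } |
    Format-Table ActiveDirectoryRights, ObjectType, InheritanceType, InheritedObjectType -AutoSize
```

Run this in an elevated session with the RSAT ActiveDirectory module installed. The closing Get-Acl is the check to make before pointing the delegation at real OUs: the delegate group should show CreateChild/DeleteChild with the user-class GUID as ObjectType, GenericAll inherited only to user objects, and ReadProperty/WriteProperty on the member attribute inherited only to group objects; an ACE with an empty ObjectType would mean the delegate got rights over every object class under that OU.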

Assuming that you are on Windows Server 2008: go to ADUC, enable Advanced Features, and in the console tree you will see a container called Builtin; there you will find ‘Account Operators’. Put your managers into that ‘Account Operators’ group, which allows them to administer domain user and group accounts. Hope this helps.
