active directory user
-
Tuesday, April 10, 2012 2:14 PM
Hi all, I need to create a user (not a domain admin) that can manage other users (changing passwords, lock/unlock, disable, change expiration date).
Can anyone help me?
Best regards,
Manuel
All Replies
-
Tuesday, April 10, 2012 2:17 PM
Hello,
This could be done by delegating the administration on OUs: http://www.windowsecurity.com/articles/Implementing-Active-Directory-Delegation-Administration.html
This posting is provided "AS IS" with no warranties or guarantees, and confers no rights.
Microsoft Student Partner 2010 / 2011
Microsoft Certified Professional
Microsoft Certified Systems Administrator: Security
Microsoft Certified Systems Engineer: Security
Microsoft Certified Technology Specialist: Windows Server 2008 Active Directory, Configuration
Microsoft Certified Technology Specialist: Windows Server 2008 Network Infrastructure, Configuration
Microsoft Certified Technology Specialist: Windows Server 2008 Applications Infrastructure, Configuration
Microsoft Certified Technology Specialist: Windows 7, Configuring
Microsoft Certified Technology Specialist: Designing and Providing Volume Licensing Solutions to Large Organizations
Microsoft Certified IT Professional: Enterprise Administrator
Microsoft Certified IT Professional: Server Administrator
Microsoft Certified Trainer
- Proposed As Answer by Abhijit Waikar (Microsoft Community Contributor) Wednesday, April 11, 2012 2:42 AM
- Marked As Answer by casto.cremonesi Wednesday, April 11, 2012 2:19 PM
-
Tuesday, April 10, 2012 2:21 PM
Hi,
You can create a new security DL and add these admin users. You might be having all your normal users in a separate OU. Then you can delegate access to this DL on your users OU.
For example, create a DL called "First level Admins" and add all your users who will manage the rest of the users.
Then right-click your users OU and click Delegate Control. In the tasks to delegate you can select all tasks, and once done click Finish.
Regards, Mohan R, Sr. Administrator - Server Support
- Edited by Server Engineer Tuesday, April 10, 2012 2:24 PM
- Marked As Answer by casto.cremonesi Wednesday, April 11, 2012 2:20 PM
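The wizard route above grants "all tasks"; the following is an added PowerShell example (not posted in this thread) that delegates only the four rights the original question asks for (reset password, unlock, disable, expiration date) to a group on one OU, looking the attribute and extended-right GUIDs up from the schema instead of hard-coding them. The group name "First level Admins" and the OU "OU=Users,DC=example,DC=com" are assumed placeholders.

```powershell
# Added example, not from the thread. Assumes the ActiveDirectory module (RSAT)
# and an account allowed to change the OU's security descriptor.
Import-Module ActiveDirectory

$group = 'First level Admins'                 # assumed group name
$ouDN  = 'OU=Users,DC=example,DC=com'         # assumed OU
$rootDse = Get-ADRootDSE

# schemaIDGUID of an attribute or class, read from the schema partition.
function Get-SchemaGuid([string]$ldapDisplayName) {
    $obj = Get-ADObject -SearchBase $rootDse.schemaNamingContext `
        -LDAPFilter "(lDAPDisplayName=$ldapDisplayName)" -Properties schemaIDGUID
    [guid]$obj.schemaIDGUID
}

# rightsGuid of a control access right, read from the configuration partition.
function Get-ExtendedRightGuid([string]$displayName) {
    $obj = Get-ADObject -SearchBase "CN=Extended-Rights,$($rootDse.configurationNamingContext)" `
        -LDAPFilter "(displayName=$displayName)" -Properties rightsGuid
    [guid]$obj.rightsGuid
}

$sid           = (Get-ADGroup $group).SID
$userClassGuid = Get-SchemaGuid 'user'        # limit every ACE to user objects
$acl           = Get-Acl -Path "AD:\$ouDN"

# "Reset Password" extended right: set a new password without knowing the old one.
$acl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $sid, 'ExtendedRight', 'Allow', (Get-ExtendedRightGuid 'Reset Password'),
    'Descendents', $userClassGuid)))

# Attribute writes behind unlock (lockoutTime), disable (userAccountControl),
# expiration date (accountExpires) and "must change password" (pwdLastSet).
foreach ($attr in 'lockoutTime', 'userAccountControl', 'accountExpires', 'pwdLastSet') {
    $acl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
        $sid, 'ReadProperty, WriteProperty', 'Allow', (Get-SchemaGuid $attr),
        'Descendents', $userClassGuid)))
}

Set-Acl -Path "AD:\$ouDN" -AclObject $acl

# Read back what the group now holds on the OU, so the delegation can be reviewed.
(Get-Acl -Path "AD:\$ouDN").Access |
    Where-Object { $_.IdentityReference -like "*\$group" } |
    Select-Object ActiveDirectoryRights, ObjectType, InheritedObjectType
```

Scoping each ACE to the user class with the "Descendents" inheritance keeps the group from touching computers, groups or the OU itself, which "select all tasks" in the wizard would not do.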
-
Tuesday, April 10, 2012 3:03 PM
Q. Hi all, I need to create a user (not a domain admin) that can manage other users (changing passwords, lock/unlock, disable, change expiration date).
ANS. You can use delegation of control to assign the required permission. Refer to the link below:
http://blogs.dirteam.com/blogs/jorge/archive/2006/01/05/369.aspx
With SnapShot
http://www.howtogeek.com/50166/using-the-delegation-of-control-wizard-to-assign-permissions-in-server-2008/
The same activity can be performed from a user workstation by installing the adminpak tools (WinXP) or RSAT (Win7) to manage the same.
http://www.microsoft.com/download/en/details.aspx?id=7887
http://www.microsoft.com/download/en/details.aspx?id=16770
Hope this helps. Best Regards,
Sandesh Dubey.
MCSE | MCSA: Messaging | MCTS | MCITP: Enterprise Administrator | My Blog
Disclaimer: This posting is provided "AS IS" with no warranties or guarantees, and confers no rights.
- Marked As Answer by casto.cremonesi Wednesday, April 11, 2012 2:20 PM
-
Tuesday, April 10, 2012 4:05 PM
Hello,
You can use the Delegate Control wizard to enable options, or you can use the Advanced Security Settings to configure permissions to allow non-admins to manage specific tasks. More details also in:
http://support.microsoft.com/kb/243327/en-us
http://support.microsoft.com/kb/294952/en-us
http://support.microsoft.com/kb/296999
http://support.microsoft.com/kb/932455
Best practice for delegation: http://technet.microsoft.com/en-us/library/cc773318(v=ws.10).aspx and http://www.microsoft.com/download/en/details.aspx?id=21678
You can also create additional tasks for the Delegate Control wizard as shown in http://technet.microsoft.com/en-us/library/cc772784(WS.10).aspx
Best regards
Meinolf Weber
MVP, MCP, MCTS
Microsoft MVP - Directory Services
My Blog: http://msmvps.com/blogs/mweber/
Disclaimer: This posting is provided AS IS with no warranties or guarantees and confers no rights.
- Edited by Meinolf Weber (MVP) Tuesday, April 10, 2012 4:07 PM
- Proposed As Answer by Arthur_Li (Microsoft Contingent Staff, Moderator) Wednesday, April 11, 2012 4:56 AM
- Marked As Answer by casto.cremonesi Wednesday, April 11, 2012 2:20 PM
-
Wednesday, April 11, 2012 8:39 AM
Thanks to all, it seems to work correctly.
Another question: I have a problem creating a script to force a specific user to change password at next logon (it seems that pwdLastSet = 0 didn't work).
Could you help me?
Best regards,
Manuel
-
Wednesday, April 11, 2012 9:28 AM
Hello,
This basically belongs to the scripting forum: http://social.technet.microsoft.com/Forums/en/ITCG/threads
But see also http://www.computerperformance.co.uk/vbscript/vbscript_pwdlastset.htm and, on how to use dsquery and dsmod, http://community.spiceworks.com/scripts/show/251-force-user-s-by-ou-to-change-their-password
Best regards
Meinolf Weber
MVP, MCP, MCTS
Microsoft MVP - Directory Services
My Blog: http://msmvps.com/blogs/mweber/
Disclaimer: This posting is provided AS IS with no warranties or guarantees and confers no rights.
- Marked As Answer by casto.cremonesi Wednesday, April 11, 2012 2:20 PM
-
Wednesday, April 11, 2012 9:31 AM
Since you have applied the script, enable the policy below.
Enable fast logon:
Computer Configuration\Administrative Templates\System\Logon\Always wait for the network at computer startup and logon
Configuring a Password Change at Next Logon Requirement
http://technet.microsoft.com/library/ee198797.aspx
You can also log in to the DC, open AD Users and Computers, select all users or the required user, and right-click --> Properties --> check the box "User must change password at next logon".
Hope this helps. Best Regards,
Sandesh Dubey.
MCSE | MCSA: Messaging | MCTS | MCITP: Enterprise Administrator | My Blog
Disclaimer: This posting is provided "AS IS" with no warranties or guarantees, and confers no rights.
- Marked As Answer by casto.cremonesi Wednesday, April 11, 2012 2:20 PM
-
Wednesday, April 11, 2012 2:18 PM
Thanks to all.
I used objUser.PasswordExpired = 1
Best regards,
Manuel
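The follow-up question (force users in an OU to change their password at next logon, where writing pwdLastSet = 0 seemed not to work) as an added PowerShell example that is not part of the thread. It shows both the raw pwdLastSet write and the Set-ADUser switch that does the same, skips the accounts on which the flag is rejected, and reads pwdLastSet back to confirm the result. The OU "OU=Users,DC=example,DC=com" is an assumed placeholder.

```powershell
# Added example, not from the thread. Assumes the ActiveDirectory module and an
# account with write access to pwdLastSet on the target users (see the delegation above).
Import-Module ActiveDirectory

function Set-MustChangePasswordAtLogon {
    param(
        [Parameter(Mandatory)][string]$SearchBase,   # OU to process
        [switch]$UsePwdLastSet                       # write the attribute directly
    )

    $users = Get-ADUser -SearchBase $SearchBase -Filter { Enabled -eq $true } `
        -Properties pwdLastSet, PasswordNeverExpires

    foreach ($u in $users) {
        # "Password never expires" and "must change at next logon" are mutually
        # exclusive; Set-ADUser rejects the flag on such accounts, which is one
        # reason a bulk script appears to silently do nothing. Report them instead.
        if ($u.PasswordNeverExpires) {
            Write-Warning "Skipping $($u.SamAccountName): PasswordNeverExpires is set"
            continue
        }
        if ($UsePwdLastSet) {
            # Attribute route: pwdLastSet = 0 is how AD stores "must change at next logon".
            Set-ADUser -Identity $u -Replace @{ pwdLastSet = 0 }
        } else {
            # Cmdlet route: performs the same pwdLastSet write.
            Set-ADUser -Identity $u -ChangePasswordAtLogon $true
        }
    }

    # Verification: pwdLastSet of 0 means the flag took effect.
    Get-ADUser -SearchBase $SearchBase -Filter { Enabled -eq $true } -Properties pwdLastSet |
        Select-Object SamAccountName, @{ n = 'MustChange'; e = { $_.pwdLastSet -eq 0 } }
}

# Assumed OU; run with -UsePwdLastSet to exercise the attribute route instead.
Set-MustChangePasswordAtLogon -SearchBase 'OU=Users,DC=example,DC=com'
```

Either route clears pwdLastSet; if the read-back still shows a non-zero value for an account, check the caller's write permission on pwdLastSet and the PasswordNeverExpires flag before suspecting the script.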