none
Authenticate a group on Active Directory RRS feed

  • Question

  • Hi there, could someone tell me what is probably obvious to everyone else here, but alas I'm just learning.  I have some users that I've placed into a group container and have delegated them permissions to edit user's account details.  I want the group in charge to be able to log onto directory services, but the only way that they can get them access, is for me at the least, is to allow them to log in as members of the print operator built-in group.  This is fine, as they can only add printers, but is there a better way as I don't want them to be able to do anything except edit certain information in the user's account details.

    Thank you

    Friday, October 7, 2011 5:34 AM

Answers

  • Delegation is the way to go to allow limited access to users.

    Below article will help you to delegate user on print server.

    http://blogs.technet.com/b/askperf/archive/2010/03/19/delegating-printer-management-tasks-in-windows-server-2003.aspx

    http://blogs.technet.com/b/askperf/archive/2009/10/07/windows-7-windows-server-2008-r2-pmc-enhancements.aspx

    http://technet.microsoft.com/en-us/library/ee524015%28WS.10%29.aspx

    http://support.microsoft.com/kb/555986

     

    Regards  


    Awinish Vishwakarma

    MY BLOG:  awinish.wordpress.com


    This posting is provided AS-IS with no warranties/guarantees and confers no rights.
    • Proposed as answer by bshwjt Friday, October 7, 2011 9:48 AM
    • Marked as answer by Elytis ChengModerator Thursday, October 13, 2011 12:57 AM
    Friday, October 7, 2011 8:38 AM
    Moderator
  • Hello,

    Hi there, could someone tell me what is probably obvious to everyone else here, but alas I'm just learning.  I have some users that I've placed into a group container and have delegated them permissions to edit user's account details.

    Here you created an Organizational Unit and delegate control on it to a group.

    I want the group in charge to be able to log onto directory services

    A group does not authenticate itself. A group is identified by an SID and members of this group are able to authenticated using your DCs.

    but the only way that they can get them access, is for me at the least, is to allow them to log in as members of the print operator built-in group.

    No. There is no need for that.

    Print Operators is a group for managing network printers.

    This is fine, as they can only add printers, but is there a better way as I don't want them to be able to do anything except edit certain information in the user's account details.

    Then add then to the Print Operators group and delegate them ONLY editing users' accounts properties on the wanted Organization Units.

    Like that they want have admin privileges on your other domain ressources.

     


    This posting is provided "AS IS" with no warranties or guarantees , and confers no rights.

    Microsoft Student Partner 2010 / 2011
    Microsoft Certified Professional
    Microsoft Certified Systems Administrator: Security
    Microsoft Certified Systems Engineer: Security
    Microsoft Certified Technology Specialist: Windows Server 2008 Active Directory, Configuration
    Microsoft Certified Technology Specialist: Windows Server 2008 Network Infrastructure, Configuration
    Microsoft Certified Technology Specialist: Windows Server 2008 Applications Infrastructure, Configuration
    Microsoft Certified Technology Specialist: Windows 7, Configuring
    Microsoft Certified IT Professional: Enterprise Administrator
    Microsoft Certified IT Professional: Server Administrator
    Microsoft Certified Trainer 

    • Proposed as answer by bshwjt Friday, October 7, 2011 9:48 AM
    • Marked as answer by Elytis ChengModerator Thursday, October 13, 2011 12:57 AM
    Friday, October 7, 2011 6:45 AM

All replies

  • Hello,

    Hi there, could someone tell me what is probably obvious to everyone else here, but alas I'm just learning.  I have some users that I've placed into a group container and have delegated them permissions to edit user's account details.

    Here you created an Organizational Unit and delegate control on it to a group.

    I want the group in charge to be able to log onto directory services

    A group does not authenticate itself. A group is identified by an SID and members of this group are able to authenticated using your DCs.

    but the only way that they can get them access, is for me at the least, is to allow them to log in as members of the print operator built-in group.

    No. There is no need for that.

    Print Operators is a group for managing network printers.

    This is fine, as they can only add printers, but is there a better way as I don't want them to be able to do anything except edit certain information in the user's account details.

    Then add then to the Print Operators group and delegate them ONLY editing users' accounts properties on the wanted Organization Units.

    Like that they want have admin privileges on your other domain ressources.

     


    This posting is provided "AS IS" with no warranties or guarantees , and confers no rights.

    Microsoft Student Partner 2010 / 2011
    Microsoft Certified Professional
    Microsoft Certified Systems Administrator: Security
    Microsoft Certified Systems Engineer: Security
    Microsoft Certified Technology Specialist: Windows Server 2008 Active Directory, Configuration
    Microsoft Certified Technology Specialist: Windows Server 2008 Network Infrastructure, Configuration
    Microsoft Certified Technology Specialist: Windows Server 2008 Applications Infrastructure, Configuration
    Microsoft Certified Technology Specialist: Windows 7, Configuring
    Microsoft Certified IT Professional: Enterprise Administrator
    Microsoft Certified IT Professional: Server Administrator
    Microsoft Certified Trainer 

    • Proposed as answer by bshwjt Friday, October 7, 2011 9:48 AM
    • Marked as answer by Elytis ChengModerator Thursday, October 13, 2011 12:57 AM
    Friday, October 7, 2011 6:45 AM
  • Delegation is the way to go to allow limited access to users.

    Below article will help you to delegate user on print server.

    http://blogs.technet.com/b/askperf/archive/2010/03/19/delegating-printer-management-tasks-in-windows-server-2003.aspx

    http://blogs.technet.com/b/askperf/archive/2009/10/07/windows-7-windows-server-2008-r2-pmc-enhancements.aspx

    http://technet.microsoft.com/en-us/library/ee524015%28WS.10%29.aspx

    http://support.microsoft.com/kb/555986

     

    Regards  


    Awinish Vishwakarma

    MY BLOG:  awinish.wordpress.com


    This posting is provided AS-IS with no warranties/guarantees and confers no rights.
    • Proposed as answer by bshwjt Friday, October 7, 2011 9:48 AM
    • Marked as answer by Elytis ChengModerator Thursday, October 13, 2011 12:57 AM
    Friday, October 7, 2011 8:38 AM
    Moderator