none
Delegate permissins to some users

    Question

  • Hello,

    I have some users in my domain which I need to only grant them a few rights:

    1-Reset passwords

    2- Move users to a different OU when needed.

    3- Install software on workstations.

    I tried this by making the users "Account operators", but it didn't work.

    I am also looking at the "Delegate permissions" wizard but I don't know whether I can achieve it through such wizard. It seems to grant only one set of permissions.

    Thanks in advance!


    Luis Olías.


    • Edited by Luis O.J Monday, March 6, 2017 8:54 PM
    Monday, March 6, 2017 8:53 PM

Answers

  • Hi

    1- Check this article to step-by-step; https://community.spiceworks.com/how_to/1464-how-to-delegate-password-reset-permissions-for-your-it-staff

    2- Check the article; https://social.technet.microsoft.com/wiki/contents/articles/20747.delegate-moving-user-group-and-computer-accounts-between-organizational-units-in-active-directory.aspx

    3- For this this scecific user needs to be member of local admins groups on computers,so you can configure "restricted Group" policy to add spec.users to computers local admins group.

    https://social.technet.microsoft.com/wiki/contents/articles/20402.active-directory-group-policy-restricted-groups.aspx


    This posting is provided AS IS with no warranties or guarantees,and confers no rights. Best regards Burak Uğur

    • Marked as answer by Luis O.J Monday, March 6, 2017 10:25 PM
    Monday, March 6, 2017 9:27 PM

All replies

  • Hi

    1- Check this article to step-by-step; https://community.spiceworks.com/how_to/1464-how-to-delegate-password-reset-permissions-for-your-it-staff

    2- Check the article; https://social.technet.microsoft.com/wiki/contents/articles/20747.delegate-moving-user-group-and-computer-accounts-between-organizational-units-in-active-directory.aspx

    3- For this this scecific user needs to be member of local admins groups on computers,so you can configure "restricted Group" policy to add spec.users to computers local admins group.

    https://social.technet.microsoft.com/wiki/contents/articles/20402.active-directory-group-policy-restricted-groups.aspx


    This posting is provided AS IS with no warranties or guarantees,and confers no rights. Best regards Burak Uğur

    • Marked as answer by Luis O.J Monday, March 6, 2017 10:25 PM
    Monday, March 6, 2017 9:27 PM
  • Thanks Burak!

    Now it is very late in here (Spain, 23:26 p.m) but I will go over all those links as soon as the sun goes up.

    Many thanks!


    Luis Olías.

    Monday, March 6, 2017 10:26 PM
  • Thanks again Burak.

    I am configuring Restricted Groups but I have a question:

    Once I add a group, a new screen pops up asking me to which groups it belongs to, but in the tab "Member of", of that group , there is already a group, why does it not take it from there?

    I mean:

    The group I am including in the Restricted group is called in my case "Helpdesk" , and this group is member of "Domain Users" in AD.

    So, why is this GPO setting (Restricted Groups) asking me which group is "Helpdesk" member of ?


    Luis Olías.




    • Edited by Luis O.J Wednesday, March 8, 2017 8:01 AM
    Wednesday, March 8, 2017 7:57 AM
  • Hi

     You should select "The group is member of" then add helpdesk groups,that's mean The existing group members will not be touched – it simply adds "helpdesk group" group.

    "Helpdesk" , and this group is member of "Domain Users" in AD. >>>> Check the members of help desk group,if some account wrongs just remove accounts from help desk.


    This posting is provided AS IS with no warranties or guarantees,and confers no rights. Best regards Burak Uğur

    Wednesday, March 8, 2017 3:56 PM
  • I see, many thanks! . I did it and worked! :)

    Luis Olías.

    Wednesday, March 8, 2017 10:31 PM