Active Directory management

  • Question

  • Is it possible to create a user on Windows Server 2003 Standard Edition x86 who can manage user accounts in Active Directory and log on to the server machine, without being the Administrator?

    If so, how do I proceed?

    If not, which OS can do it?

    Tuesday, June 26, 2012 12:01

Answers

  • Good morning. You can use Delegate Control to delegate administrative tasks to other users who are not domain administrators.

    Here is a step-by-step guide that may help you understand this task! Note: the step-by-step guide is in English.

    Implementing Delegation of Administration

    When you sit down to implement delegation of administration, you first need to decide on which actions you want to delegate out. Microsoft continues to add specific tasks for you to easily set up. These tasks are common tasks that most companies need to delegate out, regardless of the size of the organization. The benefit of having this prebuilt list of tasks is that you can mask the actual permissions that need to be set on the OUs.

    To understand how the delegation of administration can be set, let’s look at a step-by-step on how to establish the delegation of administration that we just looked at for the resetting of passwords. The structure of OUs is shown in Figure 1.


    Figure 1: Active Directory structure of organizational units

    To establish the delegation of administration for the IT users to reset passwords for all employees in all departments, you need to create a group for this as a best practice. I have created a group named ITResetPasswords and placed all of the IT users that need this capability in this group. From here, you need to right click on the Departments OU and select the Delegate Control menu option, as shown in Figure 2.


    Figure 2: Delegate Control menu option establishes the delegation of administration for that OU

    The delegation wizard will ask you the following questions:

    1. The group that you want to give the abilities to (see Figure 3)
    2. The task that you want to delegate (see Figure 4)


    Figure 3: You need to select which groups will have the ability to perform the task


    Figure 4: You need to select which tasks the groups will be able to perform

    After you select these two options and finish up the wizard, it appears as if nothing really happens. However, what has happened is really quite significant, considering the abundance of permissions that exist for a single OU. There are over 10,000 individual permissions that can be set for a single OU. This one delegation sets only 3 individual permissions, as shown in Figures 5 and 6.


    Figure 5: Permissions set to reset password for user accounts under the OU


    Figure 6: Permissions allowing user to force users to change password next time password is used

    You can see by the size of the scroll bars in both Figures above that there are numerous permissions to choose from. The wizard masks this complexity by setting the correct permissions for you.

    For you to configure permission for the HRResetPasswords group, which targets only the user accounts in the HRUsers OU, you need to follow the same steps. First, add the appropriate users to the HRResetPasswords group. Second, use the Delegate Control menu option at the HRUsers OU, configuring the group and task that delegates the resetting of passwords. Finally, inform the users in the group that they can now reset passwords for all users in this OU.

    Designing for Delegation of Administration

    From the example above, you can see that the delegation of administration is not all that hard to implement. I also hope you realize that the design of your Active Directory structure, especially considering the OU design, is the key. When you consider your design of Active Directory and OUs, you really only need to consider two primary design goals:

    • Delegation of Administration
    • Deployment of Group Policy

    Beyond these two design criteria, it typically falls into a political realm. When you consider how you want to design your OUs for delegation of administration, you first need to take a step back and evaluate how you “would like” to administer objects in Active Directory. Here are some questions you need to ask regarding your administrators and helpdesk:

    1. Are users centralized in one location or distributed in different offices?
    2. Are there administrators/helpdesk staff just at corporate headquarters, or at every office?
    3. Are there some administrators/helpdesk staff that control just a single department or two, or do all administrators handle all departments?
    4. Do some administrators/helpdesk staff handle user accounts while others handle computer accounts?
    5. Do you want managers of departments to control membership in their own groups instead of calling you to manage these group members?
    6. Do you want managers of departments to control resetting passwords for users in their department instead of having those users call your staff?

    Based on the answers to these questions, you can start to develop the OU design for delegation of administration. Meanwhile, you will need to consider how Group Policy will be deployed too. There might be some areas where you have a conflict between how the OUs should look for delegation of administration compared to Group Policy deployment. In these cases, you should lean the OU design to the delegation of administration, since it is not very flexible. Group Policy natively is somewhat flexible with filtering of the policies, but using a tool like PolicyMaker can even make your Group Policy deployment more flexible.

     

    Source of this post

    http://www.windowsecurity.com/articles/Implementing-Active-Directory-Delegation-Administration.html


    Renne Augusto Baraçal Cardoso

    • Marked as answer by Richard Juhasz Friday, June 29, 2012 17:23
    Tuesday, June 26, 2012 12:08
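
The password-reset delegation described in the answer above can also be granted and reviewed from the command line. This is an added example, not part of the original post or the quoted article: the domain (`DC=example,DC=com`, NetBIOS name `EXAMPLE`) is a placeholder, the position of the HRUsers OU under Departments is an assumption, and `dsacls.exe` comes from the Windows Server 2003 Support Tools.

```powershell
# Added example. Placeholder values: adjust the domain and OU paths to the real tree.
$DomainDN = 'DC=example,DC=com'   # assumption, not from the post
$NetBIOS  = 'EXAMPLE'             # assumption, not from the post

# One entry per delegation named in the article: group -> OU it may act on.
$Delegations = @(
    @{ OU = "OU=Departments,$DomainDN";            Group = "$NetBIOS\ITResetPasswords" },
    @{ OU = "OU=HRUsers,OU=Departments,$DomainDN"; Group = "$NetBIOS\HRResetPasswords" }
)

foreach ($d in $Delegations) {
    Write-Host "Delegating password reset on $($d.OU) to $($d.Group)"

    # /I:S  -> the ACE applies to child objects only, not to the OU itself.
    # The trailing ";user" restricts it to user objects.
    # CA;Reset Password -> the "Reset Password" extended right (1 permission).
    & dsacls.exe $d.OU /I:S /G "$($d.Group):CA;Reset Password;user"

    # RPWP;pwdLastSet -> read and write pwdLastSet (2 permissions), which is
    # what lets the group force "user must change password at next logon".
    & dsacls.exe $d.OU /I:S /G "$($d.Group):RPWP;pwdLastSet;user"

    # Review step: list every ACE on the OU that names the delegated group,
    # so anything beyond the three permissions above stands out.
    Write-Host "ACEs for $($d.Group) on $($d.OU):"
    & dsacls.exe $d.OU | Select-String -SimpleMatch $d.Group
}
```

Run it as a domain administrator. The review listing for each OU is the place to confirm that the group holds nothing beyond Reset Password and read/write on pwdLastSet.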
  • See the link below:

    http://technet.microsoft.com/pt-br/library/cc785165%28v=ws.10%29


    MCP-W2K3/MCDST/MCSA/MCTS IF THE ANSWER IS USEFUL, RATE IT!

    • Marked as answer by Richard Juhasz Friday, June 29, 2012 17:23
    Tuesday, June 26, 2012 12:38

All Replies

  • OK! But what about the issue of this user logging on to the server machine??? Don't forget he must not be able to make any changes to the server settings, only change passwords and create users, except for the Administrator!!!

    Tuesday, June 26, 2012 12:28