I just took over a Windows-based enterprise (server and Win7) and I just found out that some of my "power users" were given full rights as Domain Administrators to perform help desk type operations (i.e. lockouts, password resets, software upgrades).
Is there any way I can give these people access to perform these tasks without giving them full domain privileges with access to Active Directory?
My VM crashed over the weekend so no screenshots. :'( However, I was able to find a site that should help explain how to do this: http://www.windowsecurity.com/articles-tutorials/authentication_and_encryption/Implementing-Active-Directory-Delegation-Administration.html
Yes, you can use the delegation control wizard or modify ACLs for items like account lockouts/resets.
There is also the account operator group.
Are these manual software updates? Do they need to only update software on PCs? You can create a group to have admin rights just on workstations.
Very good idea to take them out of domain admins... good thinking and good work.
Thank you so much...
The only question I have, that I didn't see: can you do that for specific user groups? Or is this an everybody/nobody situation?
Yes, you can grant access based on a group.
If you provide the server version I can get you directions.
Thank you so much.
Windows Server 2008 with AD, Exchange 2010,
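Added example, not part of the original thread: one way to script the group-based delegation discussed above, granting a help-desk group only password-reset and unlock rights on the user objects in a single OU with the built-in `dsacls` tool. The OU distinguished name and the group name are assumed placeholders; run it as an account that can modify permissions on that OU.

```powershell
# Added example: delegate help-desk rights on one OU with dsacls.exe.
# Assumed placeholders (not from the thread): the OU DN and the group name.
$TargetOU      = 'OU=Staff,DC=example,DC=com'   # assumed OU holding the user accounts
$HelpDeskGroup = 'EXAMPLE\HelpDesk-Operators'   # assumed security group for the power users

# Each entry is one ACE: permission bits ; right or attribute ; object type it applies to
$Aces = @(
    'CA;Reset Password;user',   # control access right: reset a user's password
    'RPWP;pwdLastSet;user',     # read/write pwdLastSet: force a change at next logon
    'RPWP;lockoutTime;user'     # read/write lockoutTime: unlock a locked-out account
)

foreach ($ace in $Aces) {
    # /I:S makes the ACE inherit to child objects only; the trailing "user"
    # restricts it to user objects, so computers and groups are unaffected.
    & dsacls.exe $TargetOU /I:S /G "${HelpDeskGroup}:$ace"
    if ($LASTEXITCODE -ne 0) {
        throw "dsacls returned exit code $LASTEXITCODE for ACE '$ace'"
    }
}

# Show the entries that now reference the help-desk group on the OU
& dsacls.exe $TargetOU | Select-String -SimpleMatch $HelpDeskGroup

# List current Domain Admins members (including nested ones) so the
# power users can be identified and removed once the delegation is tested.
dsquery group -name 'Domain Admins' | dsget group -members -expand
```

Accounts that belong to protected groups such as Domain Admins do not inherit these OU permissions (AdminSDHolder resets their ACLs), so the help-desk group will not be able to reset administrator passwords through this delegation.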