Giving users permission to manage Active Directory users

windows 2012 active directory permissions users

16 replies to this topic

#1 Seizure1990

Seizure1990

    Neowinian Senior

  • Joined: 17-February 08
  • Location: NYC

Posted 06 June 2014 - 17:19

Hello all,

 

Here is the situation: We have a Windows 2012 server running Active Directory, which manages the logins for all of our network resources. So far, whenever a new user needs to be added, one of the office staff has to talk to us techies and ask us to add the user(s) for them. We have agreed it would be more convenient for everyone if they had the option to add users themselves. However, we do not want to give the staff the ability to manage EVERY aspect of the server, which is what would happen if we simply made them admins.

 

From what I understand, what we want to do is give these users Remote Desktop access, and then give them fine-grained permissions so that they can manage AD, and only AD. However, I have tried Googling this whole matter, and maybe I am just using the wrong keywords, but I can't find anything that tells me how to do this*. Can someone help me? Alternatively, if this is not how it is done, or if there is a better way, what would it be?

 

*I'm having trouble with the fine-grained permissions part. I have no issue giving staff remote access.

 

Thanks for any advice!




#2 Zippo7

Zippo7

    Neowinian

  • Joined: 17-November 09

Posted 06 June 2014 - 17:42

Search for "active directory delegated authority" instead and you will find what you are looking for. In addition take a look at RSAT for the desktops of the users who need to manage adding users to avoid having them remote into the server.
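The "delegated authority" Zippo7 points at is an ACL on an organizational unit: the office staff's group gets the right to create, delete and edit user objects under that one OU and nothing else, which is what the Delegation of Control wizard writes for you. The following script is an added example, not code from this thread, and does the same thing from the ActiveDirectory module that RSAT installs so the grant can be reviewed and re-applied; the OU "OU=Staff,DC=example,DC=org" and the group "AccountManagers" are assumed names.

```powershell
# Added example (not from the thread): delegate user management on ONE OU to a
# security group, using the ActiveDirectory module that RSAT installs.
# Assumptions: OU "OU=Staff,DC=example,DC=org" and group "AccountManagers".
Import-Module ActiveDirectory

$TargetOU  = "OU=Staff,DC=example,DC=org"   # assumption: the OU the staff may manage
$GroupName = "AccountManagers"              # assumption: group holding the office staff

# Resolve the group's SID and the schema GUID of the 'user' class (looked up, not hard-coded).
$groupSid = (Get-ADGroup -Identity $GroupName).SID
$schemaNC = (Get-ADRootDSE).schemaNamingContext
$userClassGuid = [guid](Get-ADObject -SearchBase $schemaNC `
    -Filter "lDAPDisplayName -eq 'user'" -Properties schemaIDGUID).schemaIDGUID

$acl = Get-Acl -Path "AD:\$TargetOU"

# ACE 1: create and delete child objects of class 'user' in this OU (and its sub-OUs).
$createDelete = New-Object -TypeName System.DirectoryServices.ActiveDirectoryAccessRule -ArgumentList @(
    $groupSid,
    [System.DirectoryServices.ActiveDirectoryRights]"CreateChild, DeleteChild",
    [System.Security.AccessControl.AccessControlType]::Allow,
    $userClassGuid,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All
)

# ACE 2: full control over existing 'user' objects below the OU (reset password, edit
# attributes, unlock). Scoped to the user class only, so OUs, groups and computers are untouched.
$manageUsers = New-Object -TypeName System.DirectoryServices.ActiveDirectoryAccessRule -ArgumentList @(
    $groupSid,
    [System.DirectoryServices.ActiveDirectoryRights]::GenericAll,
    [System.Security.AccessControl.AccessControlType]::Allow,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents,
    $userClassGuid
)

$acl.AddAccessRule($createDelete)
$acl.AddAccessRule($manageUsers)
Set-Acl -Path "AD:\$TargetOU" -AclObject $acl

# Verify: show only the ACEs that now apply to the delegated group.
(Get-Acl -Path "AD:\$TargetOU").Access |
    Where-Object { $_.IdentityReference.Value -like "*\$GroupName" } |
    Format-Table IdentityReference, ActiveDirectoryRights, AccessControlType,
                 InheritanceType, ObjectType, InheritedObjectType -AutoSize
```

Two things follow from the scope of these ACEs. The delegated group can manage accounts in that OU only, so it gains no right to touch Domain Admins or any other group that lives elsewhere; and because ACE 2 allows password resets on every user object under the OU, admin accounts should not be parked in the delegated OU. Re-run the last command after any change to confirm nothing wider than the two rules above has crept in.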



#3 +ChuckFinley

ChuckFinley

    member_id=28229

  • Joined: 14-May 03

Posted 06 June 2014 - 17:46

You don't even need RDP access. In fact you shouldn't. You use the MMC Snap-in.



#4 OP Seizure1990

Seizure1990

    Neowinian Senior

  • Joined: 17-February 08
  • Location: NYC

Posted 06 June 2014 - 17:53

Thank you, I will definitely check out the documentation on delegating AD authority.

 

The issue with RSAT that I see: All our Windows computers are Windows 7, while our server runs Windows 2012. From what I understand, this means the RSAT client for Windows 7 will not work with Server 2012, only 2008. Correct?

 

If so, this will still be fine through remote desktop, right?

 

Re: MMC Snap-Ins. Is that a different method entirely, or is it related to something already mentioned, like RSAT?



#5 ShadowMajestic

ShadowMajestic

    Neowinian Senior

  • Joined: 16-April 10
  • Location: Netherlands
  • OS: Windows 8 Pro 64bit
  • Phone: Nokia Lumia 920

Posted 06 June 2014 - 18:27

You could write PowerShell scripts so those users would only have to enter a username, password and group (group could be 'automated', so people can only add others to their own group).

 

Also MMC snap-in: Win+R, mmc. You can access AD and such like it were local.



#6 ShadowPHP

ShadowPHP

    php c0der

  • Joined: 12-May 05
  • Location: GREAT Britain

Posted 06 June 2014 - 18:35

Thank you, I will definitely check out the documentation on delegating AD authority.

 

The issue with RSAT that I see: All our Windows computers are Windows 7, while our server runs Windows 2012. From what I understand, this means the RSAT client for Windows 7 will not work with Server 2012, only 2008. Correct?

 

If so, this will still be fine through remote desktop, right?

 

Re: MMC Snap-Ins. Is that a different method entirely, or is it related to something already mentioned, like RSAT?

 

If you install RSAT for Windows 7, it should let you manage a 2012 Active Directory without issue.

 

All the Active Directory management tools are snap-ins for MMC, which is the Microsoft Management Console. RSAT will just add the necessary snap-ins and shortcuts for you to the Administrative Tools option in Control Panel.

 

Under no circumstance should you let a user anywhere near the server desktop. It's for IT people only.



#7 sc302

sc302

    Neowinian Senior

  • Tech Issues Solved: 25
  • Joined: 12-July 05
  • Location: NJ, USA

Posted 06 June 2014 - 18:44

Letting departments add users on the fly without IT consent or questioning... where do I sign up... let me make 1000 different accounts so that I can gain access to the network. Hell, if someone pays me off I will give them access to whatever they want. f IT.

 

 

 

Seriously, is this the best course of action? You will have no control over your environment by allowing departments to create accounts. This is a big no-no. You should have a bigger IT department then to be able to handle add requests.



#8 OP Seizure1990

Seizure1990

    Neowinian Senior

  • Joined: 17-February 08
  • Location: NYC

Posted 06 June 2014 - 18:45

Thanks for the help and clarification everyone. I guess I will be testing an RSAT install on my laptop and going from there.



#9 OP Seizure1990

Seizure1990

    Neowinian Senior

  • Joined: 17-February 08
  • Location: NYC

Posted 06 June 2014 - 18:51

Letting departments add users on the fly without IT consent or questioning... where do I sign up... let me make 1000 different accounts so that I can gain access to the network. Hell, if someone pays me off I will give them access to whatever they want. f IT.

 

 

 

Seriously, is this the best course of action? You will have no control over your environment by allowing departments to create accounts. This is a big no-no. You should have a bigger IT department then to be able to handle add requests.

A) It isn't the whole department, just a couple administrative staff.

 

B) We are a global non-profit, and this is the budget we work with. No full time tech staff (I work as a consultant for them, and show up for 3 to 6 hours a week. Yes, the amount of resources we have is minimal, but it's what we work with.) It was specifically requested that there should be a way for the organization admins to add new staff so they can access the network resources. I don't think that this will end up badly, everyone here is part of this organization because they believe in their work, not for the pay.

 

Anyways, the main point is I'm just carrying out orders, and this is what I was asked to do.



#10 glen8

glen8

    Neowinian

  • Joined: 16-August 02

Posted 06 June 2014 - 18:52

You need to be very careful

 

What's to stop them creating an admin user, then using that account to login with?



#11 OP Seizure1990

Seizure1990

    Neowinian Senior

  • Joined: 17-February 08
  • Location: NYC

Posted 06 June 2014 - 19:11

Fair point. Is there a way to set it up so that they can only create users within a certain group? This would actually be preferable, since we have custom user groups and we want all new users to be put into the basic one.

 

Even if there isn't a way though, I don't think this is a serious issue. The staff who will be given the ability to do this are very high up in the organization. They would essentially be f'ing up their own org... and if that's what they choose to do, their business, not mine. I just get paid by the hour to set all this up and fix their issues.
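ShadowMajestic's script idea (post #5) and the question above about restricting new accounts to one group fit together: the ACL on the OU is what actually limits what delegated staff can do, and a fixed-shape script on top of it makes the routine case (new account, basic group, nothing else) hard to get wrong. The script below is an added example, not code from this thread. It assumes the OU "OU=Staff,DC=example,DC=org", the group "Basic Users" and the UPN suffix "example.org", and it assumes the delegated group has been granted create-user rights on that OU plus write access to the member attribute of that one group. It deliberately has no parameter for the OU or the group, and because the delegated group has no write access to the member attribute of Domain Admins or any other privileged group, an account it creates cannot be promoted, which is the answer to glen8's concern.

```powershell
# Added example (not from the thread): a fixed-shape "new staff account" script for
# delegated office staff. They supply a name and an initial password; the OU and the
# group are fixed here, so a new account can only ever land in the basic users group.
# Assumptions: OU "OU=Staff,DC=example,DC=org", group "Basic Users", UPN suffix "example.org".
param(
    [Parameter(Mandatory = $true)][string]$GivenName,
    [Parameter(Mandatory = $true)][string]$Surname,
    [Parameter(Mandatory = $true)][System.Security.SecureString]$InitialPassword
)
Import-Module ActiveDirectory

$TargetOU   = "OU=Staff,DC=example,DC=org"   # assumption: the delegated OU
$BasicGroup = "Basic Users"                  # assumption: the only group this script touches
$UpnSuffix  = "example.org"                  # assumption: the domain's UPN suffix

# Refuse anything but plain letters so the logon name is predictable and no LDAP
# filter or DN characters are smuggled in through the name fields.
if ($GivenName -notmatch '^[A-Za-z]+$' -or $Surname -notmatch '^[A-Za-z]+$') {
    throw "Names must contain letters only."
}

# First initial + surname, lower-cased, capped at the 20-character sAMAccountName limit.
$sam = ($GivenName.Substring(0, 1) + $Surname).ToLower()
if ($sam.Length -gt 20) { $sam = $sam.Substring(0, 20) }

# Do not silently reuse or overwrite an existing logon name.
if (Get-ADUser -Filter "sAMAccountName -eq '$sam'") {
    throw "Account '$sam' already exists; ask IT to resolve the clash."
}

# Create the account in the fixed OU, enabled, with a password change forced at first logon.
New-ADUser -Name "$GivenName $Surname" -GivenName $GivenName -Surname $Surname `
    -SamAccountName $sam -UserPrincipalName "$sam@$UpnSuffix" `
    -Path $TargetOU -AccountPassword $InitialPassword `
    -ChangePasswordAtLogon $true -Enabled $true

# The one and only group membership this script can grant.
Add-ADGroupMember -Identity $BasicGroup -Members $sam

# Read the result back so the operator sees exactly where the account landed.
Get-ADUser -Identity $sam -Properties MemberOf |
    Select-Object SamAccountName, Enabled, DistinguishedName, MemberOf
```

Run it as `.\New-StaffAccount.ps1 -GivenName Jane -Surname Doe`; PowerShell prompts for the SecureString password with masked input. The script is a convenience, not the security boundary: if a delegated user bypasses it and opens the Users and Computers snap-in, the OU ACL still confines them to the same OU, and they still cannot add anyone to a group they lack write-member rights on. New-ADUser and Add-ADGroupMember are logged on the domain controller like any other directory change, so the created accounts can be audited later.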



#12 OP Seizure1990

Seizure1990

    Neowinian Senior

  • Joined: 17-February 08
  • Location: NYC

Posted 06 June 2014 - 19:17

Ok... when I download the RSAT installer, I get an error: "The update is not applicable to your computer"

http://www.microsoft...ls.aspx?id=7887

 

I made sure to get the x64 bit one. What is the problem? Did I use the right download?



#13 +BudMan

BudMan

    Neowinian Senior

  • Tech Issues Solved: 89
  • Joined: 04-July 02
  • Location: Schaumburg, IL
  • OS: Win7, Vista, 2k3, 2k8, XP, Linux, FreeBSD, OSX, etc. etc.

Posted 07 June 2014 - 13:59

What I would suggest is just do this via web, something like the manage engine AD manager, has help desk delegation where users can be given rights to create/delete/unlock/reset password, etc..

 

There is a free version, since you mention this is a nonprofit I would think you have a pretty small setup and the free should work

 

http://www.manageeng...cts/ad-manager/

 

This way there is nothing to install on any user machine. Just hit a webpage, click a few things; this is much easier to understand for non-AD admins, etc.

 

I am not sure if the free version allows for help desk users?  Do you have more than 100 users in the domain?  Or plans to go over that?  You could always contact them for nonprofit pricing options, etc.. that might fall to your limited budget?

 

Another option in this line would be

http://www.omniecontrol.com/

 

Their pricing model is based on user..  Gov is like $4 a user..



#14 Dashel

Dashel

    Disgustipator

  • Joined: 03-December 01
  • Location: USA

Posted 09 June 2014 - 15:14

Those look similar to what I'm looking for in the thread below.  Do you have any experience with their ADSelfService Plus Bud?



#15 +BudMan

BudMan

    Neowinian Senior

  • Tech Issues Solved: 89
  • Joined: 04-July 02
  • Location: Schaumburg, IL
  • OS: Win7, Vista, 2k3, 2k8, XP, Linux, FreeBSD, OSX, etc. etc.

Posted 09 June 2014 - 17:15

What thread? Don't see any thread below.

I have a bit of experience with a few of their products. Have not used the self service in a few revisions back..