Giving users permission to manage Active Directory users

[Seizure1990]

Hello all,

 

Here is the situation: We have a Windows 2012 server running Active Directory, which manages the logins for all of our network resources. So far, whenever a new user needs to be added, one of the office staff has to talk to us techies and ask us to add the user(s) for them. We have agreed it would be more convenient for everyone if they had the option to add users themselves. However, we do not want to give the staff the ability to manage EVERY aspect of the server, which is what would happen if we simply made them admins.

 

From what I understand, what we want to do is give these users Remote Desktop access, and then give them fine-grained permissions so that they can manage AD, and only AD. However, I have tried Googling this whole matter, and maybe I am just using the wrong keywords, but I can't find anything that tells me how to do this*. Can someone help me? Alternatively, if this is not how it is done, or if there is a better way, what would it be?

 

*I'm having trouble with the fine-grained permissions part. I have no issue giving staff remote access

 

Thanks for any advice!

[Zippo7]

Search for "active directory delegated authority" instead and you will find what you are looking for. In addition take a look at RSAT for the desktops of the users who need to manage adding users to avoid having them remote into the server.

[+John Teacake MVC]

You don't even need RDP access. Infact you shouldn't. You use the MMC Snapin. 

[Seizure1990]

Thank you, I will definitely check out the documentation on delegating AD authority.

 

The issue with RSAT that I see: All our windows computers are Windows 7, while our Server runs Windows 2012. From what I understand, this means the RSAT client for Windows 7 will not work with Server 2012, only 2008. Correct?

 

If so, this will still be fine through remote desktop, right?

 

Re: MMC Snap-Ins. Is that a different method entirely, or is it related to something already mentioned, like RSAT?

[ShadowMajestic]

You could write powershell scripts so those users would only have to enter a username, password and group (group could be 'automated', so people can only add others to their own group)

 

Also MMC snapin, win+r mmc. You can access AD and such like it where local.

[ShadowPHP]

  On 06/06/2014 at 17:53, Seizure1990 said:

Thank you, I will definitely check out the documentation on delegating AD authority.

 

The issue with RSAT that I see: All our windows computers are Windows 7, while our Server runs Windows 2012. From what I understand, this means the RSAT client for Windows 7 will not work with Server 2012, only 2008. Correct?

 

If so, this will still be fine through remote desktop, right?

 

Re: MMC Snap-Ins. Is that a different method entirely, or is it related to something already mentioned, like RSAT?

 

If you install RSAT for Windows 7, it should let you manage a 2012 Active Directory without issue.

 

All the Active Directory management tools are snap-ins for MMC, which is the Microsoft Management Console. RSAT will just add the necessary snap-ins and shortcuts for you to the Administrative Tools option in Control Panel.

 

Under no circumstance should you let a user anywhere near the server desktop. It's for IT people only.

[sc302 Veteran]

Letting departments add users on the fly without it consent or questioning...where do I sign up....let me make 1000 different accounts so that I can gain access to the network.  Hell if someone pays me off I will give them access to whatever they want.  f IT.

 

 

 

Seriously, is this the best course of action?  You will have no control over your environment by allowing departments create accounts.  This is a big no no.  You should have a bigger IT department then to be able to handle add requests. 

[Seizure1990]

Thanks for the help and clarification everyone. I guess I will be testing an RSAT install on my laptop and going from there.

[Seizure1990]

  On 06/06/2014 at 18:44, sc302 said:

Letting departments add users on the fly without it consent or questioning...where do I sign up....let me make 1000 different accounts so that I can gain access to the network.  Hell if someone pays me off I will give them access to whatever they want.  f IT.

 

 

 

Seriously, is this the best course of action?  You will have no control over your environment by allowing departments create accounts.  This is a big no no.  You should have a bigger IT department then to be able to handle add requests. 

A) It isn't the whole department, just a couple administrative staff.

 

B) We are a global non-profit, and this is the budget we work with. No full time tech staff (I work as a consultant for them, and show up for 3 to 6 hours a week. Yes, the amount of resources we have is minimal, but it's what we work with.) It was specifically requested that there should be a way for the organization admins to add new staff so they can access the network resources. I don't think that this will end up badly, everyone here is part of this organization because they believe in their work, not for the pay.

 

Anyways, the main point is I'm just carrying out orders, and this is what I was asked to do.

[technord]

You need to be very careful

 

What's to stop them creating an admin user, then using that account to login with?

[Seizure1990]

Fair point. Is there a way to set it up so that they can only create users within a certain group? This would actually be preferable, since we have custom user groups and we want all new users to be put into the basic one.

 

Even if there isn't a way though, I don't think this is a serious issue. The staff who will be given the ability to do this are very high up in the organization. They would essentially be f'ing up their own org... and if that's what they choose to do, their business, not mine. I just get payed by the hour to set all this up and fix their issues.

[Seizure1990]

Ok... when I download the RSAT installer, I get an error: "The update is not applicable to your computer"

http://www.microsoft.com/en-us/download/details.aspx?id=7887

 

I made sure to get the x64 bit one. What is the problem? Did I use the right download?

[+BudMan MVC]

What I would suggest is just do this via web, something like the manage engine AD manager, has help desk delegation where users can be given rights to create/delete/unlock/reset password, etc..

 

There is a free version, since you mention this is a nonprofit I would think you have a pretty small setup and the free should work

 

http://www.manageengine.com/products/ad-manager/

 

This way nothing to install on any user machine..  And just hit a webpage, click a few things - this much easier to understand for non AD admins, etc.

 

I am not sure if the free version allows for help desk users?  Do you have more than 100 users in the domain?  Or plans to go over that?  You could always contact them for nonprofit pricing options, etc.. that might fall to your limited budget?

 

Another option in this line would be

http://www.omniecontrol.com/

 

Their pricing model is based on user..  Gov is like $4 a user..

[Dashel]

Those look similar to what I'm looking for in the thread below.  Do you have any experience with their ADSelfService Plus Bud?

[+BudMan MVC]

what thread, don't see any thread below?

I have a bit of experience with a few of their products. Have not used the self service in a few revisions back..

[Seizure1990]

Thanks for the lead BudMan! I will definitely be checking out that web management software. So long as it gives users the ability to manage AD without exposing the rest of the server functionality, this is perfect.

[Praetor]

i have used the manage engine ad tools and they are great. having said that giving non it folks access to a server is a no no.