Recommended Posts

Hello all,

 

Here is the situation: We have a Windows 2012 server running Active Directory, which manages the logins for all of our network resources. So far, whenever a new user needs to be added, one of the office staff has to talk to us techies and ask us to add the user(s) for them. We have agreed it would be more convenient for everyone if they had the option to add users themselves. However, we do not want to give the staff the ability to manage EVERY aspect of the server, which is what would happen if we simply made them admins.

 

From what I understand, what we want to do is give these users Remote Desktop access, and then give them fine-grained permissions so that they can manage AD, and only AD. However, I have tried Googling this whole matter, and maybe I am just using the wrong keywords, but I can't find anything that tells me how to do this*. Can someone help me? Alternatively, if this is not how it is done, or if there is a better way, what would it be?

 

*I'm having trouble with the fine-grained permissions part. I have no issue giving staff remote access

 

Thanks for any advice!

Thank you, I will definitely check out the documentation on delegating AD authority.

 

The issue with RSAT that I see: All our windows computers are Windows 7, while our Server runs Windows 2012. From what I understand, this means the RSAT client for Windows 7 will not work with Server 2012, only 2008. Correct?

 

If so, this will still be fine through remote desktop, right?

 

Re: MMC Snap-Ins. Is that a different method entirely, or is it related to something already mentioned, like RSAT?

You could write powershell scripts so those users would only have to enter a username, password and group (group could be 'automated', so people can only add others to their own group)

 

Also MMC snapin, win+r mmc. You can access AD and such like it where local.

  On 06/06/2014 at 17:53, Seizure1990 said:

Thank you, I will definitely check out the documentation on delegating AD authority.

 

The issue with RSAT that I see: All our windows computers are Windows 7, while our Server runs Windows 2012. From what I understand, this means the RSAT client for Windows 7 will not work with Server 2012, only 2008. Correct?

 

If so, this will still be fine through remote desktop, right?

 

Re: MMC Snap-Ins. Is that a different method entirely, or is it related to something already mentioned, like RSAT?

 

If you install RSAT for Windows 7, it should let you manage a 2012 Active Directory without issue.

 

All the Active Directory management tools are snap-ins for MMC, which is the Microsoft Management Console. RSAT will just add the necessary snap-ins and shortcuts for you to the Administrative Tools option in Control Panel.

 

Under no circumstance should you let a user anywhere near the server desktop. It's for IT people only.

Letting departments add users on the fly without it consent or questioning...where do I sign up....let me make 1000 different accounts so that I can gain access to the network.  Hell if someone pays me off I will give them access to whatever they want.  f IT.

 

 

 

Seriously, is this the best course of action?  You will have no control over your environment by allowing departments create accounts.  This is a big no no.  You should have a bigger IT department then to be able to handle add requests. 

  On 06/06/2014 at 18:44, sc302 said:

Letting departments add users on the fly without it consent or questioning...where do I sign up....let me make 1000 different accounts so that I can gain access to the network.  Hell if someone pays me off I will give them access to whatever they want.  f IT.

 

 

 

Seriously, is this the best course of action?  You will have no control over your environment by allowing departments create accounts.  This is a big no no.  You should have a bigger IT department then to be able to handle add requests. 

A) It isn't the whole department, just a couple administrative staff.

 

B) We are a global non-profit, and this is the budget we work with. No full time tech staff (I work as a consultant for them, and show up for 3 to 6 hours a week. Yes, the amount of resources we have is minimal, but it's what we work with.) It was specifically requested that there should be a way for the organization admins to add new staff so they can access the network resources. I don't think that this will end up badly, everyone here is part of this organization because they believe in their work, not for the pay.

 

Anyways, the main point is I'm just carrying out orders, and this is what I was asked to do.

Fair point. Is there a way to set it up so that they can only create users within a certain group? This would actually be preferable, since we have custom user groups and we want all new users to be put into the basic one.

 

Even if there isn't a way though, I don't think this is a serious issue. The staff who will be given the ability to do this are very high up in the organization. They would essentially be f'ing up their own org... and if that's what they choose to do, their business, not mine. I just get payed by the hour to set all this up and fix their issues.

Ok... when I download the RSAT installer, I get an error: "The update is not applicable to your computer"

http://www.microsoft.com/en-us/download/details.aspx?id=7887

 

I made sure to get the x64 bit one. What is the problem? Did I use the right download?

What I would suggest is just do this via web, something like the manage engine AD manager, has help desk delegation where users can be given rights to create/delete/unlock/reset password, etc..

 

There is a free version, since you mention this is a nonprofit I would think you have a pretty small setup and the free should work

 

http://www.manageengine.com/products/ad-manager/

 

This way nothing to install on any user machine..  And just hit a webpage, click a few things - this much easier to understand for non AD admins, etc.

 

I am not sure if the free version allows for help desk users?  Do you have more than 100 users in the domain?  Or plans to go over that?  You could always contact them for nonprofit pricing options, etc.. that might fall to your limited budget?

 

Another option in this line would be

http://www.omniecontrol.com/

 

Their pricing model is based on user..  Gov is like $4 a user..

This topic is now closed to further replies.
  • Posts

    • Display Driver Uninstaller (DDU) 18.1.1.5 by Razvan Serea Display Driver Uninstaller (DDU) is a utility for completely removing AMD/NVIDIA/INTEL graphics drivers and related packages from your system, attempting to eliminate all leftovers (including registry entries, folders and files, driver store). Though AMD/NVIDIA/INTEL drivers can usually be removed via the Windows Control Panel, this uninstaller tool was created for situations where standard uninstall fails, or when you need to fully remove NVIDIA or ATI graphics card drivers. After using this driver cleaner, your system will behave as though it’s the first time you’re installing a new driver—similar to a fresh Windows installation. As with all such tools, we recommend creating a restore point beforehand, allowing you to undo changes if issues arise. If you're having trouble installing an older or newer driver, try it—there are reports that it resolves such problems. Recommended usage: The tool can be used in Normal mode but for absolute stability when using DDU, Safemode is always the best. Make a backup or a system restore (but it should normally be pretty safe). It is best to exclude the DDU folder completely from any security software to avoid issues. You do NOT need to uninstall the driver prior using DDU. Requirements: .NET Framework 4.8 Compatible with Windows 7, 8, 8.1, 10, and 11 (32-bit or 64-bit) Note: Using on Insider Preview builds is at your own risk. Display Driver Uninstaller (DDU) 18.1.1.5 changelog: Intel: Added NPU presence detection before removing shared DLL files (these were previously left to prevent potential NPU-related issues). Intel: Added optional NPU removal Improved "Extension" driver removal process. Updated several translations. Download: Display Driver Uninstaller 18.1.1.5 | 1.7 MB (Freeware) Download: DDU Portable | 1.2 MB Links: Display Driver Uninstaller Home Page | Screenshot | Forum Get alerted to all of our Software updates on Twitter at @NeowinSoftware
    • I just ordered a new MSI X870 board, hasn't even arrived yet. I checked the downloads page, and it has the firmware released on 6/11/2025 including the updated AGESA code.
    • There used to be an independent video game store in West Edmonton Mall around 20 years ago, I'm not sure when it went out of business, but they were selling console & PC games for $70±, I think it was so they could cover their rent!
    • That adverting your referring to can basically be turned off with a few Windows settings. The only advertising I've seen in the last couple of years on Windows 11 is Outlook ads because I don't have a Microsoft 365 subscription. That said, it took me only a couple days to get used to ignoring those ads. I would prefer they weren't there but it's not a big deal.
  • Recent Achievements

    • Explorer
      Legend20 went up a rank
      Explorer
    • One Month Later
      jezzzy earned a badge
      One Month Later
    • First Post
      CSpera earned a badge
      First Post
    • One Month Later
      MIR JOHNNY BLAZE earned a badge
      One Month Later
    • Apprentice
      Wireless wookie went up a rank
      Apprentice
  • Popular Contributors

    1. 1
      +primortal
      635
    2. 2
      ATLien_0
      276
    3. 3
      +FloatingFatMan
      179
    4. 4
      Michael Scrip
      153
    5. 5
      Steven P.
      116
  • Tell a friend

    Love Neowin? Tell a friend!