How to delegate password reset permissions for your IT staff
Thanks to: https://community.spiceworks.com/
One of the strengths of Active Directory, or at least the management part of it, is the capability to delegate permissions to modify various aspects of the directory to your lower privileged users.
To this end, many IT shops grant the capability to reset user passwords to their support desks or managers over certain departments.
Here's how to set up delegation for a group of users to have the capability of setting passwords for another subset of users in a particular OU.
If you don't have an OU structure that is somewhat tidy (i.e. your users aren't arranged in some logical structure), then you may have some problems determining how to properly implement this.
I suggest you take a look at your OU layout and determine what works best for you.
You can check your 'Administrative Tools' group in your Windows Start Menu to determine if you have the icon labeled 'Active Directory Users and Computers'. If so, skip to the next step.
It is recommended to do this from your workstation, so find your specific set of RSAT tools here: https://wiki.samba.org/index.php/Installing_RSAT
*** I realize that is a site for Samba, but they keep a nice, updated, and consolidated list as opposed to Microsoft!
If you want, you can also perform these steps from your Domain Controller.
Open the ADUC, find your domain tree and browse to the topmost level that you wish to apply user permissions (for example, 'Domain users' at my workplace), right-click > 'Delegate Control'.
At the Welcome dialog, click 'Next'.
At the Users or Groups dialog, click the 'Add...' button. You will be prompted to add a user or group to which you will apply delegated rights.
At the Select Users, Computers, or Groups dialog, either type the name of the object (use domain\username or domain\groupname for best results) or click 'Advanced'> 'Find' to locate your resource you wish to apply permissions to.
Once you've selected your resource(s), click 'OK' at the Select Users, Computers, or Groups dialog, then click 'Next' at the Users or Groups dialog.
At the Tasks to Delegate dialog, you can select from a wide assortment of tasks to assign to your users.
***** If you ONLY want to delegate the reset password task ****
Verify that 'Delegate the following common tasks' radio button is ticked and select 'Reset user passwords and force password change at logon' and click the 'Next' button.
Verify that 'Delegate the following common tasks' radio button is ticked and select 'Reset user passwords and force password change at logon' and click the 'Next' button.
Continue to step 4.
**** If you additionally want to delegate the ability to enable/disable user accounts ****
Tic the 'Create a custom task to delegate' radio button and click the 'Next' button.
Tic the 'Create a custom task to delegate' radio button and click the 'Next' button.
Tic the 'Only the following objects in the folder' radio button, and select 'User objects' and click the 'Next' button.
At the 'Permissions' dialog, select the 'General' and 'Property-specific' checkboxes and in the list below, check the following permissions:
Change Password
Reset Password
Read userAccountControl
Write userAccountControl
Reset Password
Read userAccountControl
Write userAccountControl
Click the 'Next' button.
Once you've finished delegating your tasks, you can click the 'Finish' button at the Completing the Delegation of Control Wizard dialog.
Now the users you delegated these tasks to should be able to reset passwords (or perform other actions you specified) on the objects in the OU where you set up the delegated permissions.
Removing permissions that have improperly been applied is not the same process as applying them. You can remove permissions by right-clicking the OU where you applied the delegated permissions > 'Properties'. Click the 'Security' tab.
Click the 'Advanced' button.
You will be brought to the Advanced Security Settings for Domain Users dialog.
In the section marked 'Permission entries', find the group or user you delegated your permissions to. Highlight the object, then click 'Remove'. If you applied your permissions at a higher level in the OU structure, you will not be able to remove them from this level without breaking security inheritance (which I would NOT recommend). Simply go up another level in the OU structure and check the permissions there.
I've found that the best way of doing this (others can comment on this!) is to create a sub-OU under the OU structure you've applied your permissions and then explicitly deny permissions at that level...let's use our Network admins as an example.
In my OU structure, I have an OU called 'IT', then I created a new OU underneath that called 'Network Administrators'.
Right-click the 'Network Administrators' OU> 'Properties', then click the 'Security' tab. Click the 'Advanced' button, then double-click the resource you delegated your permissions to.
You can then deny delegated users of any password changes, etc. by finding the appropriate permission in the 'Permissions' listing and clicking the 'Deny' checkbox for each one respectively.
In this example, Domain Admins still retain the ability to change/reset passwords for our Network Administrator accounts, but the IT Support group (in our example) does not.
Delegating permissions is a very good way to empower your help desk, managers or other power users to help you with some of the IT tedium that can consume your day, making it difficult to concentrate on important or other interesting tasks.
Comentarios
Publicar un comentario
Dime si la información de este blog te sirvio.