
User hierarchy for AD


  • User hierarchy for AD

    Hi,

    We are using Windows Server 2012; the Hyper-V role is installed. We have created an AD server inside it.

    Now, we are planning to add one more administrator account, so that he can manage some of the tasks while the original administrator is not there. So, is it possible to create a similar user with administrator privileges, but one who will not be able to change the original administrator user's password?

    What are the best suggestions in this scenario?

    Thanks,

  • #2

    No - a domain administrator can change other domain admins' passwords. You will have to look into user rights or AD delegation of control and give the abilities you want.
    Tom Jones
    MCT, MCSE (2000:Security & 2003), MCSA:Security & Messaging, MCDBA, MCDST, MCITP(EA, EMA, SA, EDA, ES, CS), MCTS, MCP, Sec+
    PhD, MSc, FIAP, MIITT
    IT Trainer / Consultant
    Ossian Ltd
    Scotland

    ** Remember to give credit where credit is due and leave reputation points where appropriate **


    • #3

      Hi,

      Thanks for your quick reply...

      Can you please elaborate more on AD delegation of control and how to implement it?

      Thanks..


      • #4

        https://www.google.com/search?btnG=1...rol&gws_rd=ssl
        Do a bit of reading and let us know if you have questions.
        Regards,
        Jeremy

        Network Consultant/Engineer
        Baltimore - Washington area and beyond
        www.gma-cpa.com


        • #5

          Hi,

          I need to have one more account in my DC, and he can perform the operations mentioned below.

          1. He can join the systems and servers to a DC.
          2. He can create folder sharing for some users.
          3. He must not be able to change the password for any of the user accounts in AD, or at least cannot change the password for the Administrator account, so that an administrator always has the power to log in to the server and even remove the junior admin account at any time.

          Thanks,


          • #6

            Originally posted by kathy:
            ...
            3. He must not be able to change the password for any of the user accounts in AD, or at least cannot change the password for the Administrator account, so that an administrator always has the power to log in to the server and even remove the junior admin account at any time.

            Thanks,
            This Spiceworks post may be useful. The last section specifically answers Q3:
            http://community.spiceworks.com/how_...-your-it-staff
            A recent poll suggests that 6 out of 7 dwarfs are not happy


            • #7

              Use the delegate permissions wizard.

              Set up an OU called "Company" (call it CheeseFeatures if you want).
              Below Company, set up an OU called "Computers" (call it OrangeJuice even).
              Below Company, set up an OU called "Users" (it could even be called "regurgitatedchewinggum").
              Below Company, set up an OU called "Administrators" (actually call it Monkeybrain if you want).

              Put the Administrator accounts in the Administrators OU.
              Use the Delegate Authority wizard to delegate authority to Computers, Users.
              Do not delegate authority to the Administrators OU.

              That'll do it.
              Please do show your appreciation to those who assist you by leaving Rep Point


              • #8

                Originally posted by Ossian:
                No - a domain administrator can change other domain admins' passwords. You will have to look into user rights or AD delegation of control and give the abilities you want.
                I do remember NT 4.0 Server having the ability to create a "junior administrator". Actually not quite correct but you were able to create an administrator account and remove the ability of trainee administrator from doing things like being able to edit the Registry. Knowing how MS loves to leave legacy shit in their software (ergo Edlin.com), I would not be surprised if this option was still available.

                I will go looking once I have rebuilt my crumbling Windows 7 machine.
                1 1 was a racehorse.
                2 2 was 1 2.
                1 1 1 1 race 1 day,
                2 2 1 1 2


                • #9

                  Originally posted by kathy:
                  Hi,

                  I need to have one more account in my DC, and he can perform the operations mentioned below.

                  1. He can join the systems and servers to a DC.
                  2. He can create folder sharing for some users.
                  3. He must not be able to change the password for any of the user accounts in AD, or at least cannot change the password for the Administrator account, so that an administrator always has the power to log in to the server and even remove the junior admin account at any time.

                  Thanks,
                  1) All users have the right to join up to 10 computers to the domain (this value can be changed)
                  2) Local administrator will do this (IIRC Server Administrator on DCs)
                  3) Don't delegate any permissions, or use delegation and OUs as tehcamel says
                  Tom Jones
                  MCT, MCSE (2000:Security & 2003), MCSA:Security & Messaging, MCDBA, MCDST, MCITP(EA, EMA, SA, EDA, ES, CS), MCTS, MCP, Sec+
                  PhD, MSc, FIAP, MIITT
                  IT Trainer / Consultant
                  Ossian Ltd
                  Scotland

                  ** Remember to give credit where credit is due and leave reputation points where appropriate **
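
The OU layout from post #7 and the join quota from post #9, scripted as an added example; it is not code from any poster in the thread. The group name JuniorAdmins and the choice of delegated rights (computer-object creation, Reset Password on ordinary users) are assumptions, and the script expects an elevated session with the ActiveDirectory (RSAT) module.

```powershell
# Added example. 'JuniorAdmins' and the rights chosen are assumptions.
Import-Module ActiveDirectory

$domain   = Get-ADDomain
$domainDN = $domain.DistinguishedName
$company  = "OU=Company,$domainDN"
$trustee  = "$($domain.NetBIOSName)\JuniorAdmins"

# OU layout from post #7: a parent OU with three children.
New-ADOrganizationalUnit -Name 'Company' -Path $domainDN
foreach ($name in 'Computers', 'Users', 'Administrators') {
    New-ADOrganizationalUnit -Name $name -Path $company
}

# The delegated group lives in the undelegated OU, so rights held over
# the Users OU can never be used to change its membership.
New-ADGroup -Name 'JuniorAdmins' -GroupScope Global -GroupCategory Security `
    -Path "OU=Administrators,$company"

# Computers OU: create/delete computer objects, the right used at join time.
dsacls "OU=Computers,$company" /I:T /G "${trustee}:CCDC;computer"

# Users OU: Reset Password on user objects only. Omit this line for the
# stricter reading of requirement 3 (no password changes at all).
dsacls "OU=Users,$company" /I:S /G "${trustee}:CA;Reset Password;user"

# Report every explicit or inherited ACE the trustee holds on an OU.
function Get-DelegatedAce {
    param([string]$OuDN, [string]$Identity)
    (Get-Acl -Path "AD:\$OuDN").Access |
        Where-Object { $_.IdentityReference.Value -eq $Identity } |
        Select-Object ActiveDirectoryRights, ObjectType, IsInherited
}

# The Administrators OU must come back empty for the junior group.
if (Get-DelegatedAce "OU=Administrators,$company" $trustee) {
    Write-Warning "JuniorAdmins holds rights on the Administrators OU"
}

# Accounts flagged adminCount=1 that still sit in the delegated Users OU
# defeat the layout; move any that are listed here.
Get-ADUser -Filter 'adminCount -eq 1' -SearchBase "OU=Users,$company" |
    Select-Object SamAccountName, DistinguishedName

# Post #9, point 1: the per-user domain-join quota (default 10).
(Get-ADObject $domainDN -Properties 'ms-DS-MachineAccountQuota').'ms-DS-MachineAccountQuota'
```

Members of protected groups such as Domain Admins have their ACL stamped from AdminSDHolder and do not inherit OU delegations in any case; the separate Administrators OU matters for privileged accounts that are outside those groups.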
