Home | Contact Us | FAQ | Search & Site Map | Link to Us
Sign In | Join | Other 45 Sites in Network
Home
Discussion GroupsWindows Server 2003Windows 2000Windows NTSmall Business ServerVirtual ServerExchange ServerIISHost Integration ServerISA ServerSMSWSUSMOMWindows Media ServerSecurityCertification
Related Topics
SQL ServerMS WindowsMS OfficePC HardwareMore Topics ...
Windows Server Forum / Windows Server 2003 / Active Directory / July 2005

Tip: Looking for answers? Try searching our database.

Administer user and Contact Details in AD

Thread view: 
Enable EMail Alerts  Start New Thread
Thread rating: 
Dave Green - 29 Jul 2005 11:58 GMT
I'd like to setup one of our secretarial staff to be able to update user
details and add contact info to our AD.

Is there any security issue with making a non-administrator user a member of
the Account Operators group ? ie. does this group provide more privilege
than just administering details of the AD users and contacts ?

Our workstations are mainly Windows 2000 Pro, is there an AD management
client that runs on Win2k or will I have to provide access via remote
desktop ?

Thanks,

Dave Green
Reply to this Message
Ricardo Pistarino - 29 Jul 2005 12:28 GMT
You don't need to make her account operator (at least you want she could
change passwords, unlock accounts, create & drop users), you just need to
give her permissions to change that fields of users/contact objects. Install
ADMINPAK.MSI (from Windows Server CD), and use "active directory user and
computers" from the administrative tools menu.

> I'd like to setup one of our secretarial staff to be able to update user
> details and add contact info to our AD.
[quoted text clipped - 11 lines]
>
> Dave Green
Reply to this Message
Paul Williams [MVP] - 29 Jul 2005 13:59 GMT
In addition to this advice, download and review the Active Directory
Delegation Guide from Microsoft.  The appendix tells you exactly what
permissions are required on each object to perform the task.  You can easily
achieve what you want simply by setting permissions on the OU and domain in
question.

Signature

Paul Williams
Microsoft MVP - Windows Server - Directory Services
http://www.msresource.net | http://forums.msresource.net

Reply to this Message
Misaro - 29 Jul 2005 17:40 GMT
Hi Ricardo I have the same situation then you said use "active directory
users and
> computers" from the administrative tools menu. but I'm not sure where to edit user permissions to change the fields.

Thanks any comments !!

> You don't need to make her account operator (at least you want she could
> change passwords, unlock accounts, create & drop users), you just need to
[quoted text clipped - 17 lines]
> >
> > Dave Green
Reply to this Message
Ricardo Pistarino - 29 Jul 2005 18:43 GMT
You can do that in two ways:

1) Use "Delegate Control" wizard (the more restrictive situation will be
grant her at OU level).
2) Switch to "Advanced View", then select the OU containing user accounts
and then right click->properties and select "security" tab.

> Hi Ricardo I have the same situation then you said use "active directory
> users and
[quoted text clipped - 28 lines]
>> >
>> > Dave Green
Reply to this Message
Dave Green - 30 Jul 2005 02:20 GMT
> I'd like to setup one of our secretarial staff to be able to update user
> details and add contact info to our AD.

Thanks for the comments and pointers.

Dave
Reply to this Message
 
Sign In
Join
My Latest Posts
My Monitored Threads
My Blog
My Photo Gallery
My Profile
My Homepage
Start New Thread
Enable EMail Alerts
Rate this Thread



©2010 Advenet LLC   Privacy Policy - Terms of Use
This website includes both content owned or controlled by Advenet as well as content owned or controlled by third parties.