What permissions are needed for a helpdesk admin to create users in AD?

What permissions are needed for a helpdesk admin to create users in AD? I don't want this person to be a domain administrator; we have 2003 DCs.


Solution 1:

Try using Delegate Control, as I think this will be the solution for fine-tuning this access.

Set up the helpdesk admin as a security group in ADUC if not already in place. From there you can go to view/advanced options, right-click an OU (to be more specific) or the domain as a whole, specify which rights (add users) and include the security group.

Take a look at http://social.technet.microsoft.com/Forums/en-US/winserverGP/thread/d7ad344d-0fcf-4a80-9fe0-cac802df25bb for reference.
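The same OU-level delegation, scripted, as an added example that is not part of the original answer. It assumes a group named Helpdesk-Admins and an OU `OU=Staff,DC=example,DC=com` (both placeholders), and the ActiveDirectory PowerShell module, which against 2003 DCs needs the Active Directory Management Gateway Service; without it, `dsacls` can write the same ACE.

```powershell
# Added example: grant a helpdesk group the right to create user objects in one OU,
# then read the ACL back to confirm exactly what was granted. Group and OU names are
# placeholders; adjust them for your domain.
Import-Module ActiveDirectory

$ou        = 'OU=Staff,DC=example,DC=com'        # assumed OU; scope of the delegation
$groupName = 'Helpdesk-Admins'                   # assumed security group
$group     = Get-ADGroup -Identity $groupName
$sid       = [System.Security.Principal.SecurityIdentifier]$group.SID

# schemaIDGUID of the "user" object class. Passing it as ObjectType limits CreateChild
# to user objects, so the group cannot create computers, groups or OUs here.
$userClassGuid = [Guid]'bf967aba-0de6-11d0-a285-00aa003049e2'

$acl = Get-Acl -Path "AD:\$ou"

# Allow: create child objects of class user, on this OU and every child OU.
# Only CreateChild is granted; resetting passwords or editing attributes on the
# accounts afterwards are separate rights and need their own, equally scoped ACEs.
$rule = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $sid,
    [System.DirectoryServices.ActiveDirectoryRights]::CreateChild,
    [System.Security.AccessControl.AccessControlType]::Allow,
    $userClassGuid,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All)
$acl.AddAccessRule($rule)

Set-Acl -Path "AD:\$ou" -AclObject $acl

# Verify: show only the ACEs on the OU that apply to the helpdesk group. The ObjectType
# column should be the user-class GUID above, not an empty GUID (which would mean
# "any object class").
(Get-Acl -Path "AD:\$ou").Access |
    Where-Object { $_.IdentityReference.Value -like "*\$groupName" } |
    Format-Table IdentityReference, ActiveDirectoryRights, AccessControlType,
                 ObjectType, InheritanceType -AutoSize
```

Running the verification step on its own is also a useful periodic check that the delegation has not quietly grown beyond one object class or one OU.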

Solution 2:

It's preferable to do this at the OU level by delegating control as Nicholas indicates. If you need to give them the ability to create and manage user accounts and groups everywhere, then there is the BUILTIN\Account Operators group. This group functions like it did in NT4. Because of that, it probably has too many rights for what you're looking for, but I mention it because sometimes that is exactly what folks want, especially when putting in permissions through a third-party product.