- permissions
- Posted by Tester on April 4th, 2008
Hi there,
What permissions should I assign to a remote user that needs to be
able to:
- log in locally to an AD server to manage users like resetting passwords
and check backups on the server.
All our organization is under one OU and this server/user is on a
different site.
Thank you, T
- Posted by Ace Fekay [MVP] on April 16th, 2008
In news:e4786a57-8ddf-4b01-9cc6-e8ebf97e862e@e67g2000hsa.googlegroups.com,
Tester <calinguga@netscape.net> typed:
Logon Locally Rights to the DC. Better yet, allow them to VPN in and only
remote into their own desktop and open their custom MMC that you've
pre-created for him/her to administer the OU you've delegated the
permission to him/her to perform these tasks (assuming you did it this
way).
If not, have you already delegated the perms to the OU?
--
Regards,
Ace
This posting is provided "AS-IS" with no warranties or guarantees and
confers no rights.
Ace Fekay, MCSE 2003 & 2000, MCSA 2003 & 2000, MCSE+I, MCT,
MVP Microsoft MVP - Directory Services
Microsoft Certified Trainer
For urgent issues, you may want to contact Microsoft PSS directly. Please
check http://support.microsoft.com for regional support phone numbers.
Infinite Diversities in Infinite Combinations
- Posted by Tester on April 17th, 2008
Hi Ace,
How do I go about delegating permissions on an OU to other users, but with
limited access? Thank you, T
- Posted by Ace Fekay [MVP] on April 18th, 2008
In news:4dc271b9-baac-402c-bcb8-7914835408c5@m73g2000hsh.googlegroups.com,
Tester <calinguga@netscape.net> typed:
Breaking up your users into multiple OUs sounds like a better plan for
starters. Put users in that you want your delegates to reset passwords or
other tasks while moving others out, such as the CEO, execs, etc. Besides,
properly designing an OU design is best practice. There are a few design
models, depending on your company's organizational layout, business model
and locations (local or global).
Time for some reading...
Step A1: Design the OU Structure:
http://technet.microsoft.com/en-us/l.../cc268206.aspx
AD Organizational Unit Design Principles:
http://msforums.ph/blogs/jpaloma/arc...rinciples.aspx
Tom Shinder's Blog: OU Design to Support Security Group Policy:
http://blogs.windowsecurity.com/shin...-group-policy/
Use the Delegation Wizard in AD to delegate the ability to reset passwords,
change certain attributes, etc. Right-click the OU, select Delegate. The
Options are too much to go over here. Same with making a custom MMC for them
so they can only see that OU and nothing else. You can also simply add them
to the Account Operators group to give them a blanket of admin tasks on the
whole domain.
Best Practices for Delegating Active Directory Administration (this has
multiple pages)
http://www.microsoft.com/technet/pro...y/actdid1.mspx
Implementing Active Directory Delegation of Administration (good article):
http://www.windowsecurity.com/articl...istration.html
And some more reading:
Download details Best Practices for Delegating Active Directory
Administration:
http://www.microsoft.com/downloads/d...displaylang=en
or easier if the above URL line-wrapped:
http://tinyurl.com/vzlg
As for checking and administering backups on a DC, that is not a delegation
option, but rather they need Logon Locally on the DC (Start/Programs/Admin
Tools/Domain Controller Policy) as well as putting them in the DC's Local
Backup group, which should also work with a third party DR solution
(Veritas, etc) but you have to double check. Veritas may require the user
have local admin rights.
What is the Backup Operator?
http://www.monitorware.com/Common/en...pOperators.php
Securing Active Directory Administrative Groups and Accounts (goes over the
different types of groups available that can perform certain tasks on a
machine):
http://www.microsoft.com/technet/sec...in_groups.mspx
If you want to delegate Exchange server admin tasks, this is more
complicated and a whole other topic. One needs to understand AD permissions
at the attribute level first prior to understanding how to delegate specific
tasks in Exchange. It has a delegation wizard too, but that doesn't give
them the AD rights and permissions they need to work on user accounts and
other mail-enabling capable objects.
Ace
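As an added example (not from this thread or from Ace), here is the scripted equivalent of the Delegation Wizard's "Reset user passwords and force password change at next logon" task, which keeps the grant to one OU and to user objects only instead of handing out Account Operators. The OU distinguished name, the group name and the domain are placeholders; the schema and extended-right GUIDs are the standard AD ones.

```powershell
# Assumed names: adjust the OU DN and group to your environment.
Import-Module ActiveDirectory

$ouDN     = 'OU=Site2 Users,DC=example,DC=com'   # placeholder OU
$group    = Get-ADGroup 'Site2-Helpdesk'          # placeholder delegate group
$groupSid = [System.Security.Principal.SecurityIdentifier]$group.SID

# Well-known AD GUIDs used to scope the ACEs
$userClassGuid     = [Guid]'bf967aba-0de6-11d0-a285-00aa003049e2'  # user object class
$resetPasswordGuid = [Guid]'00299570-246d-11d0-a768-00aa006e0529'  # "Reset Password" control access right
$pwdLastSetGuid    = [Guid]'bf967a0a-0de6-11d0-a285-00aa003049e2'  # pwdLastSet attribute

$acl = Get-Acl -Path "AD:\$ouDN"

# ACE 1: extended right "Reset Password", inherited by user objects under the OU only
$acl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $groupSid,
    [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight,
    [System.Security.AccessControl.AccessControlType]::Allow,
    $resetPasswordGuid,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents,
    $userClassGuid)))

# ACE 2: read/write pwdLastSet so the delegate can force "change password at next logon"
$acl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $groupSid,
    ([System.DirectoryServices.ActiveDirectoryRights]::ReadProperty -bor
     [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty),
    [System.Security.AccessControl.AccessControlType]::Allow,
    $pwdLastSetGuid,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents,
    $userClassGuid)))

Set-Acl -Path "AD:\$ouDN" -AclObject $acl

# Audit: show exactly what the delegate group now holds on this OU and nothing else
(Get-Acl -Path "AD:\$ouDN").Access |
    Where-Object { $_.IdentityReference -like "*\$($group.Name)" } |
    Select-Object ActiveDirectoryRights, ObjectType, InheritedObjectType, InheritanceType
```

Run the audit block periodically (or feed it to your SIEM) so an ACE that grows beyond these two rights is noticed; nothing here touches Logon Locally or Backup Operators on the DC, which remain separate, server-local grants as described above.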