Active Directory Security for Helpdesk

[goosed]

Hey all, I'm wanting to delegate some basic AD functions to my Helpdesk users. What would be the best way to go about and do this? I've messed with delegating control in the past and never had much luck. Is there a better/easier way of doing this?

Basically I want to configure a small group of users to have access to unlock/reset passwords. Any help would be appreciated. Thanks.

 

[markdmac]

Like you I've played around with delegation for customers and found that typically they just mess things up.

I would instead recommend that you use a combination of ASP code and VBScript to give the users such access. Doing it this way you can restrict access to the web pages and allow the admin credentials to be applied behind the scenes without actually giving the users any elevated privileges.

Simple code example to Unlock a user account:

Set objUser = GetObject _
    ("LDAP://cn=MyerKen,ou=Management,dc=NA,dc=fabrikam,dc=com")

objUser.IsAccountLocked = False
objUser.SetInfo

And to Enable an account that was disabled:

Set objUser = GetObject _
  ("LDAP://cn=myerken,ou=management,dc=fabrikam,dc=com")

objUser.AccountDisabled = FALSE
objUser.SetInfo

I hope you find this post helpful.

Regards,

Mark

Check out my scripting solutions at

http://www.thespidersparlor.com/vbscript

Work SMARTER not HARDER. The Spider's Parlor's Admin Script Pack is a collection of Administrative scripts designed to make IT Administration easier! Save time, get more work done, get the Admin Script Pack.