Delegation not working on Account operators security group

[Aslamvs]

Hi,

we have helpdesk part of account operators and server admin in server operators group in windows 2003 active directory. I found that helpdesk can unlock any accounts but not the server operators and cant unlock the peer member account in same group. I ran the delegation whizad on domain level as well as on Ornization unit where we have both helpdesk and server operator accounte providing them full access to that OU to reset their password and unlock account, however they are still not able to do it. I think im missing something here.. please let me know your thoughts

Any help will be appretiated

Thanks,
Aslam

Aslam

 

[TechyMcSe2k]

http://technet.microsoft.com/en-us/library/bb726982.aspx

NOTE:Server Operators is a local group that allows a user to perform general administrator tasks. These tasks include sharing server resources, performing file backup and recovery, and more. As with other operator accounts, Server Operators can also log on to a server locally and shut it down. Server Operators can perform most common server administration tasks.

 

[Aslamvs]

Thanks for the information techy, however i want my account operators to unlock or reset server operators user passwords and they shud be able unlock and reset user passwords for other account operators and i tried to run the delegation on their OU and i granted them permissions to do so however this still isnt working after degation. am I missing something here?

Aslam

 

[TechyMcSe2k]

Account Operators can't manage the Administrator user account, the user accounts of administrators, or the group accounts Administrators, Server Operators, Account Operators, Backup Operators, and Print Operators. Account Operators also can't modify user rights.

They would need Domain Admin Rights to do so. the problem is, AD treates Server Operators as an Administrator account. Even delgation will not allow this.

 

[Aslamvs]

The delegation should be able allow this? what will be the work around to achieve this? i dont want helpdesk to have Domain admin rights

Aslam

 

[TechyMcSe2k]

Whom ever is your DA, will have to manage the password resets for these accounts. That is the design of AD. Because if your delegated helpdesk people can change passwords to "administrative accounts" such as server operators...then what is to keep them from changing these accounts and going in to your servers maliciously...

 

[Aslamvs]

Hmm ok.. so workaround to get this done.. thats sad part i have been struggling with this since long

Aslam

 

[TechyMcSe2k]

Well, you could create a "management" account for the helpdesk to use. Give it access to acct mgmt and server operator roles. Then, if they do get a call in for the server operator account, then they can runas "that account" for dsa.msc to be able to reset those accounts. But then you are right back to open access to administrator accounts. You ight as well add the account operators group to the sever operators group. There is no clean work around.

 

[Aslamvs]

Thanks Techy, i dont want to create a generic account and share the password to helpdesk if i do this my auditor will kill me.. what if i remove helpdesk from account operators and create a security group and all of them to this new group and run the delegation whizard on domain level for account unlock, password reset and exchange tasks and crete/delete new account?

Will this work?



Aslam

 

[TechyMcSe2k]

They will still be unable to change administrators password or create an account that needs to be in a built in administrators group such as a domain admin. You will need a designated DA to perform these task. Helpdesk will put in a ticket for the DA to create the Admin account creation or even a password change for an administrator. Security of AD. In all my years as an admin there has been no work around. Unless another forum member knows of a trick to do this.