question

1 Vote
GrzegorzGoljanek-9455 asked ·

What permissions to manage snap-in computers and users in AD (WS2019)

Hello all! I need a little help. I have a new colleague and I need to give him permission to access the Users and Computers snap-in in AD. I've tested settings in policies, delegations, and groups, but it doesn't work. Local admin too - he is a local admin now. I don't want to make him a domain admin. I am doing something wrong - what permissions should I give in WS 2019? Thank you in advance, Greg

windows-server-security

1 Vote
FanFan-MSFT answered ·

Hi,
If the user needs to create new users, add them to groups, change passwords, etc., you can use delegation of control to grant the proper permissions without adding the account to the admins group.
Right-click the domain name or the OUs to which you want to assign permissions:
56474-1141.jpg
56299-1142.jpg
Select the permission you want to assign, or you can try to customize a task:
56486-1143.jpg




1 Vote
FanFan-MSFT answered ·

Hi,
Based on my understanding, you want to assign permission to a user to access ADUC from a member server or workstation, right?
It doesn't need the domain admin permission to do this.
The default security is Read for Authenticated Users, as follows:
55510-1121.jpg

The special permissions are: Read permissions and Read all properties.

If you don't have the permission, we need to assign the permission to the user.
Right-click the domain name or OU name in ADUC on the DC.
On the Security tab, add the user and assign the permissions as shown in the screenshot above.




Best Regards,




Hi,
Welcome to share your current situation if there are any updates.
Please feel free to let us know if you need further assistance.
 
Best Regards,

0 Votes 0 ·
0 Votes
GrzegorzGoljanek-9455 answered ·

Hello!
Thank you for your answer.
There is no problem with access to this snap-in. Look at your picture - (everyone - Read all properties)

But I forgot to say that he is a new administrator (junior) and he needs to do admin work on user accounts on the server. I mean he needs to create new users, add them to groups, change passwords, etc. Now he has only read. If I put his account in the domain admins group, he can do what he needs, but I don't want to do that yet. Is there another way to do it?


0 Votes
Thameur-BOURBITA answered ·

Hi,

You can delegate management of user and computer accounts to the admin account at each OU level using the delegation wizard:
56285-image.png

You can refer to the links below :

delegating-administration-by-using-ou-objects

delegate-permission-reset-ad-user-account-passwords



Please don't forget to mark helpful replies as answers.




1 Vote
GrzegorzGoljanek-9455 answered ·

Thank You, works great!

Ehm... but is it possible to revoke this delegation? :DDD


1 Vote
GrzegorzGoljanek-9455 answered ·

Thameur-BOURBITA - I've found it - Security :D

Thank you again !
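
As an added example (not part of any reply in this thread): a PowerShell way to review the explicit ACEs that a delegation wrote on an OU and to remove them again, the scripted counterpart of the Security tab mentioned above. The OU path and account name are placeholders, the function names are hypothetical, and the RSAT ActiveDirectory module is assumed.

```powershell
# Added example: placeholders below are assumptions, not values from the thread.
Import-Module ActiveDirectory   # provides the AD: drive used by Get-Acl / Set-Acl

$OuDn     = 'OU=Staff,DC=example,DC=com'   # placeholder OU
$Delegate = 'EXAMPLE\junior.admin'         # placeholder delegated account

# A few well-known schema/extended-right GUIDs, so the output is readable.
$KnownGuids = @{
    'bf967aba-0de6-11d0-a285-00aa003049e2' = 'user (class)'
    'bf967a9c-0de6-11d0-a285-00aa003049e2' = 'group (class)'
    '00299570-246d-11d0-a768-00aa006e0529' = 'Reset Password (extended right)'
}

function Get-DelegatedAce {
    param([string]$DistinguishedName, [string]$Identity)
    # Explicit (non-inherited) ACEs only: those set directly on this OU.
    (Get-Acl -Path "AD:\$DistinguishedName").Access |
        Where-Object { -not $_.IsInherited -and $_.IdentityReference.Value -eq $Identity } |
        Select-Object AccessControlType, ActiveDirectoryRights, InheritanceType,
            @{ n = 'AppliesTo'; e = {
                $g = "$($_.ObjectType)"
                if ($KnownGuids.ContainsKey($g)) { $KnownGuids[$g] } else { $g } } },
            @{ n = 'InheritedBy'; e = {
                $g = "$($_.InheritedObjectType)"
                if ($KnownGuids.ContainsKey($g)) { $KnownGuids[$g] } else { $g } } }
}

function Remove-DelegatedAce {
    [CmdletBinding(SupportsShouldProcess)]
    param([string]$DistinguishedName, [string]$Identity)
    $path    = "AD:\$DistinguishedName"
    $acl     = Get-Acl -Path $path
    $targets = @($acl.Access | Where-Object {
        -not $_.IsInherited -and $_.IdentityReference.Value -eq $Identity })
    if ($targets.Count -eq 0) { return }
    foreach ($ace in $targets) { [void]$acl.RemoveAccessRule($ace) }
    # Nothing is written to the directory unless this confirmation passes.
    if ($PSCmdlet.ShouldProcess($DistinguishedName, "Remove $($targets.Count) ACE(s) for $Identity")) {
        Set-Acl -Path $path -AclObject $acl
    }
}

# Review first, then dry-run the revocation; drop -WhatIf to apply it.
Get-DelegatedAce    -DistinguishedName $OuDn -Identity $Delegate | Format-Table -AutoSize
Remove-DelegatedAce -DistinguishedName $OuDn -Identity $Delegate -WhatIf
```

Run the review step on every OU where the wizard was used, since each delegation is stored on the OU it was applied to and only shows as inherited on the objects beneath it.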


0 Votes
GrzegorzGoljanek-9455 answered ·

All works great! Thank you.
But I wonder how I can check what he does in the Users and Computers snap-in. Is it possible to check it?
Do you maybe have any idea?


0 Votes
FanFan-MSFT answered ·