Hello,

We have a Windows 2003 domain. We are in the process of implementing password
policy on the domain.

Currently we add helpdesk staff to server operators group for AD
administration. Is there a role based administration model in Windows 2003 so
that I can add some helpdesk staff to just reset password and not server
operators?

Thanks

Re: Role based administration for password resets by Tomasz

Tomasz
Tue Jul 08 07:53:39 PDT 2008

TSAM wrote:
> Hello,
>
> We have a Windows 2003 domain. We are in the process of implementing password
> policy on the domain.
>
> Currently we add helpdesk staff to server operators group for AD
> administration. Is there a role based administration model in Windows 2003 so
> that I can add some helpdesk staff to just reset password and not server
> operators?

You can delegate the password reset task to some people.

http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/activedirectory/stepbystep/ctrlwiz.mspx
http://www.microsoft.com/downloads/details.aspx?familyid=631747a3-79e1-48fa-9730-dae7c0a1d6d3&displaylang=en

--
Tomasz Onyszko
http://www.w2k.pl/ - (PL)
http://blogs.dirteam.com/blogs/tomek/ - (EN)
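
The delegation suggested above can also be scripted with `dsacls.exe` from the Windows Support Tools instead of the wizard. This is an added example, not part of the original posts; the domain `EXAMPLE` / `example.com`, the OU `Staff`, the group `Helpdesk-PwdReset` and the user DN are assumed placeholder names.

```batch
@echo off
rem Added example: delegate password resets on ONE OU to a helpdesk group,
rem so helpdesk staff no longer need membership in Server Operators.
rem All names below are assumed placeholders, not values from the thread.
setlocal
set "OU=OU=Staff,DC=example,DC=com"
set "GRPDN=CN=Helpdesk-PwdReset,OU=Groups,DC=example,DC=com"
set "GRP=EXAMPLE\Helpdesk-PwdReset"

rem Create a global security group that will hold the helpdesk accounts.
dsadd group "%GRPDN%" -secgrp yes -scope g

rem /I:S applies the ACE to child objects only; the trailing ";user"
rem restricts it to user objects (not computers, groups or OUs).

rem 1. Extended right "Reset Password" on user objects in the OU.
dsacls "%OU%" /I:S /G "%GRP%:CA;Reset Password;user"

rem 2. Read/write pwdLastSet, needed to tick
rem    "User must change password at next logon" after a reset.
dsacls "%OU%" /I:S /G "%GRP%:RPWP;pwdLastSet;user"

rem 3. Read/write lockoutTime, needed to unlock a locked-out account.
dsacls "%OU%" /I:S /G "%GRP%:RPWP;lockoutTime;user"

rem Verify: list the OU's ACL and show only the entries for the new group.
dsacls "%OU%" | findstr /I /C:"Helpdesk-PwdReset"
if errorlevel 1 (
    echo No ACEs found for %GRP% on %OU% - delegation was not applied.
    exit /b 1
)

rem Once verified, take the helpdesk account out of Server Operators.
rem The member DN is a placeholder; repeat per helpdesk user.
dsmod group "CN=Server Operators,CN=Builtin,DC=example,DC=com" ^
    -rmmbr "CN=Helpdesk User,OU=IT,DC=example,DC=com"
endlocal
```

Point the delegation at an OU that holds only ordinary user accounts, since anyone who can reset a password can take over that account. Accounts protected by AdminSDHolder (members of Domain Admins and similar groups) do not inherit these ACEs, so they stay outside the helpdesk's reach.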

Re: Role based administration for password resets by TSAM

TSAM
Tue Jul 08 08:07:10 PDT 2008

Thanks much

"Tomasz Onyszko" wrote:

> TSAM wrote:
> > Hello,
> >
> > We have a Windows 2003 domain. We are in the process of implementing password
> > policy on the domain.
> >
> > Currently we add helpdesk staff to server operators group for AD
> > administration. Is there a role based administration model in Windows 2003 so
> > that I can add some helpdesk staff to just reset password and not server
> > operators?
>
> You can delegate the password reset task to some people.
>
> http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/activedirectory/stepbystep/ctrlwiz.mspx
> http://www.microsoft.com/downloads/details.aspx?familyid=631747a3-79e1-48fa-9730-dae7c0a1d6d3&displaylang=en
>
> --
> Tomasz Onyszko
> http://www.w2k.pl/ - (PL)
> http://blogs.dirteam.com/blogs/tomek/ - (EN)
>

Re: Role based administration for password resets by Jorge

Jorge
Tue Jul 08 12:15:47 PDT 2008

Amongst others, AD is all about delegating management tasks!

also see:
http://blogs.dirteam.com/blogs/jorge/archive/2006/01/05/369.aspx

--

Cheers,
(HOPEFULLY THIS INFORMATION HELPS YOU!)

# Jorge de Almeida Pinto # MVP Identity & Access - Directory Services #

BLOG (WEB-BASED)--> http://blogs.dirteam.com/blogs/jorge/default.aspx
BLOG (RSS-FEEDS)--> http://blogs.dirteam.com/blogs/jorge/rss.aspx
------------------------------------------------------------------------------------------
* How to ask a question --> http://support.microsoft.com/?id=555375
------------------------------------------------------------------------------------------
* This posting is provided "AS IS" with no warranties and confers no rights!
* Always test ANY suggestion in a test environment before implementing!
------------------------------------------------------------------------------------------
"TSAM" <TSAM@discussions.microsoft.com> wrote in message
news:387D5ABA-288F-422A-A71E-6E3AF6CAE721@microsoft.com...
> Hello,
>
> We have a Windows 2003 domain. We are in the process of implementing
> password policy on the domain.
>
> Currently we add helpdesk staff to server operators group for AD
> administration. Is there a role based administration model in Windows 2003
> so that I can add some helpdesk staff to just reset password and not server
> operators?
>
> Thanks


Re: Role based administration for password resets by Brandon

Brandon
Tue Jul 08 18:50:14 PDT 2008

TSAM wrote:
> Hello,
>
> We have a Windows 2003 domain. We are in the process of implementing password
> policy on the domain.
>
> Currently we add helpdesk staff to server operators group for AD
> administration. Is there a role based administration model in Windows 2003 so
> that I can add some helpdesk staff to just reset password and not server
> operators?
>
> Thanks

Unfortunately ADS doesn't support roles like other directory servers do
(e.g. Netscape) but you can do a lot with the security groups.
Unfortunately these security groups can only act as a role with respect
to the Windows OS. Roles, when properly done, can be utilized across any
application, not just an OS. As long as you stick to needing a "role"
within the Windows OS and the AD environment you are fine with using
regular security groups.