View Current Delegated Permissions:
MMC Console >> View >> Advanced Features >> Right-click desired OU, Properties >> Security tab >> Advanced button >> Check whether any custom group or user has been given special permissions >> remove single-user permissions (delegations should be granted to groups, not individual accounts)
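The same audit step done from PowerShell, as an added example that is not part of the original procedure: it lists the explicit (non-inherited) ACEs on an OU and flags any granted directly to a user account rather than a group. It assumes the RSAT ActiveDirectory module is installed and the OU distinguished name shown is a placeholder.

```powershell
# Added example (not from the original procedure): enumerate explicit ACEs on an OU
# and flag delegations granted to a single user instead of a group.
# Assumes the ActiveDirectory module (RSAT) is available; the OU DN below is a placeholder.
Import-Module ActiveDirectory

function Get-OUDelegation {
    param(
        [Parameter(Mandatory)] [string] $OuDistinguishedName
    )

    # The AD: PSDrive is provided by the ActiveDirectory module.
    $acl = Get-Acl -Path ("AD:\" + $OuDistinguishedName)

    foreach ($ace in $acl.Access) {
        # Inherited ACEs come from the parent container or domain head;
        # only explicit ACEs are delegations set on this OU itself.
        if ($ace.IsInherited) { continue }

        # Resolve the trustee to its AD object class (user/group/computer). Well-known
        # principals such as NT AUTHORITY\SELF have no AD object and stay $null.
        $objectClass = $null
        try {
            $sid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value
            $obj = Get-ADObject -Filter "objectSid -eq '$sid'" -Properties objectClass -ErrorAction SilentlyContinue
            if ($obj) { $objectClass = $obj.objectClass }
        } catch { }

        [pscustomobject]@{
            Trustee     = $ace.IdentityReference.Value
            ObjectClass = $objectClass
            Rights      = $ace.ActiveDirectoryRights
            Type        = $ace.AccessControlType
            # GUID of the attribute or extended right the ACE applies to; all zeros means "all".
            ObjectType  = $ace.ObjectType
            # Per the procedure above, permissions belong on groups, not individual accounts.
            SingleUser  = ($objectClass -eq 'user')
        }
    }
}

# Usage: replace the placeholder DN with the OU being audited.
Get-OUDelegation -OuDistinguishedName 'OU=Workstations,DC=example,DC=com' |
    Where-Object SingleUser |
    Format-Table Trustee, Rights, Type, ObjectType -AutoSize
```

Drop the `Where-Object SingleUser` filter to see every explicit delegation on the OU, including group-based ones.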
Create a security group in Active Directory:
Run Active Directory Users and Computers >> select desired OU and create a security group >> add IT personnel into that group
Delegate AD permissions to IT Group:
Run Active Directory Users and Computers >> Right-click the domain name >> Delegate Control >> Next >> Add >> Select desired IT group(s) >> OK >> Next >> select “Create a custom task to delegate” >> Choose “Only the following objects in the folder” >> Choose the “User objects” and Check the box of “Create selected object in this folder” >> clear General check box >> select Property-specific >> check the following items:
Read/Write Assistant, carLicense, comment, Company, Department, Description, desktopProfile, Direct Reports, DisplayName, Division, E-mail Address, Employee ID, employeeNumber, employeeType, First Name, fobSerial, Home Address, Home Drive, Home Folder, Home Phone, Home Phone Number, IP Phone Number, Job Title, jpegPhoto, lastLogonTimestamp, loginShell, Logon Name, Logon Workstations, logonHours, logonWorkstation, Manager, Member Of, Middle Name, Mobile Phone Number, msTSAllowLogon, msTSBrokenConnectionAction, msTSConnectClientDrives, msTSConnectPrinterDrives, msTSDefaultToMainPrinter, msTSHomeDirectory, msTSHomeDrive, msTSInitialProgram, msTSPrimaryDesktop, msTSProfilePath, msTSReconnectionAction, msTSRemoteControl, msTSSecondaryDesktops, msTSWorkDirectory, name, Notes, Phone Number, photo, Post Office Box, postalAddress, profilePath, roomNumber, scriptPath, serialNumber, street, Street Address, Telephone Number, thumbnailLogo, thumbnailPhoto, Title, unixHomeDirectory, unixUserPassword, userSharedFolder, userSharedFolderOther, Zip/Postal Code
click Finish >> right click the domain or OU again >> Delegate Control >> Next >> Add >> Select desired IT group(s) >> OK >> Next >> select “Create a custom task to delegate” >> Choose “Only the following objects in the folder” >> Choose the “User objects” and Check the box of “Create selected object in this folder” >> Next >> Check “Change Password” >> Finish
Delegate computer renaming:
Run Active Directory Users and Computers >> Right-click the domain name >> Delegate Control >> Next >> Add >> Select desired IT group(s) >> OK >> Next >> select “Create a custom task to delegate” >> Choose “Only the following objects in the folder” >> Choose the “Computer objects” and Check the box of “Create selected objects in this folder” and “Delete selected objects in this folder” >> check boxes “Reset Password”, “Validated write to service principal name”, “Read and write Account Restrictions”, “Validated write to DNS host name”, and “Write All Properties” at the last sequence >> Next >> Finish
Allow RDP Access to Servers:
Create a new GPO named “RDP for Operations Team” with these settings:
Computer configuration >> Policies >> Windows Settings >> Security Settings >> Restricted Groups >> Right-click, Add GB-Operations >> OK >> Click Add on “This group is a member of” >> click Browse >> type in “Remote Desktop Users” >> OK >> repeat process for Domain Admins
Edit GPO >> Computer Configuration >> Policies >> Windows Settings >> Security Settings >> Local Policies >> User Rights Assignment >> Edit “Allow log on through Remote Desktop Services,” “Allow log on locally,” and “Shut down the system” >> Add the “GB-Operations,” “Domain Admins,” and “Administrators” groups to each list