| Line 10: | Line 10: | ||
=== Password Reset === | === Password Reset === | ||
In order to allow another user to perform a password reset you need to set the following permissions:<br> | In order to allow another user to perform a password reset you need to set the following permissions:<br> | ||
| − | Type: Allow | + | Type: Allow |
| − | Applies To: Descendant User Objects | + | Applies To: Descendant User Objects |
| − | Permissions: Reset password | + | Permissions: Reset password |
Optionally if you want to allow the user to set 'Require password change at next logon' set these permissions as well:<br> | Optionally if you want to allow the user to set 'Require password change at next logon' set these permissions as well:<br> | ||
| − | Type: Allow | + | Type: Allow |
| − | Applies To: Descendant User Objects | + | Applies To: Descendant User Objects |
| − | Properties: Read pwdLastSet | + | Properties: Read pwdLastSet |
| − | Properties: Write pwdLastSet | + | Properties: Write pwdLastSet |
=== Unlock Account === | === Unlock Account === | ||
In order to allow another user to unlock an account set the following permissions:<br> | In order to allow another user to unlock an account set the following permissions:<br> | ||
| − | Type: Allow | + | Type: Allow |
| − | Applies To: Descendant User Objects | + | Applies To: Descendant User Objects |
| − | Properties: Read lockoutTime | + | Properties: Read lockoutTime |
| − | Properties: Write lockoutTime | + | Properties: Write lockoutTime |
=== Join/Re-Join Computer to Domain === | === Join/Re-Join Computer to Domain === | ||
| − | Type: Allow | + | Type: Allow |
| − | Applies To: This object and all descendant objects | + | Applies To: This object and all descendant objects |
| − | Permissions: Create computer objects | + | Permissions: Create computer objects |
| − | Type: Allow | + | Type: Allow |
| − | Applies To: Descendant Computer Objects | + | Applies To: Descendant Computer Objects |
| − | Permissions: Reset password | + | Permissions: Reset password |
| − | Type: Allow | + | Type: Allow |
| − | Applies To: Descendant Computer Objects | + | Applies To: Descendant Computer Objects |
| − | Permissions: Validated write to DNS host name | + | Permissions: Validated write to DNS host name |
| − | Permissions: Validated write to service principal name | + | Permissions: Validated write to service principal name |
| − | Type: Allow | + | Type: Allow |
| − | Applies To: Descendant Computer Objects | + | Applies To: Descendant Computer Objects |
| − | Properties: Read account restrictions | + | Properties: Read account restrictions |
| − | Properties: Write account restrictions | + | Properties: Write account restrictions |
=== Move Computer Object === | === Move Computer Object === | ||
| − | Type: Allow | + | Type: Allow |
| − | Applies To: This object and all descendant objects | + | Applies To: This object and all descendant objects |
| − | Permissions: Create computer objects (on the destination OU) | + | Permissions: Create computer objects (on the destination OU) |
| − | Permissions: Delete computer objects (on the source OU) | + | Permissions: Delete computer objects (on the source OU) |
| − | Type: Allow | + | Type: Allow |
| − | Applies To: This object and all descendant objects | + | Applies To: This object and all descendant objects |
| − | Permissions: Write all properties | + | Permissions: Write all properties |
''Note 1: On the default 'Computers' container, you may need to remove the ''' 'Everyone: Deny Delete all child objects' ''' before you can move computer objects on of this container.'' | ''Note 1: On the default 'Computers' container, you may need to remove the ''' 'Everyone: Deny Delete all child objects' ''' before you can move computer objects on of this container.'' | ||
''Note 2: I found a situation where you may also need the ''' 'Delete Subtree' ''' permission as well if the computer object contains subobjects.'' | ''Note 2: I found a situation where you may also need the ''' 'Delete Subtree' ''' permission as well if the computer object contains subobjects.'' | ||
| + | |||
Revision as of 00:07, 10 November 2017
Contents
Overview
Active Directory objects and their attributes have permissions just like files on a file server. You can assign permissions to non-admin accounts to perform certain tasks. A common use case for this is a Help Desk. Often times the Help Desk will need the ability to reset a users's password, or unlock an account because of too many failed logon attempts.
Delegate Control
Microsoft has created a wizard for setting AD permissions as described above, this wizard is called 'Delegate Control' and it can be accessed by right clicking an object within Active Directory Users and Computers (ADUC for short).
Password Reset
In order to allow another user to perform a password reset you need to set the following permissions:
Type: Allow Applies To: Descendant User Objects Permissions: Reset password
Optionally if you want to allow the user to set 'Require password change at next logon' set these permissions as well:
Type: Allow Applies To: Descendant User Objects Properties: Read pwdLastSet Properties: Write pwdLastSet
Unlock Account
In order to allow another user to unlock an account set the following permissions:
Type: Allow Applies To: Descendant User Objects Properties: Read lockoutTime Properties: Write lockoutTime
Join/Re-Join Computer to Domain
Type: Allow Applies To: This object and all descendant objects Permissions: Create computer objects
Type: Allow Applies To: Descendant Computer Objects Permissions: Reset password
Type: Allow Applies To: Descendant Computer Objects Permissions: Validated write to DNS host name Permissions: Validated write to service principal name
Type: Allow Applies To: Descendant Computer Objects Properties: Read account restrictions Properties: Write account restrictions
Move Computer Object
Type: Allow Applies To: This object and all descendant objects Permissions: Create computer objects (on the destination OU) Permissions: Delete computer objects (on the source OU)
Type: Allow Applies To: This object and all descendant objects Permissions: Write all properties
Note 1: On the default 'Computers' container, you may need to remove the 'Everyone: Deny Delete all child objects' before you can move computer objects on of this container.
Note 2: I found a situation where you may also need the 'Delete Subtree' permission as well if the computer object contains subobjects.
Reference
https://technet.microsoft.com/en-us/library/cc754542(v=ws.11).aspx
https://morgansimonsen.com/2013/12/17/delegating-computer-object-management-tasks-2/