Revision as of 00:02, 10 November 2017
Overview
Active Directory objects and their attributes have permissions just like files on a file server. You can assign permissions to non-admin accounts so they can perform certain tasks. A common use case for this is a Help Desk: oftentimes the Help Desk will need the ability to reset a user's password, or to unlock an account that has been locked out because of too many failed logon attempts.
Delegate Control
Microsoft has created a wizard for setting the AD permissions described above. This wizard is called 'Delegate Control', and it can be accessed by right-clicking an object (such as an OU) within Active Directory Users and Computers (ADUC for short).
Password Reset
In order to allow another user to perform a password reset you need to set the following permissions:
Type: Allow
Applies To: Descendant User Objects
Permissions: Reset password
Optionally, if you want to allow the user to set 'User must change password at next logon', set these permissions as well:
Type: Allow
Applies To: Descendant User Objects
Properties: Read pwdLastSet
Properties: Write pwdLastSet
Unlock Account
In order to allow another user to unlock an account set the following permissions:
Type: Allow
Applies To: Descendant User Objects
Properties: Read lockoutTime
Properties: Write lockoutTime
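The same 'Password Reset' and 'Unlock Account' ACEs can be written with PowerShell instead of the Delegate Control wizard. The script below is an added example and not part of the original page; it assumes the ActiveDirectory module, and the OU and group names are placeholders.

```powershell
# Added example (not from the wiki page): delegate Reset Password plus
# Read/Write of pwdLastSet and lockoutTime on descendant user objects of an OU.
# Assumes the ActiveDirectory module; OU and group names are placeholders.
Import-Module ActiveDirectory

$OuDn      = "OU=Staff,DC=example,DC=com"   # placeholder OU
$GroupName = "HelpDesk"                     # placeholder group
$rootDse   = Get-ADRootDSE
$groupSid  = (Get-ADGroup $GroupName).SID

# Resolve GUIDs from the schema and the Extended-Rights container at run time
# rather than hard-coding them.
function Get-SchemaGuid([string]$LdapDisplayName) {
    $o = Get-ADObject -SearchBase $rootDse.schemaNamingContext `
        -LDAPFilter "(lDAPDisplayName=$LdapDisplayName)" -Properties schemaIDGUID
    return [guid]$o.schemaIDGUID
}
function Get-ExtendedRightGuid([string]$DisplayName) {
    $o = Get-ADObject -SearchBase "CN=Extended-Rights,$($rootDse.configurationNamingContext)" `
        -LDAPFilter "(displayName=$DisplayName)" -Properties rightsGuid
    return [guid]$o.rightsGuid
}

$userClass = Get-SchemaGuid 'user'   # "Applies To: Descendant User Objects"
$inherit   = [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents
$allow     = [System.Security.AccessControl.AccessControlType]::Allow
$rwProp    = [System.DirectoryServices.ActiveDirectoryRights]'ReadProperty, WriteProperty'
$extRight  = [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight

$aces = @(
    # Permissions: Reset password (an extended right, scoped to user objects)
    [System.DirectoryServices.ActiveDirectoryAccessRule]::new(
        $groupSid, $extRight, $allow, (Get-ExtendedRightGuid 'Reset Password'), $inherit, $userClass)
    # Properties: Read/Write pwdLastSet and lockoutTime (attribute-scoped, not "Write all")
    foreach ($attr in 'pwdLastSet', 'lockoutTime') {
        [System.DirectoryServices.ActiveDirectoryAccessRule]::new(
            $groupSid, $rwProp, $allow, (Get-SchemaGuid $attr), $inherit, $userClass)
    }
)

$acl = Get-Acl -Path "AD:\$OuDn"
$aces | ForEach-Object { $acl.AddAccessRule($_) }
Set-Acl -Path "AD:\$OuDn" -AclObject $acl

# Check what was written: only the ACEs granted to the group, with their object GUIDs.
(Get-Acl -Path "AD:\$OuDn").Access |
    Where-Object { $_.IdentityReference.Value -like "*\$GroupName" } |
    Format-Table ActiveDirectoryRights, ObjectType, InheritedObjectType, InheritanceType
```

Reviewing the resulting ACEs this way (or with the 'Advanced Security Settings' dialog in ADUC) is the check that the delegation landed on the intended OU with the intended scope and nothing broader.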
Join/Re-Join Computer to Domain
Type: Allow
Applies To: This object and all descendant objects
Permissions: Create computer objects
Type: Allow
Applies To: Descendant Computer Objects
Permissions: Reset password
Type: Allow
Applies To: Descendant Computer Objects
Permissions: Validated write to DNS host name
Permissions: Validated write to service principal name
Type: Allow
Applies To: Descendant Computer Objects
Properties: Read account restrictions
Properties: Write account restrictions
Move Computer Object
Type: Allow
Applies To: This object and all descendant objects
Permissions: Create computer objects (on the destination OU)
Permissions: Delete computer objects (on the source OU)
Type: Allow
Applies To: This object and all descendant objects
Permissions: Write all properties
Note: I found a situation where you may also need the 'Delete Subtree' permission as well if the computer object contains subobjects.
Reference
https://technet.microsoft.com/en-us/library/cc754542(v=ws.11).aspx
https://morgansimonsen.com/2013/12/17/delegating-computer-object-management-tasks-2/