Solved: How to Delegate Access for your Helpdesk or Servicedesk In Active Directory–Page 2

Creating your users

Create a new user with an adm prefix.
I’ve created an OU called Domain_Administration and created all my adm users and groups in it.

Creating the groups

This step is pretty self-explanatory. Create the groups you previously defined and add your users to the relevant group.

Defining the rights for the Level 1 Support

This gives them the ability to:
  • Change passwords
  • Reset passwords
  • Unlock users
  • Read all the attributes of an AD user
That’s generally all you want from your helpdesk. If there are others, please leave a comment.

  1. Open Active Directory Users and Computers (ADUC)
  2. Enable Advanced Features, or you won’t see the Security tab mentioned in the steps to come

  3. Navigate to the users OU that support level 1 will manage, right-click it and click Properties, then click the Security tab

  4. Click Advanced
  5. Click Add
  6. Specify your group then click OK
  7. On the Object Tab select This object and all descendant objects
  8. Click Allow for:
    • Read All properties
  9. On the drop down select Descendant User Objects and Allow the following:
    • Change Password
    • Reset Password

  10. On the drop down select Descendant User Objects and Allow the following:
    • Read lockoutTime
    • Write lockoutTime (allows them to unlock a user’s account)
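
The same grants from steps 7 to 10 can be applied with dsacls and then checked by reading the OU's ACL back. This is an added example, not part of the original post; the OU path and group name are assumptions and must be replaced with your own.

```powershell
# Added example: apply the Level 1 delegation with dsacls, then audit the result.
# Assumed values (not from the original post): $ou and $group.
Import-Module ActiveDirectory

$ou    = 'OU=Staff,DC=example,DC=com'   # assumed: OU that Level 1 support manages
$group = 'EXAMPLE\adm_Level1_Support'   # assumed: Level 1 support group

# Steps 7-8: Read all properties on this object and all descendant objects (/I:T)
dsacls $ou /I:T /G "${group}:RP"

# Step 9: Change Password and Reset Password on descendant user objects (/I:S)
dsacls $ou /I:S /G "${group}:CA;Change Password;user"
dsacls $ou /I:S /G "${group}:CA;Reset Password;user"

# Step 10: read and write lockoutTime on descendant user objects (unlock)
dsacls $ou /I:S /G "${group}:RPWP;lockoutTime;user"

# Audit: list the explicit ACEs the group now holds on the OU.
# Well-known schema GUIDs mapped to readable names.
$names = @{
    '00000000-0000-0000-0000-000000000000' = '(all)'
    '00299570-246d-11d0-a768-00aa006e0529' = 'Reset Password'
    'ab721a53-1e2f-11d0-9819-00aa0040529b' = 'Change Password'
    '28630ebf-41d5-11d1-a9c1-0000f80367c1' = 'lockoutTime'
    'bf967aba-0de6-11d0-a285-00aa003049e2' = 'user'
}

$aces = (Get-Acl "AD:\$ou").Access |
    Where-Object { $_.IdentityReference.Value -eq $group -and -not $_.IsInherited }

$aces | Select-Object AccessControlType, ActiveDirectoryRights, InheritanceType,
    @{ n = 'Target';    e = { $names["$($_.ObjectType)"] } },
    @{ n = 'AppliesTo'; e = { $names["$($_.InheritedObjectType)"] } } |
    Format-Table -AutoSize

# Flag anything broader than the delegation described above:
# powerful rights, or an object/property GUID that is not in the expected list.
foreach ($ace in $aces) {
    $broad   = $ace.ActiveDirectoryRights -match 'GenericAll|GenericWrite|WriteDacl|WriteOwner'
    $unknown = -not $names.ContainsKey("$($ace.ObjectType)")
    if ($broad -or $unknown) {
        Write-Warning "Unexpected ACE for ${group}: $($ace.ActiveDirectoryRights) on $($ace.ObjectType)"
    }
}
```

Run it from an elevated session with rights to modify the OU's ACL; the audit half alone is useful for periodically confirming the helpdesk group has not accumulated extra permissions.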

That’s it! You have just granted your level 1 support all the rights/permissions they need to do their job without putting the business at risk by giving them domain admin rights. They also have an adm account, used for administration, which is separate from their daily, general-use account.
Next we use a slightly different method to delegate the Level 2 Desktop Engineers permissions.



Copyright © 2013 The Funky Tech Guy ™ is a registered trademark.
