Delegation

[Guest]

Archived from groups: microsoft.public.win2000.active_directory (More info?)

I want to delegate the User account management tasks in Active Directory
Domain to Helpdesk agents.
For this activity I am using the builtin group called Account operators but
after adding helpdesk agents User ID into Account operators group he is able
to change the password of all domain admin accounts,delete them,rename etc.In
short he is able to do all activities on domain admin accounts and I want he
should not able to do anything with domain admin accounts but he should
continue to do the delgated task on all othe user accounts.

Even I tried with delegation wizard on main domain tree but still the
results are the same.
Can anybody suggest better method or any schema modifications?

 

[Guest]

Archived from groups: microsoft.public.win2000.active_directory (More info?)

Best bet is to move your Domain Admin Accounts to a different OU, and don't
delegate authority to that OU. You can remove delegations by right-clicking
on the OU, click Security, and then remove anything you don't want delegated.
You might have to turn off inheritance.

"Sharadkumar" wrote:

> I want to delegate the User account management tasks in Active Directory
> Domain to Helpdesk agents.
> For this activity I am using the builtin group called Account operators but
> after adding helpdesk agents User ID into Account operators group he is able
> to change the password of all domain admin accounts,delete them,rename etc.In
> short he is able to do all activities on domain admin accounts and I want he
> should not able to do anything with domain admin accounts but he should
> continue to do the delgated task on all othe user accounts.
>
> Even I tried with delegation wizard on main domain tree but still the
> results are the same.
> Can anybody suggest better method or any schema modifications?