Greetings, and welcome to the best place on the Internet to get help on AD. No question is too new or old IMHO. The way it works here is that you must be self managed, and when someone answers your question, you say thank you... Then if you ever see the same question asked, respond with the information you obtained, adding any relevant materials and experiences of your own.
Your question seems rather basic. The simple solution is to create a group, use the Delegation of Control Wizard in AD Users and Computers on the OU, and delegate the responsibilities you want the group to do. Then add users to the group, and give the users an MMC that has the AD Users and Computers snap-in. For added security, create a Task View/pad in the MMC that only lets the user see the areas in the AD that they can manage.

I recommend that you stand up a testing AD that has an AD, and a Workstation with the Admin tools on it. The Admins who create the delegations are considered the "Directory Administrators". The Admins that are delegated management tasks are the "Data Administrators". Once you can create a Delegation as a DirAdmin, then log in as the Data Admin and try to do the work. It will take trial and error. You might need some practice dealing with ACEs and stuff. Also, when users move in the directory, it is important to check and verify what ACEs transferred with them to make sure the user still has the same access.

If you don't have two machines, I highly recommend that you use VMware 4.0 to simulate your environment.

Below are several articles I recommend that you review if you want more background information, or need additional references or tools to help you in your delegation.

Good Luck
Toddler

http://www.winnetmag.com/Articles/Index.cfm?ArticleID=9646
AD Delegation of control wizard

http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnw2kmag01/html/BeyondtheActiveDirectory.asp
Beyond the AD Delegation Wizard.

http://www.aelita.com/library/whitepapers/AD_SIDH/Best_Practices_for_Designing_Secure_Active_Directory.pdf
Best Practices in AD Security

http://support.microsoft.com/default.aspx?scid=http://support.microsoft.com:80/support/kb/articles/Q235/5/31.ASP&NoWebContent=1
Security Concerns in AD Delegation Wizard

http://www.microsoft.com/technet/treeview/default.asp?url=/technet/prodtechnol/ad/windows2000/plan/bpaddsgn.asp
Best Practices on AD and Delegation

http://computing.astate.edu/win2k/GoalsnObjectives/Appendix%20E%20Delegation%20of%20Administration.htm
Nice Synthesis

Books on the Topic

http://www.amazon.com/exec/obidos/tg/detail/-/0596004664/qid=1065119839/sr=8-1/ref=sr_8_1/002-8836076-8329625?v=glance&s=books&n=507846
AD Second Edition - Robbie Allen

http://www.amazon.com/exec/obidos/tg/detail/-/1565924916/ref=pd_bxgy_img_2/002-8836076-8329625?v=glance&s=books
LDAP

http://www.amazon.com/exec/obidos/ASIN/0596004648/qid%3D1065119941/sr%3D11-1/ref%3Dsr%5F11%5F1/002-8836076-8329625
AD Cookbook

http://www.amazon.com/exec/obidos/tg/detail/-/1578702429/qid=1065119839/sr=5-2/ref=cm_lm_asin/002-8836076-8329625?v=glance
Windows 2000 Design and Deployment

http://www.amazon.com/exec/obidos/ASIN/0782128815/qid=1065120129/sr=2-1/ref=sr_2_1/002-8836076-8329625
Group Policies and Intellimirror

http://www.amazon.com/exec/obidos/tg/detail/-/0321133455/qid=1065120092/sr=1-1/ref=sr_1_1/002-8836076-8329625?v=glance&s=books
Admin 911 Group Policies

http://www.amazon.com/exec/obidos/tg/detail/-/0072129484/ref=pd_sim_books_1/002-8836076-8329625?v=glance&s=books
Troubleshooting Microsoft Technologies

Recommended Software (Major Players)

www.aelita.com
Enterprise Directory Administrator
I currently use this and it won .Net Magazine's Award for best management tool. Great Web and 32bit console. Sports layered security model for delegation. Optimizes AD and can be used to manage multiple forests.

www.bindview.com
BV-Admin
Some organizations where I work use this tool

www.quest.com
Active Roles
Evaluated the software, and it set the standard for Native Role based delegation.

-----Original Message-----
From: Shadow Roldan [mailto:[EMAIL PROTECTED]
Sent: Thursday, October 02, 2003 11:48 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] hello and a question

Hi

I'm new to the list so excuse me if I come across as a lame-o!

We have a win2k environment w/ exchange 2k. There's only one little problem I'm having with active directory: we would like to have our Admins (read administrative assistants, not sys-admins) do the chores of maintaining the active directory user information, i.e., updating a user's business phone, cell phone, address, etc. However, this person cannot have access to change anything else, such as disabling an account, adding an email address etc. I cannot, for the life of me, figure out how to assign permissions just so...

Any advice would be greatly appreciated.

--
Shadow Roldan
IT Manager
Zero G Software, Inc.
tel: 1-415-512-7771 x306
cell: 1-415-370-3782
mailto: [EMAIL PROTECTED]
www.ZeroG.com
The leading provider of multi-platform software deployment solutions.

--
List info : http://www.activedir.org/mail_list.htm
List FAQ : http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
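
An added example, not part of either message in this thread: one way to script the per-attribute delegation the reply describes for the case in the question (contact details only), using dsacls.exe from the AD admin tools. The OU, domain and group names are hypothetical, and the attribute list is an assumption about which fields count as "user information".

```powershell
# Added example. Hypothetical names: replace with your own OU and group.
$TargetOu = 'OU=Staff,DC=example,DC=com'       # assumed OU holding the user accounts
$Group    = 'EXAMPLE\Contact-Info-Editors'     # assumed group for the assistants

# LDAP names of the contact attributes the group may edit.
# Deliberately absent: userAccountControl (enable/disable an account)
# and proxyAddresses (e-mail addresses), which the question wants off limits.
$Attributes = @(
    'telephoneNumber',   # business phone
    'mobile',            # cell phone
    'streetAddress',
    'l',                 # city
    'st',                # state
    'postalCode'
)

foreach ($attr in $Attributes) {
    # /I:S  applies the ACE to child objects only, not the OU itself.
    # RPWP;<attr>;user  grants read/write of that one property,
    # inherited only by user objects under the OU.
    & dsacls.exe $TargetOu /I:S /G "${Group}:RPWP;$attr;user" | Out-Null
    if ($LASTEXITCODE -ne 0) {
        throw "dsacls failed while delegating '$attr' on $TargetOu"
    }
}

# Review step: dump the OU's ACL and show every entry that names the group,
# with the two following lines, so unexpected grants stand out.
$report = & dsacls.exe $TargetOu |
    Select-String -Pattern $Group -SimpleMatch -Context 0,2
$report

# Final check, as the reply recommends: log in as a member of the group
# and confirm that editing a phone number works and disabling an account
# is refused.
```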
