Managing AD Users
PRACTICE ! PRACTICE ! PRACTICE !
Observe the organizational chart and change the AD to match it!

Delegation
One of the nice things we can do in AD is to give specific users some control over some OUs.
This process is known as delegation. It allows you to grant users specific privileges to perform advanced tasks on OUs without needing a Domain Administrator to step in.

Imagine a scenario where the marketing team or the sales team faces some software issues on their systems that need to be rectified in no time. The Domain Admin cannot step in and solve the issue every time, so what if he instead just grants the required permissions (delegations) to the IT Support team?
Now let's assume that Sophie, who's from the Sales team, is using a default password and the IT support guy Phillip has the delegation to reset her password. How will he do it? To delegate control to the IT guy Phillip, we'll have to add him first!



Clicking Next sets the required permissions (the delegation) for the IT user Phillip to reset the password of Sophie from the Sales team. Now let's RDP into Phillip's system to unleash his powers :)
xfreerdp /v:10.10.130.92 /u:'THM\phillip' /p:Claire2008 /dynamic-resolution /cert-ignore
But the catch is that the IT user Phillip doesn't have enough privileges to open the Active Directory Users and Computers application, so we'll have to use PowerShell in order to reset Sophie's password:
PS C:\Users\phillip> Set-ADAccountPassword sophie -Reset -NewPassword (Read-Host -AsSecureString -Prompt 'New Password') -Verbose
New Password: rootme@321
VERBOSE: Performing the operation "Set-ADAccountPassword" on target "CN=Sophie,OU=Sales,OU=THM,DC=thm,DC=local".
So now we've successfully reset the password, but we as Phillip (the IT guy) don't have any rights to communicate with the Sales team user Sophie, and we wouldn't want Sophie to keep on using a password we know, so we can also force a password reset at the next logon:
PS C:\Users\phillip> Set-ADUser -ChangePasswordAtLogon $true -Identity sophie -Verbose
VERBOSE: Performing the operation "Set" on target "CN=Sophie,OU=Sales,OU=THM,DC=thm,DC=local".
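To check afterwards who actually holds this kind of delegation, here is an added example (not part of the original notes) that reads the OU's ACL and lists every identity allowed to reset passwords or write pwdLastSet. It assumes the RSAT ActiveDirectory module is available and that the delegation was made on the Sales OU whose DN appears in the verbose output above; the function name Get-PasswordResetDelegation is made up for this example.

```powershell
# Added example (not from the original notes): audit password-reset delegation on an OU.
# Assumes the RSAT ActiveDirectory module, which provides the AD: drive used by Get-Acl.
Import-Module ActiveDirectory

# Well-known schema GUIDs that the delegation ACEs refer to
$ResetPassword = [guid]'00299570-246d-11d0-a768-00aa006e0529'  # extended right User-Force-Change-Password
$PwdLastSet    = [guid]'bf967a0a-0de6-11d0-a285-00aa003049e2'  # attribute pwdLastSet

# Hypothetical helper name, chosen for this example
function Get-PasswordResetDelegation {
    param([Parameter(Mandatory)][string]$OrganizationalUnit)

    $adr = [System.DirectoryServices.ActiveDirectoryRights]
    $acl = Get-Acl -Path "AD:\$OrganizationalUnit"

    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        $rights = $ace.ActiveDirectoryRights

        # Classify the ACE; $grant stays $null when it is unrelated to password resets
        $grant = if ($rights.HasFlag($adr::ExtendedRight) -and $ace.ObjectType -eq $ResetPassword) {
            'Reset password'
        } elseif ($rights.HasFlag($adr::ExtendedRight) -and $ace.ObjectType -eq [guid]::Empty) {
            'All extended rights (includes reset password)'
        } elseif ($rights.HasFlag($adr::WriteProperty) -and $ace.ObjectType -eq $PwdLastSet) {
            'Write pwdLastSet (force change at next logon)'
        }
        if (-not $grant) { continue }

        [pscustomobject]@{
            Identity  = $ace.IdentityReference.Value
            Grant     = $grant
            Inherited = $ace.IsInherited
            AppliesTo = $ace.InheritanceType
        }
    }
}

# DN taken from the VERBOSE output above; that the delegation sits on this OU is an assumption
Get-PasswordResetDelegation -OrganizationalUnit 'OU=Sales,OU=THM,DC=thm,DC=local' |
    Sort-Object Identity, Grant | Format-Table -AutoSize
```

Built-in administrative groups with full control show up under "All extended rights", so the rows worth reviewing are the ones naming individual users or support groups.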