Delegate AD permissions to HR.

Hi,
In our environment we have AD 2012 R2, Lync 2013, Exchange 2013. No System Center Manager, no SharePoint.
We want to delegate permissions to HR managers to change contact information (Department, Phone number, job title, etc.). We are going to delegate permissions for each HR manager to a specific OU. First of all, we will bring them in and train them to do it. But before doing it
I want to know the best practices for that.
1. Which software to use? Should we install AD Management tools on their computers? Or maybe allow Exchange web ECP access? For example, AD Administrative Center is very user-friendly but very slow. Even on good computers it takes time to load. PowerShell
will be very complicated. ECP doesn't need additional software, but it shows many options that HR shouldn't see, and additional permissions are required. Is there any free solution that will provide HR with easy, user-friendly access to see and change only
their own users?
2. How to grant these permissions? Permission only to update users' contact information. No user creation, no mailbox quota permissions.

Hi,
1. Which software to use?
You can achieve this without installing any tool.
We can search Active Directory objects on domain-joined machines through
Network; there is a Search Active Directory button:
After the intended user is found, a user who has the corresponding rights can modify information in the General, Address and Business sections.
Best Regards,
Amy
Please remember to mark the replies as answers if they help and un-mark them if they provide no help. If you have feedback for TechNet Subscriber Support, contact
[email protected]
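One way to grant exactly what the question asks for (write access to a handful of contact attributes on user objects in one OU, with no create, delete or password rights), as an added example that is not from this thread. It assumes the RSAT ActiveDirectory module is installed; the OU path and group name are placeholders, and the attribute list is a sample.

```powershell
# Added example (not from the thread). Grants one AD group WriteProperty on a short list of
# contact attributes, scoped to user objects under a single OU. Nothing else is granted.
# Assumptions: RSAT ActiveDirectory module present; $OU and $Group are placeholders.
Import-Module ActiveDirectory

$OU    = 'OU=Staff,DC=corp,DC=example'   # placeholder: OU the HR manager is responsible for
$Group = 'HR-ContactEditors'             # placeholder: domain group containing the HR managers
$Attrs = 'department', 'title', 'telephoneNumber', 'mobile', 'physicalDeliveryOfficeName'

$schemaNC      = (Get-ADRootDSE).schemaNamingContext
$userClassGuid = [guid]'bf967aba-0de6-11d0-a285-00aa003049e2'   # schemaIDGUID of the "user" class
$groupSid      = (Get-ADGroup -Identity $Group).SID

$acl = Get-Acl -Path "AD:\$OU"
foreach ($attr in $Attrs) {
    # Resolve the attribute's schemaIDGUID so the ACE applies to this one property only.
    $attrGuid = [guid](Get-ADObject -SearchBase $schemaNC -LDAPFilter "(lDAPDisplayName=$attr)" `
                                    -Properties schemaIDGUID).schemaIDGUID
    # WriteProperty on this attribute, inherited by user objects below the OU (not the OU itself).
    $ace = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
        $groupSid,
        [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty,
        [System.Security.AccessControl.AccessControlType]::Allow,
        $attrGuid,
        [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents,
        $userClassGuid)
    $acl.AddAccessRule($ace)
}
Set-Acl -Path "AD:\$OU" -AclObject $acl

# Review what was granted: each ACE should be WriteProperty, tied to one attribute GUID
# (ObjectType) and to the user class (InheritedObjectType). Anything broader is a mistake.
(Get-Acl -Path "AD:\$OU").Access |
    Where-Object { $_.IdentityReference.Value -like "*\$Group" } |
    Select-Object ActiveDirectoryRights, ObjectType, InheritedObjectType, InheritanceType
```

The final query is the check to keep in a change ticket: if it lists GenericAll, WriteDacl, or an empty ObjectType, the delegation is wider than intended.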

Similar Messages

  • Hyper-V 2012 R2 Console Permissions

    Hi guys
I asked this question before, but I'm not sure I phrased it correctly. It is now extremely critical I find some kind of answer, so I thought I'd try and break it down a bit more in a new thread.
    - Previously, in Windows 2008 R2, you could delegate per VM Hyper-V console permissions using AzMan. This worked great. 
    - In 2012 R2 this does not seem to be possible. AzMan is now deprecated. Fine. I get this. 
    - What is now possible is that a user be a member of the Hyper-V administrators groups, this grants console access to all VMs. All previous mechanisms of obtaining console access work using any user that is a member of this group. 
    - If you wish to delegate console permissions that are granular to a single VM in 2012 R2, how do you do this? Is it even possible now?
- I am not using SCVMM, and will not be using SCVMM at any point in the future, although the real issue here is the scoping of permissions. So if SCVMM can do it somehow, it must be delegating permissions somehow?
    Thanks for your time. Really appreciate it. 

    Hi Hob_Gadling,
I am afraid you cannot achieve that with only the Server 2012 R2 Hyper-V role at present.
    Best Regards
    Elton Ji
We are trying to better understand customer views on social support experience, so your participation in this interview project would be greatly appreciated if you have time.
Thanks for helping make community forums a great place.

  • Delegate not receiving "Proposed New Time" items

    I am looking at a principal who has given delegate access to his admin and configured the delegate to receive all meeting related items. I've verified this in the principal's mailbox. The meeting invitations all are sent from the principal's calendar
    and the delegate sees the requests and all acceptances/declinations; however, the delegate is NOT receiving "Proposed New Time" items. The principal does receive them, thus we know the option to "Allow New Time Proposals" is not
    disabled.
    The one oddity I saw was that the principal had given the delegate "owner" permissions to his calendar, which makes the permissions appear as "Custom" in his Outlook. However, in Office 365, GET-MAILBOXFOLDERPERMISSIONS <ALIAS>:\CALENDAR
    shows that the delegate has Editor permissions. I reset the permissions in the principal's calendar to "Editor" to remove the "custom" setting (once upon a time, custom settings used to cause issues in Outlook). The change, however, had
    no effect.
    Any ideas?

    Hi Taj,
It's by design. Decline and Propose New Time is the same as declining a meeting request. When you decline a meeting, this meeting will be automatically deleted from your calendar.
If you want to propose a new time, you can try another option: Tentative and Propose New Time. By default, you will tentatively accept the meeting.
    More details about Propose, accept, or decline a new meeting time, for your reference:
    https://support.office.microsoft.com/en-us/article/Propose-accept-or-decline-a-new-meeting-time-6e249871-0755-4171-8250-c5cbac240d33?CorrelationId=f66c9068-6d89-44f9-8286-2b44f9d17b46&ui=en-US&rs=en-US&ad=US
    Best Regards,
    Allen Wang

  • How to configure iCloud for a family

With the move from MobileMe to iCloud, I am challenged with how to best configure multiple Apple IDs, MobileMe legacy accounts, and iCloud accounts for a family of four.
    Intentions:
    - Have the ability to unify family purchased music, movies, apps, as well as photos into one place
    - All family members have the ability to access above media library
    - Share this media in a way that is low maintenance and more secure than sharing with friends
    Pre-iCloud:
    - A single Apple ID ([email protected]) that I use for Apple store purchasing, this community, etc.
    - A single MobileMe account ([email protected]) that until now I have used on all iOS and Mac devices INCLUDING MY WIFE AND KIDS (oops?)
    Since iCloud:
    - Setup the [email protected] as an iCloud account (had no legacy data)
    - Migrated [email protected] from MobileMe to iCloud account
    - Setup [email protected] as a new iCloud account
    - Setup [email protected] as a new iCloud account
    - Setup [email protected] as a new iCloud account
    The trouble is, I have no way to 'link' [email protected], wife@, boy@, and girl@ to do any sharing that [email protected] or [email protected] couldn't also access.
    What's the "Apple way" of setting up a family in iCloud?

    amichalo wrote:
    The trouble is, I have no way to 'link' [email protected], wife@, boy@, and girl@ to do any sharing that [email protected] or [email protected] couldn't also access.
    For this very reason, I switched my family calendars over to Google several months ago.  I have a family of 4 as well and my children are fairly young, so I wanted them to be able to see my calendar without risk of them accidentally deleting something from it.  I was able to set up a separate account for each family member and then "delegate" calendar permissions to other family members.  My wife and I can update all four calendars.  My children can each update their own calendar, and can see the other calendars, but can't update them.  None of the calendars are visible to the public.
    I hope this helps you with that one issue.  I wish I could answer all of your questions, but I can't.  I'm struggling with how to best manage a family of four in this new environment myself and will keep an eye on your thread here in hopes of finding answers to my own questions.  I also started my own thread before finding yours.  I'll link to it in case any helpful information turns up there:
    https://discussions.apple.com/message/16432513#16432513

  • Installing new SCCM 2012 infrastructure over an existing SCCM 2012 Infrastructure

    Greetings,
    I currently have a standalone SCCM 2012 environment running in production.  This implementation isn't in a hierarchy and doesn't support Macs (non-PKI/HTTPS infrastructure), but is managing 1500 PC clients beautifully.
    However, we have some sites out-of-state that need to be in their own Primary Site, as well as Macs across both sites need managing as well.  
    I have made a new environment entirely on 2012 infrastructure (2012 SCCM, 2012 Server, and 2012 SQL).  This includes a CAS at the top, a PRI for my current site, and SQL for both (all on different hardware, new names, etc.).  I've installed a PKI
    infrastructure, and it's currently working fine managing the three servers it contains.
I need to start migrating all of the clients and services to the 'new' SCCM implementation, but pushing the SCCM client installs over the old SCCM doesn't seem to change any settings. Nor does changing site settings in the control panel of a client.
    Anyone know how to configure new site settings without re-installing the SCCM clients on the 'old' infrastructure?
    Thanks~

    Have you ever used group policy for site assignment? This caught me out when upgrading to a new site code. If it has ever been used, it brands the registry and no amount of tinkering in the configuration manager console or client installation methods could
    fix it.
    To fix our site, I removed the offending GPO settings and set the 'GPRequestedSiteAssignmentCode', 'GPSiteAssignmentRetryDuration(Hours)' and 'GPSiteAssignmentRetryInterval(Min)' items under 'HKLM\Software\Microsoft\SMS\Mobile Client' to delete via GPP.
    Details and symptoms I found at http://blog.coretech.dk/heh/new-agents-will-not-re-assign-to-configmgr-2012-site/.
    Jilhad,
    Looks like most of the machines I was testing were indeed installed via GP before I was able to install via the console.  
    Deleting those registry keys allowed me to push the install over the old environment using 'Install Client' from the 'Devices' console, specifying to re-install client.
Now, I just have to figure out a script to remove those keys via SCCM.
***Most of you were wondering why I was installing a CAS environment; it's really because this site doesn't conform all that well to our policies, and they will ultimately be administering their own environment. It seemed to me that it would be easier for me to delegate control/permissions/data using a hierarchy. It was a tough decision. ***
    Thank you all for your help!

  • AD Built-In groups that should be avoided as best practice

I am on a 2008 R2 domain.  I spoke to a security engineer from Microsoft a few years ago.  He mentioned some known issues that can occur from using some of the built-in security groups like Account Operators, Backup Operators, Server Operators,
etc. I know all of the users of those protected groups get stamped by the AdminSDHolder account, but does anyone have a good webpage that talks about which built-in groups should really be avoided as best practice?  I am not as concerned with the actual
admin groups as those are pretty obvious.
    Thanks,
    Dan Heim

Because being a member of those groups means you can effectively become an Enterprise Admin of the entire forest, since they can reset passwords, log on to domain controllers, etc. Take his advice and don't use them; they exist as a legacy from Windows
NT 4.0.
Use delegation in Active Directory instead to delegate proper permissions.
    Enfo Zipper
    Christoffer Andersson – Principal Advisor
    http://blogs.chrisse.se - Directory Services Blog

  • Orchestrator security of Integration configuration accounts

I have just installed Orchestrator 2012 R2 and I am planning to use the application to carry out several activities, including general maintenance tasks as well as controlling the delegation of security permissions.
I have 2 teams of people that are required to carry out the different tasks.
The first team needs to configure the general maintenance tasks and will require an AD account that has read-only or limited AD permissions.
The second team needs to configure a runbook to delegate security permissions for Domain Admin accounts and so needs full Domain Admin permissions.
Is there a way that I can allow both teams to have the Active Directory Integration Pack without the first team being able to use the high-privilege credentials?

    Only if you have a separate Orchestrator instance for each team.  Integration Pack permissions are common to all Runbook Designer users.

  • Added existing domain to the parent domain and now permission not inheriting on the child domain

    Hi Friends
There was an existing domain, but we bought the company and made that domain a child domain of our domain. The problem is that users of the parent domain do not have access to the child domain; permissions are not inheriting from the parent domain to the child domain.
For example, I created a user on the parent domain and I can't even log in to a machine in the other domain or access the resources which are on the child domain.

    Simply delegate the permissions you want to grant so that users from the root domain can have access to resources in the child domain.
As an example, you can let users from the parent domain log on to computers in the child domain using the
Allow logon locally group policy: http://technet.microsoft.com/en-us/library/cc756809%28v=ws.10%29.aspx
You can also make them able to RDP to the computers if you add them to the Remote Desktop Users
group. This could be done by the Restricted Groups Group Policy.
So, for security reasons and depending on your current configuration, it is normal that users from the root domain might not have access by default to resources in the child domain. This could be fixed by doing the proper delegation.
    This posting is provided AS IS with no warranties or guarantees , and confers no rights.
    Ahmed MALEK

  • Domains

I know it is said that you should, but can someone explain to me the benefits of having separate domains for servers and accounts?

This statement is not clearly correct. As per best practices, you should have at least two domains in the Active Directory:
1) Forest root domain. This is the most important domain, because if you lose it, you will lose the entire Active Directory. The forest root domain should contain only forest-wide (or infrastructure) servers (for example, ADCS) and administrative accounts
only. Only enterprise admins are allowed to log on to this domain.
2) Business domain. This domain contains user (as well as administrative) and computer accounts, as well as application servers (RDS, IIS, SharePoint, SQL, etc.). You can delegate administrative permissions in these domains.
If necessary, you can have multiple business domains which will serve the organization's IT infrastructure.
    The benefit is decentralized administration and role separation.
    My weblog: en-us.sysadmins.lv
    PowerShell PKI Module: pspki.codeplex.com
    PowerShell Cmdlet Help Editor pscmdlethelpeditor.codeplex.com
Check out new: SSL Certificate Verifier
Check out new: PowerShell FCIV tool.

  • OVM Manager 3.0 user management missing?

Has anyone had any luck finding where to add/manage users in OVM Manager? The concept seems pretty standard but I've looked everywhere and don't see a place to manage users. There's no way we could use this in a production environment unless we could assign users and permissions to things.
    Edited by: Dave on Aug 25, 2011 8:14 AM

    bmace,
Thanks, but that wouldn't help our situation as we need to delegate certain permissions to those users; for example, we need to be able to give a user access to reboot/start/stop a guest, but not delete or do anything destructive.
    Hopefully Oracle is working on this, sooner rather than later.

  • UAC Appears When Opening MMC on Windows 7

    Hello
I want to delegate password resets to certain users that do not have local admin rights. In my test environment, I was able to delegate the permissions in AD, then create a custom MMC with limited access, install RSAT on the client, and then run the MMC
as a standard user. In my production environment, I followed the same process, but when attempting to run the custom MMC (or even a blank MMC), UAC appears, so a standard user would not be able to proceed. In both environments, UAC is set to the default setting
on the client.
Just wondering what normal behaviour is for using MMC? Should I be getting this UAC prompt, or should things be like they are in my test environment?
    Cheers
    Glenn

    Hi, thanks for the reply. 
I actually want the users to be able to use the custom MMC (and not Active Directory Users and Computers) that I have created, as the console only lists the user accounts from the OU where the access has been delegated. In my production network, it would
be possible if the users had local admin rights, but I want to avoid that if possible. In my test network, local admin rights aren't required when opening MMC, so I'm trying to figure out why it occurs on the production network.

  • Need help with multi database query.

    Hello,
I am working on a query between multiple databases to be viewed on a web app.  We have multiple web apps and we are integrating some functionality between them all into one page.
The data will be for a delegate someone sets for themselves (they can have more than one also).  I need a way to pull the data and view it as follows.
User, UserNumber, DelegateName, ForApp, ForApp, ForApp, ForApp, ForApp, ForApp
I have had no problem pulling the delegates themselves and which apps they are a delegate for, but not which person they are the delegate for.
SELECT DISTINCT
    dbo.Employee.Position_Num AS Delegate_Position,
    dbo.Employee.Name AS [Delegate Name],
    (CASE WHEN Hierarchy.dbo.Employee.Position_Num = CVI_Delegate.Delegate THEN 1 ELSE 0 END) AS For_CVI,
    (CASE WHEN Hierarchy.dbo.Employee.Position_Num = Travel_Delegate.Delegate THEN 1 ELSE 0 END) AS For_Travel,
    (CASE WHEN Hierarchy.dbo.Employee.Position_Num = Dept_Deposits_Delegate.Delegate THEN 1 ELSE 0 END) AS For_DeptDeposit,
    dbo.OKCorral_Delegate.For_UserRoles AS For_OkCorralUR,
    dbo.OKCorral_Delegate.For_FiscalApprover AS For_OkCorralFA,
    (CASE WHEN Hierarchy.dbo.Employee.Position_Num = Reqs_Delegate.Delegate THEN 1 ELSE 0 END) AS For_Reqs
FROM dbo.Employee
    LEFT OUTER JOIN Reqs.dbo.Delegate AS Reqs_Delegate ON dbo.Employee.Position_Num = Reqs_Delegate.Position
    LEFT OUTER JOIN DeptDeposits.dbo.Delegate AS Dept_Deposits_Delegate ON dbo.Employee.Position_Num = Dept_Deposits_Delegate.Position
    LEFT OUTER JOIN CVI.dbo.Delegate AS CVI_Delegate ON dbo.Employee.Position_Num = CVI_Delegate.Position
    LEFT OUTER JOIN dbo.OKCorral_Delegate ON dbo.Employee.Position_Num = dbo.OKCorral_Delegate.Position
    LEFT OUTER JOIN Travel.dbo.Delegate AS Travel_Delegate ON dbo.Employee.Position_Num = Travel_Delegate.Position
This query works fine.  The problem I run into is I have to use the same Employee table to get the EmployeeName and Number,
which will be used for both the person and the delegate.  Any ideas will be a great help.  It had been suggested I use a procedure to accomplish this, but I have no idea where to start with that.  I also have tried a nested sub-query, but since
a person can have more than one delegate for an app, this throws errors.  Thanks.
    George Fields

Ok, here are the tables. Travel Application Database / Delegate Table
    INSERT INTO [Travel].[dbo].[Delegate]
    ([Position]
    ,[Delegate]
    ,[StartDate]
    ,[EndDate]
    ,[CreateDate]
    ,[EditDate])
    VALUES
    (<Position, char(6),>
    ,<Delegate, char(6),>
    ,<StartDate, datetime,>
    ,<EndDate, datetime,>
    ,<CreateDate, datetime,>
    ,<EditDate, datetime,>)
    GO
Requisitions Application / Delegate Table
    INSERT INTO [Reqs].[dbo].[Delegate]
    ([Position]
    ,[Delegate]
    ,[StartDate]
    ,[EndDate]
    ,[CreateDate]
    ,[EditDate])
    VALUES
    (<Position, char(6),>
    ,<Delegate, char(6),>
    ,<StartDate, datetime,>
    ,<EndDate, datetime,>
    ,<CreateDate, datetime,>
    ,<EditDate, datetime,>)
    GO
Hierarchy Database for Purchasing Application / Delegates Table
    INSERT INTO [Hierarchy].[dbo].[OKCorral_Delegate]
    ([Dept_Campus]
    ,[For_DeptNum]
    ,[Position]
    ,[Delegate]
    ,[StartDate]
    ,[EndDate]
    ,[CreateDate]
    ,[EditDate]
    ,[For_FiscalApprover]
    ,[For_UserRoles])
    VALUES
    (<Dept_Campus, char(2),>
    ,<For_DeptNum, char(5),>
    ,<Position, char(6),>
    ,<Delegate, char(6),>
    ,<StartDate, datetime,>
    ,<EndDate, datetime,>
    ,<CreateDate, datetime,>
    ,<EditDate, datetime,>
    ,<For_FiscalApprover, bit,>
    ,<For_UserRoles, bit,>)
    GO
Hierarchy Database / Employee Table
    INSERT INTO [Hierarchy].[dbo].[Employee]
    ([Dept_Num]
    ,[Position_Num]
    ,[Email]
    ,[Name]
    ,[Campus]
    ,[CWID]
    ,[Student]
    ,[Employee]
    ,[OPID]
    ,[Gender]
    ,[Birth_Date])
    VALUES
    (<Dept_Num, char(5),>
    ,<Position_Num, char(6),>
    ,<Email, varchar(75),>
    ,<Name, varchar(150),>
    ,<Campus, char(2),>
    ,<CWID, varchar(16),>
    ,<Student, char(1),>
    ,<Employee, char(1),>
    ,<OPID, char(4),>
    ,<Gender, char(1),>
    ,<Birth_Date, char(8),>)
    GO
The other two databases also have a delegate table similar to the ones above.  As you can see, all information about an employee is linked by their position number in the Employee Table.
The Position Number is used in the Position field and Delegate field of all the Delegate tables.
I need to pull an employee (actually all of them), list them, and then show the delegates for them by which applications the delegate holds permissions to, which is the purpose of the delegate.  So a delegate may only be a delegate for one application
or multiple, which is why I am pulling from multiple databases.
    George Fields

  • Ability to create GPOs, but only link them to specific OU

    Hi guys,
Running a 2008 R2 domain.  I need to delegate the permissions to create new GPOs to a specific account, but I want that account to only be able to link them to a specific OU.  I know how to delegate the link permissions to specific OUs, but
not how to delegate permissions to create GPOs without making the account a member of Group Policy Creator Owners, which would give it the ability to edit other GPOs.  If anyone knows a way I can delegate permissions to create new GPOs (but not edit existing
GPOs), please let me know.  I was checking the User Rights Assignments in the Default Domain Controllers Policy, but not seeing the ability to add a user in there.
    Dan
    Dan Heim

Hi Dan,
If you want to delegate permissions to create GPOs, you can refer to the following steps:
1. Open Group Policy Management.
2. In the console tree, click Group Policy Objects in the forest and domain for which you want to delegate creation rights for Group Policy objects (GPOs).
3. In the results pane, click the Delegation tab.
4. Click Add.
5. In the Select User, Computers, or Groups dialog box, click Object Types, select the types of objects to which you want to delegate creation rights for GPOs, and then click OK.
6. Click Locations, select either Entire Directory or the domain or organizational unit containing the object to which you want to delegate creation rights, and then click OK.
7. In the Enter the object name to select box, enter the name of the object to which you want to delegate creation rights by doing one of the following:
◦ If you know the name, type it, and then click OK.
◦ To search for the name, click Advanced, enter the search criteria, click Find Now, select the name in the list box, click OK, and then click OK.
Based on my test, after delegating creation of GPOs to a user by following the steps above, the user will not have permissions to edit GPOs that were not created by himself.
    For more detail information about delegating creation of GPOs , you can refer to the following link:
    Delegate creation of Group Policy objects using GPMC
    http://technet.microsoft.com/en-us/library/cc739363(v=ws.10).aspx#BKMK_Addgroup
    Best Regards,
    Erin

  • Office 365 Shared External Contacts - how do I delegate Edit and Update permissions to users

    Hello
    Office 365 Shared External Contacts - how do I delegate Create/Update/Delete/Edit permissions to users who are not Admins? These Contacts are in the Global Address List. Not Outlook personal Contacts. O365 Small Business Premium

    Hi,
To grant users delegate permissions, open Outlook, go to FILE -> Info -> Account Settings -> Delegate Access -> Add -> Search and add the user, click OK -> Edit the permission of the user. We can set different permissions in the drop-down box
for Contacts.
There are four permissions for Contacts:
    1. None
    2. Reviewer (can read items)
    3. Author (can read and create items)
    4. Editor (can read, create, and modify items)
    Select the permission that you want to grant the user.
    We can also modify the permission later in this section.
    I hope the information is helpful, if I misunderstood anything, feel free to correct me and provide more detailed description of the question.
    Regards,
    Melon Chen
    Forum Support
    Come back and mark the replies as answers if they help and unmark them if they provide no help.
If you have any feedback on our support, please click here.

  • Delegate permissions to edit only certain settings in a GPO?

We are running a 2008 R2 domain. I know this is doubtful, but thought I would ask.  We have lots of drive mappings through a single GPO (mapping is through GPP). I would like to delegate the editing of those drive mappings to a help-desk
user. That is easy, but we are concerned about that delegation because this GPO is targeting all users in the company.  Is there any way, through PowerShell or unique permissions applied to certain parts of the SYSVOL GPO, to block it so that certain users
can only edit specific parts of that GPO?  Basically, I want to restrict the editing of the GPO to only those drive mapping GPP settings.
    Dan Heim

You cannot. And I would advise not giving help-desk permissions to edit a GPO in production.
You could do the drive mapping in a logon script, have the logon script read a file containing the mappings, and give RW permissions for that file to the help-desk users.
    MCP/MCSA/MCTS/MCITP
