We are using Active Directory on Windows Server 2012 R2. All employees are using a desktop with Windows 7 which is connected to the domain. Our 1st line helpdesk users don't have access to Active Directory on the Windows Server and they will never get this access.
We would like to give the helpdesk users read-only access to Active Directory in Windows 7. The goal is for them to be able to check whether someone's user is locked or not. How can I achieve this goal?
They already have read-only access (every domain user does unless you specifically take it away). Just have them install the Remote Server Administration Tools (RSAT): https://www.microsoft.com/en-ca/download/details.aspx?id=7887
Then they can run AD Users and Computers (dsa.msc) from their own machine.
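A command-line version of the same lockout check, as an added example that is not part of the original answer. It assumes the RSAT feature "Active Directory Module for Windows PowerShell" is enabled on the helpdesk machine; the function name `Get-AccountLockStatus` and the account names are hypothetical.

```powershell
# Added example: read-only lockout check run as an ordinary domain user.
# Written for PowerShell 2.0 (the Windows 7 default), so the module is
# imported explicitly and PSObject is used instead of [PSCustomObject].
Import-Module ActiveDirectory

function Get-AccountLockStatus {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory = $true, ValueFromPipeline = $true)]
        [string]$SamAccountName
    )
    process {
        try {
            # Only reads attributes; no write permission is needed.
            $user = Get-ADUser -Identity $SamAccountName -ErrorAction Stop `
                -Properties LockedOut, AccountLockoutTime, Enabled,
                            BadLogonCount, LastBadPasswordAttempt
        }
        catch [Microsoft.ActiveDirectory.Management.ADIdentityNotFoundException] {
            Write-Warning "No account named '$SamAccountName' was found."
            return
        }

        # LockedOut is derived from lockoutTime, which replicates between
        # domain controllers. BadLogonCount and LastBadPasswordAttempt are
        # kept per domain controller, so they only reflect the DC queried.
        New-Object PSObject -Property @{
            SamAccountName         = $user.SamAccountName
            Enabled                = $user.Enabled
            LockedOut              = $user.LockedOut
            AccountLockoutTime     = $user.AccountLockoutTime
            BadLogonCount          = $user.BadLogonCount
            LastBadPasswordAttempt = $user.LastBadPasswordAttempt
        } | Select-Object SamAccountName, Enabled, LockedOut, AccountLockoutTime,
                          BadLogonCount, LastBadPasswordAttempt
    }
}

# Check specific accounts (hypothetical names):
'jdoe', 'asmith' | Get-AccountLockStatus | Format-Table -AutoSize

# List every user account that is currently locked out:
Search-ADAccount -LockedOut -UsersOnly |
    Select-Object SamAccountName, LockedOut, LastLogonDate
```

A disabled account (`Enabled` is `False`) is a different state from a locked one, which is why both columns are shown.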