
Organizations all too often grant IT staff Domain Admin rights in Active Directory to perform administrative tasks that require only a small subset of those permissions. In this article I will show you how to grant an AD group permission to reset passwords and unlock user accounts using Active Directory’s Delegation of Control Wizard. Once you’re familiar with the process, you will be able to use the same wizard to delegate other tasks.
It’s preferable to create an OU structure so that you can apply different delegated permissions and Group Policy Objects (GPOs) to different sets of AD objects. For example, you may not want to give helpdesk users the ability to manage sensitive user accounts, in which case those accounts need to be located in their own OU so that different delegation and management policies can be applied to them.
For the purposes of this guide, I’ll delegate permissions to objects in the standard Users container.
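The wizard writes access control entries (ACEs) on the target container; the following PowerShell script, added here as an example and not part of the original article, sets the same ACEs the wizard's "Reset user passwords and force password change at next logon" and unlock tasks create, so you can see exactly what is being granted and reproduce it without clicking through the UI. It assumes the ActiveDirectory module (RSAT) is installed, and the group name "Helpdesk-PasswordReset" and domain "contoso.com" are placeholders. The required GUIDs are read from the forest schema and configuration partition rather than hard-coded.

```powershell
# Added example (not from the original article): delegate password reset and account
# unlock on the Users container to a group, equivalent to the Delegation of Control Wizard.
# Assumptions: group 'Helpdesk-PasswordReset' and domain contoso.com are placeholders.
Import-Module ActiveDirectory

$GroupName = 'Helpdesk-PasswordReset'          # assumed group name
$TargetDN  = 'CN=Users,DC=contoso,DC=com'      # assumed domain; the article's target container

$rootDse  = Get-ADRootDSE
$schemaNC = $rootDse.schemaNamingContext
$configNC = $rootDse.configurationNamingContext

# Look up attribute/class GUIDs in the schema instead of hard-coding them.
function Get-SchemaGuid {
    param([string]$LdapDisplayName)
    $obj = Get-ADObject -SearchBase $schemaNC -LDAPFilter "(lDAPDisplayName=$LdapDisplayName)" -Properties schemaIDGUID
    [guid]$obj.schemaIDGUID
}

# Look up control access rights (e.g. "Reset Password") in the configuration partition.
function Get-ExtendedRightGuid {
    param([string]$DisplayName)
    $obj = Get-ADObject -SearchBase "CN=Extended-Rights,$configNC" -LDAPFilter "(displayName=$DisplayName)" -Properties rightsGuid
    [guid]$obj.rightsGuid
}

$userClass   = Get-SchemaGuid 'user'
$pwdLastSet  = Get-SchemaGuid 'pwdLastSet'
$lockoutTime = Get-SchemaGuid 'lockoutTime'
$resetPwd    = Get-ExtendedRightGuid 'Reset Password'

$sid = (Get-ADGroup -Identity $GroupName).SID
$acl = Get-Acl -Path "AD:\$TargetDN"

# Apply to descendant user objects only, not to the container itself or to other object classes.
$inherit = [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents

# 1. "Reset Password" control access right: allows setting a new password without knowing the old one.
$ruleReset = New-Object -TypeName System.DirectoryServices.ActiveDirectoryAccessRule `
    -ArgumentList $sid, 'ExtendedRight', 'Allow', $resetPwd, $inherit, $userClass

# 2. Read/Write pwdLastSet: needed to tick "User must change password at next logon".
$rulePwdLastSet = New-Object -TypeName System.DirectoryServices.ActiveDirectoryAccessRule `
    -ArgumentList $sid, 'ReadProperty, WriteProperty', 'Allow', $pwdLastSet, $inherit, $userClass

# 3. Read/Write lockoutTime: clearing it unlocks the account.
$ruleLockout = New-Object -TypeName System.DirectoryServices.ActiveDirectoryAccessRule `
    -ArgumentList $sid, 'ReadProperty, WriteProperty', 'Allow', $lockoutTime, $inherit, $userClass

$acl.AddAccessRule($ruleReset)
$acl.AddAccessRule($rulePwdLastSet)
$acl.AddAccessRule($ruleLockout)
Set-Acl -Path "AD:\$TargetDN" -AclObject $acl

# Verify: show only the ACEs on the container that reference the delegated group.
(Get-Acl -Path "AD:\$TargetDN").Access |
    Where-Object { $_.IdentityReference -like "*\$GroupName" } |
    Select-Object ActiveDirectoryRights, AccessControlType, ObjectType, InheritedObjectType, InheritanceType
```

Two caveats worth checking after you delegate, whether by wizard or by script. First, accounts protected by AdminSDHolder (members of Domain Admins and the other protected groups, marked with adminCount=1) have their ACLs overwritten periodically by the SDProp process, so a delegation on the parent container does not give the helpdesk group control over them; that is the intended behaviour, and it is one more reason to keep sensitive accounts out of the delegated OU. Second, the three ACEs above are exactly what the wizard's tasks grant; if the verification output shows broader rights such as GenericAll or WriteDacl for the group, someone has granted more than password reset and unlock, and those ACEs should be reviewed.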
Remember that standard users cannot log on locally to domain controllers (DCs) by default. Even if you change this policy, standard users cannot run the Microsoft Management Console by default on DCs, which prevents them from starting Active Directory Users and Computers (ADUC). Your IT staff should use the Remote Server Administration Tools (RSAT) to manage AD from a management workstation; delegating rights does not mean the delegated group should be able to log on to a DC.
More from Russell Smith