Last Update: Sep 24, 2024 | Published: Jul 10, 2013
It’s all too often that organizations grant IT staff domain admin rights to Active Directory to perform administrative tasks that require just a small subset of those permissions. In this article I will show you how to grant an AD group permission to reset passwords and unlock user accounts using Active Directory’s Delegation of Control Wizard. Once you’re familiar with the process, you will be able to use the same wizard to delegate other tasks.
It’s preferable to create an OU structure so that you can apply different delegated permissions and Group Policy Objects (GPOs) to different sets of AD objects. For example, you may not want to give helpdesk users the ability to manage sensitive user accounts, in which case the given accounts need to be located in their own OU so that different management policies can be applied.
For the purposes of this guide, I’ll delegate permissions to objects in the standard Users container.
Remember that standard users cannot log on locally to domain controllers (DCs). Even if you change this policy, standard users cannot run the Microsoft Management Console (MMC) on DCs by default, so they cannot start Active Directory Users and Computers (ADUC) there. Your IT staff should use the Remote Server Administration Tools (RSAT) to manage AD from a management workstation.
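The following is an added example, not part of the original article, showing the scripted equivalent of what the Delegation of Control Wizard does for the "Reset user passwords and force password change at next logon" and unlock tasks: it grants a group the Reset Password control access right and read/write on the lockoutTime attribute for user objects under one OU, then reads the ACL back so you can confirm exactly which ACEs were added. The group name, OU distinguished name and domain are placeholders; the script assumes it is run from an RSAT workstation with the ActiveDirectory module, by an account allowed to modify the OU's security descriptor. GUIDs are resolved from the schema and the Extended-Rights container at run time rather than hard-coded.

```powershell
# Added example (not from the original article): delegate password reset and
# account unlock on one OU to a group, then verify the resulting ACEs.
# Placeholders: $GroupName, $TargetOU. Requires the RSAT ActiveDirectory module.
Import-Module ActiveDirectory

$GroupName = 'Helpdesk Operators'                       # placeholder group
$TargetOU  = 'OU=Helpdesk Users,DC=contoso,DC=com'      # placeholder OU

$rootDse  = Get-ADRootDSE
$schemaNC = $rootDse.schemaNamingContext
$configNC = $rootDse.configurationNamingContext

# Look up object-type GUIDs from the directory instead of hard-coding them.
function Get-SchemaGuid([string]$LdapDisplayName) {
    $obj = Get-ADObject -SearchBase $schemaNC `
        -LDAPFilter "(lDAPDisplayName=$LdapDisplayName)" -Properties schemaIDGUID
    [guid]$obj.schemaIDGUID          # schemaIDGUID is stored as a byte array
}
function Get-ExtendedRightGuid([string]$DisplayName) {
    $obj = Get-ADObject -SearchBase "CN=Extended-Rights,$configNC" `
        -LDAPFilter "(displayName=$DisplayName)" -Properties rightsGuid
    [guid]$obj.rightsGuid            # rightsGuid is stored as a string
}

$userClassGuid     = Get-SchemaGuid 'user'
$lockoutTimeGuid   = Get-SchemaGuid 'lockoutTime'
$resetPasswordGuid = Get-ExtendedRightGuid 'Reset Password'

$group   = Get-ADGroup $GroupName
$sid     = $group.SID
$allow   = [System.Security.AccessControl.AccessControlType]::Allow
$inherit = [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents

# ACE 1: the "Reset Password" control access right, scoped to descendant user
# objects only (InheritedObjectType = user class), so it never applies to the OU
# itself or to non-user objects such as computers.
$aceReset = [System.DirectoryServices.ActiveDirectoryAccessRule]::new(
    $sid,
    [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight,
    $allow, $resetPasswordGuid, $inherit, $userClassGuid)

# ACE 2: read/write on lockoutTime, which is the attribute ADUC clears when you
# tick "Unlock account".
$aceUnlock = [System.DirectoryServices.ActiveDirectoryAccessRule]::new(
    $sid,
    ([System.DirectoryServices.ActiveDirectoryRights]::ReadProperty -bor
     [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty),
    $allow, $lockoutTimeGuid, $inherit, $userClassGuid)

# Apply both ACEs to the OU through the AD: PSDrive.
$acl = Get-Acl -Path "AD:\$TargetOU"
$acl.AddAccessRule($aceReset)
$acl.AddAccessRule($aceUnlock)
Set-Acl -Path "AD:\$TargetOU" -AclObject $acl

# Verify: show only the ACEs on the OU that name the delegated group. Expect
# one ExtendedRight entry (ObjectType = Reset Password GUID) and one
# ReadProperty, WriteProperty entry (ObjectType = lockoutTime GUID), both with
# InheritedObjectType = user class GUID.
(Get-Acl -Path "AD:\$TargetOU").Access |
    Where-Object { $_.IdentityReference -like "*\$GroupName" } |
    Select-Object IdentityReference, ActiveDirectoryRights, ObjectType,
                  InheritedObjectType, AccessControlType |
    Format-Table -AutoSize
```

Scoping the ACEs with an InheritedObjectType of the user class is the part worth checking after using the wizard too: an ACE whose inherited object type is blank applies to every object class beneath the OU, which is more than a helpdesk reset-and-unlock role needs. Re-running the verification block alone is a cheap way to audit what a previously delegated OU actually grants.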