Thursday 1 May 2014

Active Directory delegation

To delegate permission to a domain user (or group) to:
  • add new users to a container
  • change passwords
  • modify group membership
  • modify user properties (such as email, name, etc.)
  • move users between OUs
The first item requires these steps:
  • Right click on container and choose Delegate Control
  • When Delegation Wizard opens up click Next
  • On the next page choose the group you want to give permissions to and press Next
  • On the next page choose Create a custom task to delegate and press Next
  • Choose Only the following objects in the folder, go to the bottom of the list and choose User objects. Choosing anything more than this one entry removes the possibility of a granular choice of properties to change.
  • Make sure Create selected objects in this folder is checked and press Next
  • Choose:
    • Read All Properties
    • Write All Properties
    • Read and write general information
    • Read and write logon information
    • Read and write phone and mail options
    • Read and write web information
    • Read and write Terminal Server license server
    • Read and write remote access information
    • Change password
    • Reset password
This allows the delegated group to create users and enable / disable them, but not delete them. At this point the user still isn't able to change group membership, as that has to be delegated differently.
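The same delegation can be applied from PowerShell, which makes it reviewable and repeatable and lets you read back what the wizard actually wrote. This is an added example, not from the original post; the OU path and group name are assumptions, and it relies on the ActiveDirectory module's AD: drive.

```powershell
# Added example: delegate user creation, property writes and password rights on one OU.
Import-Module ActiveDirectory

$ouDn  = 'OU=Staff,DC=example,DC=local'               # assumed target container
$group = Get-ADGroup -Identity 'Helpdesk-UserAdmins'  # assumed delegated group
$sid   = [System.Security.Principal.SecurityIdentifier] $group.SID

# Resolve the user class and control-access-right GUIDs from this forest's schema
# instead of hard-coding them.
$rootDse    = Get-ADRootDSE
$userClass  = Get-ADObject -SearchBase $rootDse.schemaNamingContext `
                -LDAPFilter '(lDAPDisplayName=user)' -Properties schemaIDGUID
$userGuid   = [guid]::new([byte[]] $userClass.schemaIDGUID)
$rightsBase = "CN=Extended-Rights,$($rootDse.configurationNamingContext)"
$resetPw    = [guid] (Get-ADObject -SearchBase $rightsBase -LDAPFilter '(displayName=Reset Password)'  -Properties rightsGuid).rightsGuid
$changePw   = [guid] (Get-ADObject -SearchBase $rightsBase -LDAPFilter '(displayName=Change Password)' -Properties rightsGuid).rightsGuid

$Rights  = [System.DirectoryServices.ActiveDirectoryRights]
$Inherit = [System.DirectoryServices.ActiveDirectorySecurityInheritance]
$Allow   = [System.Security.AccessControl.AccessControlType]::Allow
$Ace     = [System.DirectoryServices.ActiveDirectoryAccessRule]

$aces = @(
    # "Create selected objects in this folder": only user objects, only on this OU.
    $Ace::new($sid, $Rights::CreateChild, $Allow, $userGuid, $Inherit::None),
    # "Read/Write All Properties" on user objects below the OU. Note: no Delete right,
    # which is why the wizard-delegated group can disable users but not remove them.
    $Ace::new($sid, ($Rights::ReadProperty -bor $Rights::WriteProperty), $Allow,
              [guid]::Empty, $Inherit::Descendents, $userGuid),
    # "Reset password" and "Change password" control access rights on user objects.
    $Ace::new($sid, $Rights::ExtendedRight, $Allow, $resetPw,  $Inherit::Descendents, $userGuid),
    $Ace::new($sid, $Rights::ExtendedRight, $Allow, $changePw, $Inherit::Descendents, $userGuid)
)

$acl = Get-Acl -Path "AD:\$ouDn"
foreach ($ace in $aces) { $acl.AddAccessRule($ace) }
Set-Acl -Path "AD:\$ouDn" -AclObject $acl

# Check: read back every ACE the group now holds on the OU, since the wizard shows no summary.
(Get-Acl -Path "AD:\$ouDn").Access |
    Where-Object { $_.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]) -eq $sid } |
    Select-Object ActiveDirectoryRights, AccessControlType, ObjectType, InheritanceType, InheritedObjectType
```

Read/Write All Properties already covers the property sets the wizard lists separately (general, logon, phone and mail, web information); a narrower delegation would replace `[guid]::Empty` with the rightsGuid of each property set instead.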