Delegating AD Admin Rights to regular users

I want to let a regular user administer users and computers in a specific OU.

There is an AD setting which allows any regular domain user to add a maximum of 10 computers to the domain. This setting can be turned off like this:

  1. Start AdsiEdit.msc as Domain Admin
  2. Expand the Domain Node, right-click the DC=Domain node and select Properties
  3. Edit ms-DS-MachineAccountQuota and set it to 0

To set up the delegation do the following:

  1. In ADUC, click View, Advanced Features
  2. Right-click the OU where you want to add permissions and select Properties
  3. On the Security tab select Advanced and add the following permissions
    • To edit Users
      User Objects – Full Control
    • To Reset User Passwords Only
      User Objects – Read pwdLastSet
      User Objects – Write pwdLastSet
      User Objects – Reset Password
    • Add Computers
      This object and all child objects – Create Computer Objects
      This object and all child objects – Delete Computer Objects
    • Add Users
      This object and all child objects – Create User Objects
      This object and all child objects – Delete User Objects

To add a computer to the domain, the user first needs to create a computer account in the correct OU and then join the computer to the domain.
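The same two steps (set ms-DS-MachineAccountQuota to 0, then grant the create/delete and reset-password-only permissions on the OU) done from PowerShell, as an added example that is not part of the original post. It assumes the RSAT ActiveDirectory module; the group name OU-Helpdesk and the OU DN are placeholders to replace, and the schema and extended-right GUIDs are read from the directory rather than hard-coded.

```powershell
# Added example, not from the original post. Placeholders: $DelegateGroup and $TargetOU.
Import-Module ActiveDirectory

$DelegateGroup = 'OU-Helpdesk'                          # placeholder: group that gets the rights
$TargetOU      = 'OU=Workstations,DC=example,DC=com'    # placeholder: OU being delegated

# 1. Stop ordinary users adding up to 10 machines anywhere: ms-DS-MachineAccountQuota -> 0
$domain = Get-ADDomain
Set-ADObject -Identity $domain.DistinguishedName -Replace @{'ms-DS-MachineAccountQuota' = 0}

# Look up class/attribute schemaIDGUIDs and the extended-right GUID from the forest
$rootDse = Get-ADRootDSE
function Get-SchemaGuid([string]$LdapName) {
    $o = Get-ADObject -SearchBase $rootDse.schemaNamingContext `
        -LDAPFilter "(lDAPDisplayName=$LdapName)" -Properties schemaIDGUID
    [guid]$o.schemaIDGUID
}
function Get-RightGuid([string]$DisplayName) {
    $o = Get-ADObject -SearchBase "CN=Extended-Rights,$($rootDse.configurationNamingContext)" `
        -LDAPFilter "(displayName=$DisplayName)" -Properties rightsGuid
    [guid]$o.rightsGuid
}
$computerClass = Get-SchemaGuid 'computer'
$userClass     = Get-SchemaGuid 'user'
$pwdLastSet    = Get-SchemaGuid 'pwdLastSet'
$resetPassword = Get-RightGuid  'Reset Password'

$sid   = (Get-ADGroup $DelegateGroup).SID
$acl   = Get-Acl -Path "AD:\$TargetOU"
$allow = [System.Security.AccessControl.AccessControlType]::Allow
$all   = [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All
$desc  = [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents  # .NET enum spelling

# 2a. "Create/Delete Computer objects" and "Create/Delete User objects" on this object and all child objects
foreach ($class in $computerClass, $userClass) {
    $acl.AddAccessRule([System.DirectoryServices.ActiveDirectoryAccessRule]::new(
        $sid, [System.DirectoryServices.ActiveDirectoryRights]'CreateChild, DeleteChild', $allow, $class, $all))
}
# 2b. Reset-password-only: Read/Write pwdLastSet plus the Reset Password right, scoped to descendant user objects
$acl.AddAccessRule([System.DirectoryServices.ActiveDirectoryAccessRule]::new(
    $sid, [System.DirectoryServices.ActiveDirectoryRights]'ReadProperty, WriteProperty', $allow, $pwdLastSet, $desc, $userClass))
$acl.AddAccessRule([System.DirectoryServices.ActiveDirectoryAccessRule]::new(
    $sid, [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight, $allow, $resetPassword, $desc, $userClass))

Set-Acl -Path "AD:\$TargetOU" -AclObject $acl
```

The post's "User Objects – Full Control" option would instead be a single GenericAll rule with $userClass as the inherited object type; it is left out here because it makes the reset-password-only rules redundant.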

Links

http://www.infinitconsulting.com/news-events/technotes/limit-workstations.html
