Delegating AD Admin Rights to regular users

I want to let a regular user administer users and computers in a specific OU.

There is an AD setting that allows any regular domain user to add up to 10 computers to the domain. This setting can be turned off like this:

  1. Start AdsiEdit.msc as Domain Admin
  2. Expand the Domain Node, right-click the DC=Domain node and select Properties
  3. Edit ms-DS-MachineAccountQuota and set it to 0

To set up the delegation do the following:

  1. In ADUC, click View, Advanced Features
  2. Right-click the OU where you want to add the permissions and select Properties
  3. On the Security tab, select Advanced and add the following permissions:
    • To edit Users
      User Objects – Full Control
    • To Reset User Passwords Only
      User Objects – Read pwdLastSet
      User Objects – Write pwdLastSet
      User Objects – Reset Password
    • Add Computers
      This object and all child objects – Create Computer Objects
      This object and all child objects – Delete Computer Objects
    • Add Users
      This object and all child objects – Create User Objects
      This object and all child objects – Delete User Objects

To add a computer to the domain, the user first needs to create a computer account in the correct OU and then join the computer.
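The same two procedures done with the ActiveDirectory PowerShell module, as an added example that is not part of the original post. The domain name, OU path and group name are assumed placeholders, and the script grants the "Reset User Passwords Only" entries rather than Full Control on user objects.

```powershell
# Added example (not from the original post). Assumed names: domain contoso.com, target OU
# OU=Workstations,DC=contoso,DC=com, delegated group OU-Admins. Run as Domain Admin with RSAT.
Import-Module ActiveDirectory
$ouDN = 'OU=Workstations,DC=contoso,DC=com'
$sid  = (Get-ADGroup 'OU-Admins').SID

# Step 1: the ms-DS-MachineAccountQuota change from AdsiEdit, done with the AD module.
Set-ADDomain -Identity 'contoso.com' -Replace @{ 'ms-DS-MachineAccountQuota' = '0' }

# Look up schema and extended-right GUIDs in this forest rather than hard-coding them.
$rootDse = Get-ADRootDSE
function Get-SchemaGuid([string]$ldapDisplayName) {
    $o = Get-ADObject -SearchBase $rootDse.schemaNamingContext `
        -LDAPFilter "(lDAPDisplayName=$ldapDisplayName)" -Properties schemaIDGUID
    [guid]$o.schemaIDGUID
}
function Get-RightGuid([string]$displayName) {
    $o = Get-ADObject -SearchBase "CN=Extended-Rights,$($rootDse.configurationNamingContext)" `
        -LDAPFilter "(displayName=$displayName)" -Properties rightsGuid
    [guid]$o.rightsGuid
}
$userClass  = Get-SchemaGuid 'user';       $computerClass = Get-SchemaGuid 'computer'
$pwdLastSet = Get-SchemaGuid 'pwdLastSet'; $resetPassword = Get-RightGuid 'Reset Password'
$none = [guid]::Empty
# One ACE: rights, object/attribute/right GUID, where it applies, and the class it is inherited by.
function New-Ace([string]$rights, [guid]$objectType, [string]$appliesTo, [guid]$inheritedType) {
    New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
        $sid, [System.DirectoryServices.ActiveDirectoryRights]$rights,
        [System.Security.AccessControl.AccessControlType]::Allow, $objectType,
        [System.DirectoryServices.ActiveDirectorySecurityInheritance]$appliesTo, $inheritedType)
}
$aces = @(
    # "To Reset User Passwords Only": the least-privilege alternative to Full Control on users
    New-Ace 'ReadProperty'  $pwdLastSet    'Descendents' $userClass
    New-Ace 'WriteProperty' $pwdLastSet    'Descendents' $userClass
    New-Ace 'ExtendedRight' $resetPassword 'Descendents' $userClass
    # "Add Computers": Create/Delete Computer objects, this object and all child objects
    New-Ace 'CreateChild' $computerClass 'All' $none
    New-Ace 'DeleteChild' $computerClass 'All' $none
    # "Add Users": Create/Delete User objects, this object and all child objects
    New-Ace 'CreateChild' $userClass 'All' $none
    New-Ace 'DeleteChild' $userClass 'All' $none
)
$acl = Get-Acl -Path "AD:\$ouDN"
foreach ($ace in $aces) { $acl.AddAccessRule($ace) }
Set-Acl -Path "AD:\$ouDN" -AclObject $acl

# Read back what was granted to confirm the ACEs landed on the right OU.
(Get-Acl -Path "AD:\$ouDN").Access | Where-Object { $_.IdentityReference -like '*\OU-Admins' } |
    Format-Table ActiveDirectoryRights, ObjectType, InheritanceType, InheritedObjectType
```

The read-back at the end is the check to run after any delegation change: every ACE should name the intended group, the expected GUIDs and the intended inheritance scope, and nothing else.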

Links

http://www.infinitconsulting.com/news-events/technotes/limit-workstations.html
