I want to let a regular user administer users and computers in a specific OU.
There is an AD setting, ms-DS-MachineAccountQuota, which by default allows any regular domain user to add up to 10 computers to the domain. Leaving it at the default means every authenticated user can create machine accounts without any delegation, which is a well-known abuse primitive, so it should be turned off like this:
- Start ADSI Edit (adsiedit.msc) as Domain Admin
- Expand the Domain node, right-click the DC=Domain node and select Properties
- Edit ms-DS-MachineAccountQuota and set it to 0
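The same change done from PowerShell, with a before/after check and a list of the accounts that were created under the quota so far. This is an added example, not part of the original technote; it assumes the RSAT ActiveDirectory module is installed and the session runs as Domain Admin.

```powershell
# Added example, not from the original post. Assumes the RSAT ActiveDirectory
# module is installed and the session runs with Domain Admin rights.
Import-Module ActiveDirectory

$domainDN = (Get-ADDomain).DistinguishedName

# Read the current quota (the default is 10).
$before = (Get-ADObject -Identity $domainDN -Properties 'ms-DS-MachineAccountQuota').'ms-DS-MachineAccountQuota'
Write-Host "ms-DS-MachineAccountQuota before: $before"

# Set it to 0 so that only principals with delegated Create Computer Objects
# rights on an OU can add machine accounts.
Set-ADDomain -Identity $domainDN -Replace @{ 'ms-DS-MachineAccountQuota' = 0 }

# Verify the change was written.
$after = (Get-ADObject -Identity $domainDN -Properties 'ms-DS-MachineAccountQuota').'ms-DS-MachineAccountQuota'
if ($after -ne 0) { throw "ms-DS-MachineAccountQuota is still $after" }
Write-Host "ms-DS-MachineAccountQuota after: $after"

# Check which computer accounts were created via the quota rather than via
# explicit create rights: AD stamps mS-DS-CreatorSID on those, so the attribute
# is empty for accounts created by administrators. Review these accounts before
# relying on the new setting.
Get-ADComputer -Filter * -Properties mS-DS-CreatorSID |
    Where-Object { $_.'mS-DS-CreatorSID' } |
    ForEach-Object {
        $sid = [System.Security.Principal.SecurityIdentifier]$_.'mS-DS-CreatorSID'
        try   { $creator = $sid.Translate([System.Security.Principal.NTAccount]).Value }
        catch { $creator = $sid.Value }   # creator may have been deleted
        [pscustomobject]@{ Computer = $_.Name; CreatedBy = $creator }
    }
```

Setting the quota to 0 does not remove accounts that were already created under it; the last part of the script lists them so they can be reviewed or removed.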
To set up the delegation, do the following:
- In ADUC, click View, Advanced Features
- Right-click the OU where you want to add the permissions and select Properties
- On the Security tab, click Advanced and add the following permissions
- To edit Users:
  User Objects – Full Control
- To reset User passwords only (instead of Full Control):
  User Objects – Read pwdLastSet
  User Objects – Write pwdLastSet
  User Objects – Reset Password
- To add Computers:
  This object and all child objects – Create Computer Objects
  This object and all child objects – Delete Computer Objects
- To add Users:
  This object and all child objects – Create User Objects
  This object and all child objects – Delete User Objects
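The same ACEs applied with PowerShell, resolving the class, attribute and extended-right GUIDs from the directory instead of hard-coding them. This is an added example, not part of the original technote; the OU distinguished name, the group name and the $ResetPasswordOnly switch are assumptions to adapt.

```powershell
# Added example, not from the original post. Assumes the RSAT ActiveDirectory
# module; $OuDN and $GroupName are placeholders for your OU and delegated group.
Import-Module ActiveDirectory

$OuDN              = 'OU=Workstations,DC=example,DC=com'   # assumption: target OU
$GroupName         = 'OU-Admins'                           # assumption: group to delegate to
$ResetPasswordOnly = $false   # $true: grant password reset only instead of Full Control

$rootDse  = Get-ADRootDSE
$schemaNC = $rootDse.schemaNamingContext
$configNC = $rootDse.configurationNamingContext

# Look up schemaIDGUIDs of classes/attributes and the GUID of an extended right.
function Get-SchemaGuid([string]$LdapDisplayName) {
    $o = Get-ADObject -SearchBase $schemaNC -LDAPFilter "(lDAPDisplayName=$LdapDisplayName)" -Properties schemaIDGUID
    [guid]$o.schemaIDGUID
}
function Get-ExtendedRightGuid([string]$DisplayName) {
    $o = Get-ADObject -SearchBase "CN=Extended-Rights,$configNC" -LDAPFilter "(displayName=$DisplayName)" -Properties rightsGuid
    [guid]$o.rightsGuid
}

$userGuid     = Get-SchemaGuid 'user'
$computerGuid = Get-SchemaGuid 'computer'
$pwdLastSet   = Get-SchemaGuid 'pwdLastSet'
$resetPwd     = Get-ExtendedRightGuid 'Reset Password'

$sid   = (Get-ADGroup $GroupName).SID
$allow = [System.Security.AccessControl.AccessControlType]::Allow

# Build one ACE. ObjectType limits the right to a class/attribute/extended right,
# InheritedObjectType limits which descendant object class it applies to.
function New-AdRule {
    param(
        [System.DirectoryServices.ActiveDirectoryRights]$Rights,
        [guid]$ObjectType = [guid]::Empty,
        [System.DirectoryServices.ActiveDirectorySecurityInheritance]$Inheritance,
        [guid]$InheritedObjectType = [guid]::Empty
    )
    New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
        $sid, $Rights, $allow, $ObjectType, $Inheritance, $InheritedObjectType)
}

$rules = @()
if ($ResetPasswordOnly) {
    # User Objects: Read/Write pwdLastSet plus the Reset Password extended right.
    $rules += New-AdRule -Rights ReadProperty  -ObjectType $pwdLastSet -Inheritance Descendents -InheritedObjectType $userGuid
    $rules += New-AdRule -Rights WriteProperty -ObjectType $pwdLastSet -Inheritance Descendents -InheritedObjectType $userGuid
    $rules += New-AdRule -Rights ExtendedRight -ObjectType $resetPwd   -Inheritance Descendents -InheritedObjectType $userGuid
} else {
    # User Objects: Full Control.
    $rules += New-AdRule -Rights GenericAll -Inheritance Descendents -InheritedObjectType $userGuid
}
# This object and all child objects: Create/Delete Computer Objects and User Objects.
$createDelete = [System.DirectoryServices.ActiveDirectoryRights]::CreateChild -bor
                [System.DirectoryServices.ActiveDirectoryRights]::DeleteChild
$rules += New-AdRule -Rights $createDelete -ObjectType $computerGuid -Inheritance All
$rules += New-AdRule -Rights $createDelete -ObjectType $userGuid     -Inheritance All

$acl = Get-Acl -Path "AD:\$OuDN"
foreach ($r in $rules) { $acl.AddAccessRule($r) }
Set-Acl -Path "AD:\$OuDN" -AclObject $acl

# Verify: show the ACEs now granted to the group on the OU.
(Get-Acl -Path "AD:\$OuDN").Access |
    Where-Object { $_.IdentityReference -like "*\$GroupName" } |
    Select-Object ActiveDirectoryRights, ObjectType, InheritanceType, InheritedObjectType
```

Delegate to a group rather than to an individual user so membership can be reviewed and revoked without touching the OU's ACL again.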
To add a computer to the domain, the delegated user first creates a computer account in the correct OU and then joins the computer. With ms-DS-MachineAccountQuota set to 0 the join only succeeds against that pre-created account, so the user can add machines only to the OU they have been delegated rights on.
Links
http://www.infinitconsulting.com/news-events/technotes/limit-workstations.html