How to Delegate AD Rights to Users

Delegating Administrative Privileges to Users in Active Directory

AD delegation lets administrators grant users or groups specific permissions without adding them to privileged groups such as Domain Admins and Account Operators. You can delegate control of your Active Directory environment by using the Active Directory Users and Computers (ADUC) snap-in. As a best practice, delegate control to groups rather than to individual users.
 
Follow these steps to create a group of users and delegate certain controls to them without adding them to privileged groups. 
  1. Open Active Directory Users and Computers and right-click the Organizational Unit on which you need to delegate control.
  2. Click New, and then click Group to create a new group.
  3. In the New Object - Group window, enter the details of the required group, set the Group scope to Global and the Group type to Security, and click OK. This creates the group.
  4. Right-click the group and click Properties. Under the Members tab, click Add to add users to the group.
  5. Right-click the Organizational Unit and click Delegate Control to delegate permissions to the group of users.
  6. In the Delegation of Control Wizard, click Next to continue.
  7. In the Users and Groups console, click Add to add the required group, and then click Next to continue.
  8. In the Tasks to Delegate console, select Delegate the Following Common Tasks and select the permissions you need from the listed tasks. Click Next to continue.
  9. On the Completing the Delegation of Control Wizard page, verify the options selected in the previous consoles and click Finish to close the wizard.
The users in the group can now carry out the specified common tasks. Thanks to AD Delegation, this can be done without adding those users to any privileged groups. 
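
The same procedure can be scripted so the delegation is repeatable and the resulting ACL can be reviewed. The following PowerShell is an added example, not part of the original article. It assumes the ActiveDirectory module is installed, that the common task chosen in step 8 is "Reset user passwords and force password change at next logon", and it uses constructed placeholder names for the OU, the group and its members.

```powershell
# Added example: scripted equivalent of steps 1-9, followed by a check of the result.
# The OU, group and member names below are constructed placeholders.
Import-Module ActiveDirectory

$ouDn      = 'OU=Staff,DC=example,DC=com'   # OU to delegate on (assumed)
$groupName = 'Staff-Password-Reset'         # delegation group (assumed)
$members   = 'jdoe', 'asmith'               # sAMAccountNames (assumed)

# Steps 2-3: create a Global security group inside the OU.
$group = New-ADGroup -Name $groupName -SamAccountName $groupName `
    -GroupScope Global -GroupCategory Security -Path $ouDn -PassThru

# Step 4: add the users to the group.
Add-ADGroupMember -Identity $group -Members $members

# Steps 5-9: grant the group only what the chosen common task needs,
# scoped to user objects below the OU (not the OU itself, not other classes).
$userClass  = [guid]'bf967aba-0de6-11d0-a285-00aa003044d0'  # schema class: user
$resetPwd   = [guid]'00299570-246d-11d0-a768-00aa006e0529'  # extended right: Reset Password
$pwdLastSet = [guid]'bf967a0a-0de6-11d0-a285-00aa003044d0'  # attribute: pwdLastSet

$allow   = [System.Security.AccessControl.AccessControlType]::Allow
$inherit = [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents
$extRt   = [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight
$rwProp  = [System.DirectoryServices.ActiveDirectoryRights]'ReadProperty, WriteProperty'

$acl = Get-Acl -Path "AD:\$ouDn"
$acl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule `
    $group.SID, $extRt, $allow, $resetPwd, $inherit, $userClass))
$acl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule `
    $group.SID, $rwProp, $allow, $pwdLastSet, $inherit, $userClass))
Set-Acl -Path "AD:\$ouDn" -AclObject $acl

# Review: list the explicit (non-inherited) ACEs the group now holds on the OU.
# Expect exactly two entries; anything broader (GenericAll, WriteDacl) is a finding.
(Get-Acl -Path "AD:\$ouDn").Access |
    Where-Object { $_.IdentityReference -like "*\$groupName" -and -not $_.IsInherited } |
    Select-Object IdentityReference, ActiveDirectoryRights, ObjectType,
                  InheritedObjectType, InheritanceType
```

Running the final review block on its own at a later date shows whether the group's rights on the OU have drifted from what was originally delegated.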
