Delegating control in Active Directory lets you give specific admin tasks to non-admin users without granting them full domain admin rights. For example, you can let helpdesk staff reset passwords or let users manage groups. In this guide, I’ll show you how to delegate control using Active Directory Users and Computers.
Table of Contents:
- Delegate Password Reset and Unlock Permissions
- Delegate Permissions to Modify Telephone Number
- Delegate Permissions to Modify Group Membership
- Delegate Control to Delete Computer Accounts
- How to Audit Active Directory (ACL) Permissions
Delegate Password Reset and Unlock Permissions
In this example, I’ll use the delegation control wizard to give helpdesk users permissions to reset passwords and unlock user accounts. I’ll also demonstrate how to limit this to a specific group of users (department).
Step 1: Create a New Active Directory Group
I’m going to create a new group and name it “Helpdesk_password_reset”. Use whatever naming convention makes sense to you; I just recommend that it be descriptive. I also recommend using the description field to provide exact details on what the group is used for. With a descriptive name and the description filled out, there should be no confusion about what this group is used for, which will help you and other System Admins.

Next, I’ll add the helpdesk staff to this group. When the delegation is complete you can easily add or remove rights by changing the membership of this group.
Step 2: Use Delegation of Control Wizard
This is where good OU design is important. I want to grant this group permission to change the password for all users in the domain, and since I have all users in the “ADPRO Users” OU this can easily be done. The delegated rights will apply to that OU and all sub-OUs beneath it.
Right-click on the OU and select “Delegate Control”.

Click “Next”
Select the group you want to delegate control to.

Click “Next”
Select “Create a custom task to delegate”

Select “Only the following objects in the folder” then select “User objects”

Click “Next”
Select “General” and “Property-specific”
Then enable the following permissions:
- Change password
- Reset password
- Read lockoutTime
- Write lockoutTime

Click “Next”
Click “Finish”
Now any member of the “Helpdesk_password_reset” group can change/reset passwords and unlock user accounts for all users in the “ADPRO Users” OU.
What if you had a department that wanted to reset/unlock their own accounts? For example, the HR department wants to reset/unlock their own accounts without having to call IT support.
Here are the steps (they are basically the same as above; you just run the delegation control wizard on a specific OU):
- Create a new group for the HR users (example, HR_password_reset).
- Use the delegation control wizard on the HR OU.
- Select the HR group (example, HR_password_reset).
- Set permissions (change password, reset password, read lockoutTime, write lockoutTime). See the above screenshots for more details.

If you delegated control to the entire domain or to an OU containing all users, then you gave HR staff more permissions than they need: they could reset/unlock users for the entire domain. You want to avoid this.
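The same delegation done from PowerShell, as an added example that is not part of the original guide. It writes the four rights the wizard sets (Change password, Reset password, Read/Write lockoutTime) for user objects under one OU; the OU distinguished name and the group name are assumptions. The two helper functions also resolve the GUIDs needed for the later sections (the telephoneNumber and member properties, and the computer class for delete rights), so only the rights and GUIDs change.

```powershell
# Added example (not from the guide): the ACEs the wizard writes for the
# password-reset delegation, applied with the ActiveDirectory module.
# $OuDn and $GroupSam are assumptions; replace them with your OU and group.
Import-Module ActiveDirectory

$OuDn     = 'OU=HR,OU=ADPRO Users,DC=ad,DC=example,DC=com'   # assumed HR OU
$GroupSam = 'HR_password_reset'                                # group from Step 1

$rootDse  = Get-ADRootDSE
$schemaNC = $rootDse.schemaNamingContext
$rightsNC = "CN=Extended-Rights,$($rootDse.configurationNamingContext)"

# Resolve GUIDs from the schema and the extended-rights container instead of
# hard-coding them; the same helpers work for telephoneNumber, member, computer.
function Get-SchemaGuid([string]$LdapName) {
    $o = Get-ADObject -SearchBase $schemaNC -LDAPFilter "(lDAPDisplayName=$LdapName)" -Properties schemaIDGUID
    return [guid]$o.schemaIDGUID
}
function Get-ExtendedRightGuid([string]$DisplayName) {
    $o = Get-ADObject -SearchBase $rightsNC -LDAPFilter "(displayName=$DisplayName)" -Properties rightsGuid
    return [guid]$o.rightsGuid
}

$userClass   = Get-SchemaGuid 'user'
$lockoutTime = Get-SchemaGuid 'lockoutTime'
$changePwd   = Get-ExtendedRightGuid 'Change Password'
$resetPwd    = Get-ExtendedRightGuid 'Reset Password'

$sid     = (Get-ADGroup -Identity $GroupSam).SID
$allow   = [System.Security.AccessControl.AccessControlType]::Allow
$inherit = [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents
$acl     = Get-Acl -Path "AD:\$OuDn"

# "Change password" and "Reset password" are extended (control access) rights,
# scoped so they apply only to user objects below the OU, never to the OU itself.
foreach ($right in @($changePwd, $resetPwd)) {
    $acl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
        $sid, [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight,
        $allow, $right, $inherit, $userClass)))
}
# "Read/Write lockoutTime" is a property right; writing 0 to it unlocks the account.
$rw = [System.DirectoryServices.ActiveDirectoryRights]::ReadProperty -bor
      [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty
$acl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $sid, $rw, $allow, $lockoutTime, $inherit, $userClass)))

Set-Acl -Path "AD:\$OuDn" -AclObject $acl
```

Run it as an account that can modify the OU’s security descriptor, and point `$OuDn` at the narrowest OU that holds the intended users so the rights do not spill over to the whole domain.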
Delegate Permissions to Modify Telephone Number
In this example, I want to give a group of users permission to only modify the Telephone number in Active Directory. You will see in the delegation of control wizard you can grant permissions to other user fields (address, zip, state, and so on).
Step 1: Create a group.
I created a group called “IT_Modify_Telephone”.
Step 2: Run Delegation Control Wizard.
Run the delegation control wizard on the target OU.
Select the group.
Select “Create a custom task to delegate”
Select “Only the following objects in the folder” then select “User objects”
Select “Property-specific”
Enable “Read Telephone Number” and “Write Telephone Number”

Click “Next” then “Finish” to complete.
Now any member of the group can modify the “Telephone Number” field in Active Directory. All other fields are read-only.

Delegate Permissions to Modify Group Membership
In this example, I will give a group of users permission to modify group membership (add/remove users to groups).
This one is easier than the previous examples because the wizard includes a common task for it.
Step 1: Create AD Group
Step 2: Run Delegation Control Wizard
If you have all groups in a specific OU then run the delegation wizard on the OU. For example, all of my groups are in an OU called “ADPRO Groups”.

Select the group you want to delegate control to.
Click “Next”
Select “Modify the group membership of a group”

Click “Next” and click “Finish”.
Delegate Control to Delete Computer Accounts
Helpdesk or other IT staff will often need rights to delete computer accounts in Active Directory. Here is how to delegate those rights.
Step 1: Create AD Group
For example “IT_delete_computers”.
Step 2: Run delegation control wizard on OU.
Make sure you run the wizard on the OU that contains the computer objects.
Select the group to delegate control to.
Click “Next”
Select “Create a custom task to delegate”
Select “This folder, existing objects in this folder, and creation of new objects in this folder”.
Click “Next”
Select “creation/deletion of specific child objects”
Then select “Delete Computer objects”

Now members of the selected group can delete computer objects.
Summary
In this guide, I walked you through several examples of delegating control in Active Directory. The Delegation of Control Wizard can be confusing as it’s not always clear where to find specific permissions. It’s best to use groups for delegating control and to set very specific permissions. Lastly, I showed you how to audit Active Directory ACL permissions using the AD ACL Scanner tool. Don’t forget to audit the ACL permissions at least once a year.
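A quick way to review what has been delegated on an OU, as an added example that is not the AD ACL Scanner tool the guide refers to. It lists the explicit (non-inherited) ACEs on one OU with GUIDs translated back to attribute and right names; the OU distinguished name and the list of principals treated as expected defaults are assumptions.

```powershell
# Added example (not from the guide): report explicit ACEs on an OU so delegated
# rights can be reviewed. $OuDn and $expected are assumptions; tune them.
Import-Module ActiveDirectory
$OuDn = 'OU=ADPRO Users,DC=ad,DC=example,DC=com'   # assumed OU to audit

# Map schema and extended-right GUIDs to names so the report reads
# "lockoutTime" or "Reset Password" instead of a raw GUID.
$rootDse = Get-ADRootDSE
$guidMap = @{}
Get-ADObject -SearchBase $rootDse.schemaNamingContext -LDAPFilter '(schemaIDGUID=*)' -Properties lDAPDisplayName, schemaIDGUID |
    ForEach-Object { $guidMap[[guid]$_.schemaIDGUID] = $_.lDAPDisplayName }
Get-ADObject -SearchBase "CN=Extended-Rights,$($rootDse.configurationNamingContext)" -LDAPFilter '(rightsGuid=*)' -Properties displayName, rightsGuid |
    ForEach-Object { $guidMap[[guid]$_.rightsGuid] = $_.displayName }

# Principals that commonly hold explicit ACEs on a default OU (assumed list);
# anything else that appears is a delegation to confirm is still wanted.
$expected = 'SYSTEM', 'SELF', 'Administrators', 'Account Operators', 'Print Operators',
            'Pre-Windows 2000 Compatible Access', 'Domain Admins', 'Enterprise Admins',
            'Authenticated Users', 'ENTERPRISE DOMAIN CONTROLLERS'

function Resolve-GuidName([guid]$Id, [string]$Default) {
    if ($Id -eq [guid]::Empty) { return $Default }
    if ($guidMap.ContainsKey($Id)) { return $guidMap[$Id] }
    return $Id.ToString()
}

$acl = Get-Acl -Path "AD:\$OuDn"
$acl.Access |
    Where-Object { -not $_.IsInherited -and
                   $expected -notcontains (($_.IdentityReference.Value -split '\\')[-1]) } |
    ForEach-Object {
        [pscustomobject]@{
            Principal   = $_.IdentityReference.Value
            Type        = $_.AccessControlType
            Rights      = $_.ActiveDirectoryRights
            ObjectType  = Resolve-GuidName $_.ObjectType 'All'
            AppliesTo   = Resolve-GuidName $_.InheritedObjectType 'All objects'
            Inheritance = $_.InheritanceType
        }
    } | Format-Table -AutoSize
```

A row such as `HR_password_reset ... ExtendedRight ... Reset Password ... user` is the delegation from this guide; a Reset Password or WriteDacl entry on an OU for a group nobody recognises is what the yearly audit is meant to catch.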