How to make someone 'Assistant Administrator' for my Active Directory?

TechQ 236 Reputation points
2023-01-19T13:20:45.9266667+00:00

I have Active Directory on Windows Server 2019 Datacenter. Now I want to hire someone who can control almost everything about Active Directory, but I don't want that person to delete everything and leave after a few months. I am worried about that part. So how should I give him the right access so that he can manage most things just like the main Administrator but can't delete the whole Active Directory? That can be a big problem, like removing all the users (about 500), and it's a mess. Please tell me what permissions I should give to the person I hire so that he can manage Active Directory without messing it up.


3 answers

  1. Jordan Millama 1,386 Reputation points
    2023-01-19T15:22:46.87+00:00

    You could use the Delegation of Control Wizard and administer the permissions for a user or group accordingly.

    1. Open the Active Directory Users and Computers console
    2. Right-click your intended OU and click on Delegate Control, then Next
    3. On the Users or Groups page, click the Add button
    4. In Select Users, Computers or Groups, enter the user's or group's name, verify the name with the Check Names button, then click Next
    5. Verify that the desired user or group is within the list on the Users or Groups page then click Next
    6. On the Tasks to Delegate page, select the desired permissions for the user/group, click Next when finished
    7. Verify then click Finish

    Please accept as an answer if this was helpful.

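    The wizard steps above produce Allow ACEs on the OU. The same delegation can be scripted, which makes it easier to review exactly what was granted and, for the asker's case, to leave out Delete entirely. The following PowerShell is an added example, not code from the thread or from Microsoft: the OU name `OU=Staff,DC=example,DC=com` and the group `AD-Assistant-Admins` are assumed values, and it grants create-user, read/write-attributes and reset-password rights on user objects only, with no Delete, Delete Child or Delete Subtree right anywhere.

```powershell
# Added example (not from the thread): delegate day-to-day user management on one OU to a
# group with explicit Allow ACEs, deliberately leaving out Delete/DeleteChild/DeleteTree.
# Assumed values: the OU, the group and the domain below; change them for your forest.
Import-Module ActiveDirectory

$ouDN      = 'OU=Staff,DC=example,DC=com'   # assumed OU handed to the assistant admin
$groupName = 'AD-Assistant-Admins'          # assumed group holding the delegated accounts

$groupSid  = [System.Security.Principal.SecurityIdentifier](Get-ADGroup -Identity $groupName).SID
$rootDse   = Get-ADRootDSE

# Look up the GUIDs AD uses to scope ACEs instead of hard-coding them:
#  - schemaIDGUID of the 'user' class, so rights apply to user objects only
#  - rightsGuid of the 'Reset Password' control access right
$userClass = [Guid](Get-ADObject -SearchBase $rootDse.schemaNamingContext `
                -Filter "lDAPDisplayName -eq 'user'" -Properties schemaIDGUID).schemaIDGUID
$resetPwd  = [Guid](Get-ADObject -SearchBase "CN=Extended-Rights,$($rootDse.configurationNamingContext)" `
                -Filter "displayName -eq 'Reset Password'" -Properties rightsGuid).rightsGuid

$allow   = [System.Security.AccessControl.AccessControlType]::Allow
$inhAll  = [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All
$inhDesc = [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents
$rights  = [System.DirectoryServices.ActiveDirectoryRights]

$rules = @(
    # Create user objects in this OU and any sub-OU (CreateChild scoped to the user class).
    [System.DirectoryServices.ActiveDirectoryAccessRule]::new($groupSid, $rights::CreateChild, $allow, $userClass, $inhAll),
    # Read and write every attribute of user objects below the OU.
    [System.DirectoryServices.ActiveDirectoryAccessRule]::new($groupSid, ($rights::ReadProperty -bor $rights::WriteProperty), $allow, $inhDesc, $userClass),
    # Reset passwords on user objects below the OU (control access right, scoped to users).
    [System.DirectoryServices.ActiveDirectoryAccessRule]::new($groupSid, $rights::ExtendedRight, $allow, $resetPwd, $inhDesc, $userClass)
)

$acl = Get-Acl -Path "AD:\$ouDN"
foreach ($rule in $rules) { $acl.AddAccessRule($rule) }
Set-Acl -Path "AD:\$ouDN" -AclObject $acl

# Review what the group ended up with; Delete, DeleteChild and DeleteTree must not appear.
(Get-Acl -Path "AD:\$ouDN").Access |
    Where-Object { $_.IdentityReference -like "*\$groupName" } |
    Format-Table ActiveDirectoryRights, AccessControlType, InheritanceType, ObjectType, InheritedObjectType -AutoSize
```

    Run it from an account that already has Write DACL on the OU (a Domain Admin in practice). The final `Get-Acl` listing is the check worth keeping: the wizard's "Create, delete, and manage user accounts" task would show `DeleteChild` and `Delete` there, which is exactly what the asker wants to avoid. Note that write access to all user attributes is broad, so keep privileged accounts out of the delegated OU and let the delegated group hold only the rights the job needs.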

  2. Amit Singh 5,306 Reputation points
    2023-01-20T05:21:30.1866667+00:00

    You can create a group, place the desired users in it, and configure delegation where you can then edit their actual NTFS Special Permissions to fill in the rest.

    • Properties
    • Security
    • Advanced
    • Permissions
    • Target User
    • Edit

    From there, I'd install RSAT (Remote Server Administration Tools) on their computers and allow them to work off that instead of piping a random third-party user management program to your domain controllers.

    Alternatively to RSAT, you could create an MMC profile with Users and Computers and connect it to your domain controller.


  3. Limitless Technology 44,776 Reputation points
    2023-01-20T17:00:44.2966667+00:00

    Hello there,

    In Active Directory, administrators use default local accounts to manage domain and member servers directly and from dedicated administrative workstations.

    Whoever has the Delete right on the user object can delete files in AD, so whatever permission you are about to grant, you must not provide delete rights. Depending on the type of AD object and the AD tree level, set the Apply Onto field option to This Object Only or This Object And All Child Objects. Click Deny for the Delete permission you want to restrict (e.g., delete OU objects, delete printer).

    To protect from accidental deletion, you can add explicit Deny Delete and Deny Delete Subtree advanced permissions to the Everyone group on that container object. To further protect the OU, you can add the explicit Deny Delete All Child Objects permission on the parent container of the OU that you want to protect. The explicit Deny access control entries (ACEs) take precedence over any Allow permissions that the user might have on the container, including inherited permissions.

    Hope this resolves your query!

    -- If the reply is helpful, please Upvote and Accept it as an answer --

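    The two Deny ACEs described above (Deny Delete and Deny Delete Subtree for Everyone on the OU, Deny Delete All Child Objects for Everyone on its parent) are what Active Directory itself writes when "Protect object from accidental deletion" is ticked. The following PowerShell is an added example, not code from the thread or from Microsoft; it sets those ACEs explicitly, shows the equivalent built-in flag, and audits the domain for OUs that are still unprotected. The OU `OU=Staff,DC=example,DC=com` is an assumed value.

```powershell
# Added example (not from the thread): protect an OU the way the answer above describes,
# with explicit Deny ACEs for Everyone, then the same via the built-in
# ProtectedFromAccidentalDeletion flag. Assumed value: the OU below.
Import-Module ActiveDirectory

$ouDN     = 'OU=Staff,DC=example,DC=com'                    # assumed OU to protect
$parentDN = $ouDN.Substring($ouDN.IndexOf(',') + 1)         # first RDN stripped (assumes no escaped commas)
$everyone = [System.Security.Principal.SecurityIdentifier]::new('S-1-1-0')   # well-known Everyone SID
$rights   = [System.DirectoryServices.ActiveDirectoryRights]
$deny     = [System.Security.AccessControl.AccessControlType]::Deny
$thisOnly = [System.DirectoryServices.ActiveDirectorySecurityInheritance]::None

# 1. On the OU itself: explicit Deny Delete and Deny Delete Subtree for Everyone.
#    Explicit Deny wins over any Allow the user holds, inherited Full Control included.
$acl = Get-Acl -Path "AD:\$ouDN"
$acl.AddAccessRule([System.DirectoryServices.ActiveDirectoryAccessRule]::new(
    $everyone, ($rights::Delete -bor $rights::DeleteTree), $deny, $thisOnly))
Set-Acl -Path "AD:\$ouDN" -AclObject $acl

# 2. On the parent container: explicit Deny Delete All Child Objects for Everyone,
#    this object only. A child can be deleted either with Delete on the child or with
#    DeleteChild on the parent, so both paths have to be closed.
$parentAcl = Get-Acl -Path "AD:\$parentDN"
$parentAcl.AddAccessRule([System.DirectoryServices.ActiveDirectoryAccessRule]::new(
    $everyone, $rights::DeleteChild, $deny, $thisOnly))
Set-Acl -Path "AD:\$parentDN" -AclObject $parentAcl

# Equivalent single call: the flag behind the "Protect object from accidental deletion"
# checkbox in Active Directory Users and Computers.
Set-ADOrganizationalUnit -Identity $ouDN -ProtectedFromAccidentalDeletion $true

# Audit: every OU in the domain that still lacks the protection.
Get-ADOrganizationalUnit -Filter * -Properties ProtectedFromAccidentalDeletion |
    Where-Object { -not $_.ProtectedFromAccidentalDeletion } |
    Select-Object DistinguishedName
```

    Two caveats worth knowing before relying on this. The Deny applies to Everyone, Domain Admins included, so an intentional removal requires clearing the flag first (`Set-ADOrganizationalUnit -Identity $ouDN -ProtectedFromAccidentalDeletion $false`), which is the point. And it protects the container, not the 500 user objects inside it: someone holding Delete on those users can still remove them one by one or with a script, so the container protection belongs together with a delegation that never grants Delete on user objects, and with the AD Recycle Bin enabled so that any deletion that does get through can be reversed.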
