Ad delegation rights

Gracjan Podłęcki 61 Reputation points
2021-01-11T15:54:33.677+00:00

Hi

I need to set rights for our helpdesk employee.
Requirements:

  • can change user password
  • can unlock locked and disabled user and computer accounts
  • can move user account to another OU (disabled_users)
  • can move computer account to OU (disabled_computers)
  • can create user accounts
  • can add new computer and user accounts
  • can join, rejoin computers to the domain
  • can modify group membership
  • but cannot do anything connected with domain admins or local domain accounts

I know that creating a custom task delegation would be the best option, but I don't understand many of these options.

(screenshot: 55446-obraz.png)

Please can you help me solve it? I appreciate any help.
Thx


Accepted answer
    Thameur-BOURBITA 32,986 Reputation points
    2021-01-11T23:21:24.357+00:00

    Hi,

    There are two options to set delegation in Active Directory: set ACLs on each OU, or use the delegation wizard.
    The best option is to use the delegation wizard to give the permissions mentioned in your question to your help desk team on each OU.
    You can refer to the following link to understand the delegation concept in Active Directory and how to set delegation using the delegation wizard (active-directory-security-delegation):

    https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/plan/delegating-administration-by-using-ou-objects

    Once the delegation setup is completed, you can remove the helpdesk admin account from the Domain Admins group on each domain.

    ----------

    Please don't forget to mark the helpful reply as the answer.

    ----------


1 additional answer

    Fan Fan 15,336 Reputation points Microsoft Vendor
    2021-01-12T00:56:41.51+00:00

    Hi,
    The following information is for your reference:

    To reset user passwords:
    Right-click the OU > 'Delegate Control...'.
    At the Welcome dialog, click 'Next'.
    At the Users or Groups dialog, click the 'Add...' button. You will be prompted to add a user or group to which you will apply delegated rights.
    At the Select Users, Computers, and Groups dialog, either type the name of the object (use domain\username or domain\groupname for best results) or click 'Advanced' > 'Find' to locate the resource you wish to apply permissions to.
    At the Tasks to Delegate dialog, you can select from a wide assortment of tasks to assign to your users.
    Select 'Reset user passwords and force password change at logon' and click the 'Next' button.

    To enable/disable user accounts:
    Click the 'Create a custom task to delegate' radio button and click the 'Next' button.
    At the 'Permissions' dialog, select the 'General' and 'Property-specific' checkboxes and, in the list below, check the following permissions:
    Change Password, Reset Password, Read userAccountControl, Write userAccountControl

    To grant Active Directory unlock account permissions:
    Choose Create a custom task to delegate and click Next.
    Choose 'Only the following objects in the folder' under the 'Delegate control of' option.
    Check the 'User objects' option as the object type to which to delegate.
    Click Next to proceed.
    Ensure Property-specific is checked.
    Scroll to the Read lockoutTime permission and check both Read lockoutTime and Write lockoutTime. The properties are sorted in alphanumeric order.
    Click Next to proceed.
    Review the changes and ensure the changes are correct.
    Click Finish to save your changes and close the wizard.

    To join or remove computers from the domain:
    Choose 'Create a custom task to delegate', then click Next.
    Then select "Only the following objects in the folder", tick "Computer objects" in the list, and also tick the two boxes at the bottom, "Create selected objects in this folder" and "Delete selected objects in this folder". Click Next.
    On the next screen select "Full Control" from the list, then click Next.

    To set up the AD Delegation Wizard for group management:
    With a right-click on the OU, he selects "Delegate Control..." to start the wizard.
    Now he decides which rights the helpdesk gets. What is needed:
    "Create, delete, and manage groups", "Modify the membership of a group"

    Best Regards,

    1 person found this answer helpful.
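Both answers above point at the Delegate Control wizard; the first also mentions setting the ACLs on each OU directly, which is what the wizard does behind the scenes. The PowerShell below is an added example, not code from the question or either answer: it writes the same access control entries the wizard would for the tasks listed in the question (reset and change passwords, unlock via lockoutTime, enable/disable via userAccountControl, create/delete and move user and computer objects, modify group membership, and the rights a joining account needs on a computer object) and then reads the result back for review. It looks up attribute, class and extended-right GUIDs from the schema at run time instead of hard-coding them. The domain name, the group CONTOSO\HelpDesk-Tier1 and the four OU distinguished names are assumed placeholders. It assumes a move needs CreateChild on the destination OU, DeleteChild on the source OU and write access to the object's cn and name attributes, which is why the same rights are applied to the disabled_users and disabled_computers OUs. For the domain-join part it grants a narrower set (Reset Password, the two validated writes and the Account Restrictions property set) than the "Full Control" the second answer uses. The last requirement, no rights over Domain Admins, is covered by AdminSDHolder: SDProp periodically overwrites the ACLs of members of protected groups from the AdminSDHolder object, so OU-level delegation never reaches them as long as the helpdesk group is given no ACE on AdminSDHolder and is not itself placed in a protected group; the audit function at the end checks that.

```powershell
# Added example (not from the question or answers). Assumed placeholders:
# domain CONTOSO, group HelpDesk-Tier1 and the OU DNs below.
Import-Module ActiveDirectory

$HelpdeskGroup = 'CONTOSO\HelpDesk-Tier1'
$TargetOUs = @(
    'OU=Users,OU=Corp,DC=contoso,DC=com',
    'OU=Computers,OU=Corp,DC=contoso,DC=com',
    'OU=disabled_users,DC=contoso,DC=com',       # move destination, needs CreateChild
    'OU=disabled_computers,DC=contoso,DC=com'
)

$rootDse  = Get-ADRootDSE
$schemaNC = $rootDse.schemaNamingContext
$configNC = $rootDse.configurationNamingContext
$sid = (New-Object System.Security.Principal.NTAccount($HelpdeskGroup)).Translate(
           [System.Security.Principal.SecurityIdentifier])

# Resolve GUIDs from the forest schema rather than hard-coding them.
function Get-SchemaGuid([string]$LdapDisplayName) {
    $o = Get-ADObject -SearchBase $schemaNC -LDAPFilter "(lDAPDisplayName=$LdapDisplayName)" -Properties schemaIDGUID
    return [guid]$o.schemaIDGUID
}
# Extended rights, validated writes and property sets live under CN=Extended-Rights.
function Get-RightGuid([string]$DisplayName) {
    $o = Get-ADObject -SearchBase "CN=Extended-Rights,$configNC" -LDAPFilter "(displayName=$DisplayName)" -Properties rightsGuid
    return [guid]$o.rightsGuid
}

$userClass     = Get-SchemaGuid 'user'
$computerClass = Get-SchemaGuid 'computer'
$groupClass    = Get-SchemaGuid 'group'

# Rights on descendant objects of a class: Rights / object GUID / inherited class.
$objectRights = @(
    @{ Rights = 'ExtendedRight'; Guid = (Get-RightGuid 'Reset Password');  Class = $userClass }
    @{ Rights = 'ExtendedRight'; Guid = (Get-RightGuid 'Change Password'); Class = $userClass }
    @{ Rights = 'WriteProperty'; Guid = (Get-SchemaGuid 'member');         Class = $groupClass }
    # domain join / rejoin: what the joining account needs on the computer object
    @{ Rights = 'ExtendedRight'; Guid = (Get-RightGuid 'Reset Password'); Class = $computerClass }
    @{ Rights = 'Self'; Guid = (Get-RightGuid 'Validated write to DNS host name');         Class = $computerClass }
    @{ Rights = 'Self'; Guid = (Get-RightGuid 'Validated write to service principal name'); Class = $computerClass }
    @{ Rights = 'ReadProperty,WriteProperty'; Guid = (Get-RightGuid 'Account Restrictions'); Class = $computerClass }
)
# unlock (lockoutTime), enable/disable (userAccountControl) and rename-on-move (cn, name)
foreach ($class in $userClass, $computerClass) {
    foreach ($attr in 'lockoutTime', 'userAccountControl', 'cn', 'name') {
        $objectRights += @{ Rights = 'ReadProperty,WriteProperty'; Guid = (Get-SchemaGuid $attr); Class = $class }
    }
}

function Set-HelpdeskDelegation([string]$OuDn) {
    $path = "AD:\$OuDn"
    $acl  = Get-Acl -Path $path
    foreach ($r in $objectRights) {
        $acl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
            $sid, [System.DirectoryServices.ActiveDirectoryRights]$r.Rights,
            [System.Security.AccessControl.AccessControlType]::Allow, $r.Guid,
            [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents, $r.Class)))
    }
    # create/delete user and computer objects in this OU and any sub-OU
    foreach ($class in $userClass, $computerClass) {
        $acl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
            $sid, [System.DirectoryServices.ActiveDirectoryRights]'CreateChild,DeleteChild',
            [System.Security.AccessControl.AccessControlType]::Allow, $class,
            [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All)))
    }
    Set-Acl -Path $path -AclObject $acl
}

# Read back every ACE the helpdesk group holds on an object, for review.
function Get-HelpdeskAces([string]$Dn) {
    (Get-Acl -Path "AD:\$Dn").Access |
        Where-Object { $_.IdentityReference.Value -eq $HelpdeskGroup } |
        Select-Object ActiveDirectoryRights, AccessControlType, ObjectType, InheritedObjectType, IsInherited
}

foreach ($ou in $TargetOUs) {
    Set-HelpdeskDelegation $ou
    Write-Host "ACEs on $ou"
    Get-HelpdeskAces $ou | Format-Table -AutoSize
}

# Protected accounts (Domain Admins etc.) get their ACLs from AdminSDHolder, so the
# helpdesk group must not appear there; this is the check for the last requirement.
$adminSdHolder = "CN=AdminSDHolder,CN=System,$($rootDse.defaultNamingContext)"
if (Get-HelpdeskAces $adminSdHolder) {
    Write-Warning "$HelpdeskGroup has an ACE on AdminSDHolder; remove it before going live."
}
```

Run it once per domain as an account that can write the OUs' security descriptors, then review the table it prints: every ACE should carry the helpdesk group's SID, a specific ObjectType GUID (never the empty GUID that means "all properties") and an InheritedObjectType of user, computer or group. After the ACLs are in place, the helpdesk account can be taken out of Domain Admins as the first answer suggests.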
