September 4, 2019 Active Directory

How to Delegate Control and Administrator Privileges in Active Directory?

In this article we’ll look at how to delegate administrative privileges in an Active Directory domain. Delegation lets you assign specific AD management tasks to ordinary domain users without making them members of privileged domain groups such as Domain Admins or Account Operators. For example, you can use delegation to grant a particular AD security group (say, HelpDesk) the permissions to add users to groups, create new users in AD and reset account passwords.

Contents:
  • Features of Control Delegation in Active Directory
  • Delegate Password Reset and Unlock Account Permissions in AD
  • Delegation of Privileges to Join Computers to AD Domain
  • How to Remove Delegated Permissions in AD Domain?

Features of Control Delegation in Active Directory

Privileges in AD are delegated with the Delegation of Control Wizard in the Active Directory Users and Computers console (dsa.msc).

Administrative privileges in AD can be delegated at a fairly granular level. You can grant one group the permission to reset passwords in an OU and another group the permission to create and delete accounts in the same OU, and you can configure whether the permissions are inherited by nested OUs. Privileges can be delegated at the following levels:

  • AD site;
  • The whole domain;
  • A specific Organizational Unit (OU) in Active Directory.

Usually it is not recommended to delegate control directly to a user account. Create a new security group in AD instead, add a user to it and delegate permissions on an OU to the group. If you want to grant the same privileges to another user, just add them to this security group.

Please note that you should never grant anybody delegated permissions on the OU that holds the administrative accounts. Otherwise any support team member would be able to reset the password of a domain administrator. All privileged users and groups must be kept in a separate OU that is not covered by any delegation.

Delegate Password Reset and Unlock Account Permissions in AD

Let’s imagine that our task is to grant the HelpDesk group the permissions to reset passwords and unlock user accounts in the domain. Let’s create a new security group in AD using PowerShell:

New-ADGroup "HelpDesk" -path 'OU=Groups,OU=Paris,OU=Fr,dc=woshub,DC=com' -GroupScope Global

Add users you want to this group:

Add-AdGroupMember -Identity HelpDesk -Members rdroz, jdupont

Run the Active Directory Users and Computers (dsa.msc) console, right-click the OU with the users (in our example it is ‘OU=Users,OU=Paris,OU=Fr,dc=woshub,DC=com’) and select the Delegate Control menu item.

[Screenshot: Delegate Control menu item in ADUC]

Select the group you want to grant administrative privileges to.

[Screenshot: selecting the AD group to delegate control to]

Select one of the preconfigured set of privileges (Delegate the following common tasks):

  1. Create, delete, and manage user accounts;
  2. Reset user passwords and force password change at next logon;
  3. Read all user information;
  4. Create, delete and manage groups;
  5. Modify the membership of a group;
  6. Manage Group Policy links;
  7. Generate Resultant Set of Policy (Planning);
  8. Generate Resultant Set of Policy (Logging);
  9. Create, delete, and manage inetOrgPerson accounts;
  10. Reset inetOrgPerson passwords and force password change at next logon;
  11. Read all inetOrgPerson information.

Or create your own delegation task (Create a custom task to delegate). I will select the second option.

[Screenshot: Create a custom task to delegate]

Select the type of AD objects on which you want to grant administrative privileges. Since we want to grant control over user accounts, select the User Object item. If you want to provide permissions to create or delete users in the OU, select the options Create/Delete selected objects in this folder. In our example we don’t grant these privileges.

[Screenshot: Delegation of Control Wizard, User objects selected]

In the list of permissions, select the ones you want to delegate. In our example we select the permissions needed to unlock an account (Read lockoutTime and Write lockoutTime) and to reset a password (Reset password).

So that the HelpDesk team can also identify the source of account lockouts in the domain, you must grant them the right to read the Security event logs on the domain controllers.

[Screenshot: Reset password, Read lockoutTime and Write lockoutTime permissions selected]

Click Next, and confirm the delegation of the selected privileges on the last screen.

[Screenshot: final page of the Delegation of Control Wizard]
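The wizard writes nothing more than a few ACEs on the OU, so the same delegation can be scripted and, more importantly, verified. The following PowerShell is an added example and not code from the original article: it grants the HelpDesk group the same two tasks (the Reset Password control access right and Read/Write on the lockoutTime attribute, limited to descendant user objects) and then lists every ACE on the OU that applies to HelpDesk. It assumes the RSAT ActiveDirectory module is installed and uses the OU and group names from the article; the GUIDs are resolved from the schema and configuration partitions rather than hardcoded.

```powershell
# Added example (not from the original article): delegate Reset Password and
# Read/Write lockoutTime on the Users OU to HelpDesk, then verify the ACEs.
# Assumes the RSAT ActiveDirectory module and the article's OU/group names.
Import-Module ActiveDirectory

$ou    = 'OU=Users,OU=Paris,OU=Fr,DC=woshub,DC=com'
$group = Get-ADGroup -Identity 'HelpDesk'
$sid   = [System.Security.Principal.SecurityIdentifier]$group.SID

$rootDse = Get-ADRootDSE
# Resolve the GUIDs from the directory instead of hardcoding them.
$userClassGuid = [guid](Get-ADObject -SearchBase $rootDse.schemaNamingContext `
    -LDAPFilter '(lDAPDisplayName=user)' -Properties schemaIDGUID).schemaIDGUID
$lockoutGuid   = [guid](Get-ADObject -SearchBase $rootDse.schemaNamingContext `
    -LDAPFilter '(lDAPDisplayName=lockoutTime)' -Properties schemaIDGUID).schemaIDGUID
$resetPwdGuid  = [guid](Get-ADObject -SearchBase "CN=Extended-Rights,$($rootDse.configurationNamingContext)" `
    -LDAPFilter '(displayName=Reset Password)' -Properties rightsGuid).rightsGuid

$acl = Get-Acl -Path "AD:\$ou"

# "Reset Password" is a control access right, i.e. an ExtendedRight ACE scoped
# to that right and inherited only by user objects below the OU.
$acl.AddAccessRule([System.DirectoryServices.ActiveDirectoryAccessRule]::new(
    $sid,
    [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight,
    [System.Security.AccessControl.AccessControlType]::Allow,
    $resetPwdGuid,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents,
    $userClassGuid))

# Unlocking an account is done by writing lockoutTime, so grant ReadProperty
# and WriteProperty on that single attribute only, again for user objects.
$acl.AddAccessRule([System.DirectoryServices.ActiveDirectoryAccessRule]::new(
    $sid,
    [System.DirectoryServices.ActiveDirectoryRights]'ReadProperty, WriteProperty',
    [System.Security.AccessControl.AccessControlType]::Allow,
    $lockoutGuid,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents,
    $userClassGuid))

Set-Acl -Path "AD:\$ou" -AclObject $acl

# Verify: show every ACE on the OU that applies to HelpDesk. ObjectType is the
# right/attribute GUID, InheritedObjectType the object class it is limited to.
(Get-Acl -Path "AD:\$ou").Access |
    Where-Object { $_.IdentityReference -like '*\HelpDesk' } |
    Select-Object IdentityReference, ActiveDirectoryRights, AccessControlType,
                  ObjectType, InheritedObjectType, InheritanceType |
    Format-Table -AutoSize
```

The verification step is the part worth keeping in a change ticket: if the listing shows an ACE with ActiveDirectoryRights of GenericAll or an empty ObjectType, far more than password resets has been delegated, which is exactly the kind of over-delegation that later turns into a privilege escalation path.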

Now, under a user account that is a member of the HelpDesk group, try to reset the password of a user from the Users OU with PowerShell:

Set-ADAccountPassword gchaufourier -Reset -NewPassword (ConvertTo-SecureString -AsPlainText "P@ssdr0w1" -Force) -PassThru -Verbose

The password should be reset successfully (provided the new password meets the domain password policy).

Now try to create a user in this OU using the New-ADUser cmdlet:

New-ADUser -Name gmicheaux -Path 'OU=Users,OU=Paris,OU=FR,DC=woshub,DC=com' -Enabled $true

An access error will appear since you haven’t delegated the privilege to create new AD accounts.

To audit what the users you have delegated privileges to are actually doing, use the Security logs on the domain controllers. For example, you can track who reset a user password, who created a user account in AD, or who changed the membership of sensitive AD groups.
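The following PowerShell is an added example, not code from the original article. It pulls the Security events on a domain controller that correspond to the delegated tasks (4724 password reset attempt, 4767 account unlocked, 4720 user account created, 4728/4732/4756 member added to a global, local or universal security group), flattens the event data so all of them can be read with the same field names, and keeps only the entries performed by members of the HelpDesk group. The domain controller name DC01 is an assumption, and the caller must be allowed to read that DC's Security log.

```powershell
# Added example (not from the original article): report delegated HelpDesk
# activity from a domain controller's Security log. 'DC01' is an assumed name.
Import-Module ActiveDirectory

$dc    = 'DC01'
$since = (Get-Date).AddDays(-1)
# 4724 password reset attempt, 4767 account unlocked, 4720 user created,
# 4728/4732/4756 member added to a security-enabled global/local/universal group.
$ids   = 4724, 4767, 4720, 4728, 4732, 4756

# Resolve the delegated users once so the filter below is a simple lookup.
$helpdesk = (Get-ADGroupMember -Identity 'HelpDesk' -Recursive).SamAccountName

Get-WinEvent -ComputerName $dc -ErrorAction SilentlyContinue `
    -FilterHashtable @{ LogName = 'Security'; Id = $ids; StartTime = $since } |
    ForEach-Object {
        # Flatten <EventData><Data Name="...">value</Data> into a hashtable so
        # the different event IDs can be read with the same field names.
        $data = @{}
        foreach ($node in ([xml]$_.ToXml()).Event.EventData.Data) {
            $data[$node.Name] = $node.'#text'
        }
        [pscustomobject]@{
            Time    = $_.TimeCreated
            EventId = $_.Id
            Actor   = $data.SubjectUserName
            # Group-change events carry the member DN in MemberName and the
            # group name in TargetUserName; the other IDs use TargetUserName
            # for the affected account.
            Target  = if ($data.MemberName) { $data.MemberName } else { $data.TargetUserName }
            Group   = if ($data.MemberName) { $data.TargetUserName } else { $null }
        }
    } |
    Where-Object { $helpdesk -contains $_.Actor } |
    Sort-Object Time |
    Format-Table -AutoSize
```

Run it against every domain controller (or against a log collector that already forwards DC Security logs), because each DC only records the operations it processed itself. Any 4724 or 4767 whose Target is an administrative account, or any group-change event whose Group is a privileged group, should never show up in this report if the OU containing those accounts has been excluded from delegation as recommended above.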

Delegation of Privileges to Join Computers to AD Domain

By default, any domain user can join up to 10 computers to the domain. When you try to add the 11th computer, this error message appears:

Your computer could not be joined to the domain. You have exceeded the maximum number of computer accounts you are allowed to create in this domain. Contact your system administrator to have this limit reset or increased.


You can lift this restriction for the whole domain by increasing the value of the ms-DS-MachineAccountQuota attribute, or (the more reasonable and secure option) by delegating the right to join computers to a specific OU to a particular group of users (HelpDesk). To do so, delegate the right to create objects of the type Computer objects: in the Delegation of Control Wizard, select Create selected objects in this folder.

[Screenshot: Computer objects selected with Create selected objects in this folder]

Select Create All Child Objects in the Permissions section.

[Screenshot: Create All Child Objects permission selected]
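The scripted equivalent, as an added example rather than code from the original article: read the current domain-wide ms-DS-MachineAccountQuota, then grant HelpDesk the right to create computer objects in a dedicated OU so that the quota itself does not have to be raised. The OU name OU=Computers,OU=Paris,OU=Fr is an assumption; the group name comes from the article and the RSAT ActiveDirectory module is required.

```powershell
# Added example (not from the original article): inspect the machine account
# quota and delegate "create computer objects" on one OU to HelpDesk.
# The computers OU below is an assumed name.
Import-Module ActiveDirectory

$domain = Get-ADDomain
# Every authenticated user may create this many computer accounts (default 10).
$quota = (Get-ADObject -Identity $domain.DistinguishedName `
    -Properties 'ms-DS-MachineAccountQuota').'ms-DS-MachineAccountQuota'
"Current ms-DS-MachineAccountQuota: $quota"

$computersOu = "OU=Computers,OU=Paris,OU=Fr,$($domain.DistinguishedName)"
$sid = [System.Security.Principal.SecurityIdentifier](Get-ADGroup -Identity 'HelpDesk').SID

# schemaIDGUID of the computer class, so the CreateChild ACE is limited to
# computer objects instead of "All Child Objects".
$computerClassGuid = [guid](Get-ADObject -SearchBase (Get-ADRootDSE).schemaNamingContext `
    -LDAPFilter '(lDAPDisplayName=computer)' -Properties schemaIDGUID).schemaIDGUID

$acl = Get-Acl -Path "AD:\$computersOu"
$acl.AddAccessRule([System.DirectoryServices.ActiveDirectoryAccessRule]::new(
    $sid,
    [System.DirectoryServices.ActiveDirectoryRights]::CreateChild,
    [System.Security.AccessControl.AccessControlType]::Allow,
    $computerClassGuid,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All))
Set-Acl -Path "AD:\$computersOu" -AclObject $acl

# Verify the new ACE (ObjectType should be the computer class GUID).
(Get-Acl -Path "AD:\$computersOu").Access |
    Where-Object { $_.IdentityReference -like '*\HelpDesk' } |
    Select-Object ActiveDirectoryRights, ObjectType, InheritanceType
```

Scoping the ACE to the computer class is the difference between "HelpDesk can join machines here" and "HelpDesk can create any object type in this OU", which is why the wizard's Create All Child Objects setting is broader than most teams actually intend.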

How to Remove Delegated Permissions in AD Domain?

To remove delegated permissions for the AD security group, open the OU properties in the ADUC console and go to the Security tab.

[Screenshot: Security tab of the OU properties]

In the list of permissions, find the group you have delegated the privileges to and click Remove. You can view the list of the delegated permissions in the Advanced tab. As you can see, the HelpDesk group can reset user passwords.

In the Security -> Advanced tab you can also fine-tune the delegation by assigning non-standard permissions to various security groups.
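The removal can also be scripted. The following PowerShell is an added example, not code from the original article: it strips every explicit ACE granted to HelpDesk on the Users OU and then lists whatever still applies to the group. Anything left after the removal is inherited from a parent container and has to be removed there, which the Security tab of the OU itself will not let you do. It assumes the OU and group names used in the article.

```powershell
# Added example (not from the original article): remove all explicit ACEs
# delegated to HelpDesk on the Users OU and show what remains.
Import-Module ActiveDirectory

$ou  = 'OU=Users,OU=Paris,OU=Fr,DC=woshub,DC=com'
$acl = Get-Acl -Path "AD:\$ou"

# Copy the matching ACEs first: removing while enumerating $acl.Access is unsafe.
# Only explicit (non-inherited) ACEs can be removed on this object.
$delegated = @($acl.Access |
    Where-Object { $_.IdentityReference -like '*\HelpDesk' -and -not $_.IsInherited })
foreach ($ace in $delegated) { [void]$acl.RemoveAccessRule($ace) }
Set-Acl -Path "AD:\$ou" -AclObject $acl

"Removed $($delegated.Count) explicit ACE(s) for HelpDesk on $ou"

# Anything still listed here is inherited from a parent OU or the domain head
# and must be removed there (or blocked by disabling inheritance on this OU).
(Get-Acl -Path "AD:\$ou").Access |
    Where-Object { $_.IdentityReference -like '*\HelpDesk' } |
    Select-Object IdentityReference, ActiveDirectoryRights, ObjectType, IsInherited
```

Checking for inherited entries matters because delegation done at the domain or site level, as listed under the levels above, silently applies to every OU beneath it and is easy to miss when cleaning up a single OU.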
