March 15, 2024

Delegating Administrative Permissions in Active Directory

In this article, we'll look at how to delegate administrative permissions in an Active Directory domain. Delegation lets you grant ordinary (non-admin) domain users the permissions to perform specific AD management tasks without adding them to privileged domain groups such as Domain Admins or Account Operators. For example, you can use delegation to grant a particular AD security group (say, HelpDesk) the permissions to add users to groups, create new users in AD, and reset account passwords.

Contents:
  • Understanding Active Directory Delegated Permissions
  • Delegate Password Reset and Unlock Account Permissions in AD
  • Delegate Permissions to Join Computers to AD Domain
  • How to View and Remove Delegated Permissions in Active Directory?
  • How to Delegate Permissions in Active Directory with PowerShell?

Understanding Active Directory Delegated Permissions

Permissions in AD are delegated with the Delegation of Control Wizard in the Active Directory Users and Computers console (dsa.msc).

Administrative privileges in AD can be delegated at a fairly granular level. You can allow one group to reset passwords in an OU, another to create and delete user accounts, and a third to create groups and change group membership. Permission inheritance can be configured for nested OUs. Permissions can be delegated in Active Directory at the following levels:

  • AD site;
  • The whole domain;
  • A specific Organizational Unit (OU) in Active Directory;
  • A specific AD object.

Best practices for delegating control in Active Directory:

  • Do not delegate (assign) permissions directly to individual user accounts. Instead, create a new security group in AD, add the user to it, and delegate permissions on the OU to that group. To grant the same permissions to another user, simply add them to the security group;
  • Avoid Deny permissions, since they take precedence over Allow permissions and make the effective rights harder to reason about;
  • Periodically audit the delegated permissions in the domain (a report of the current permissions per OU can be generated with PowerShell);
  • Do not grant anyone permission to manage the OU that contains administrator accounts. Otherwise, any support staff member could reset a domain administrator's password. All privileged users and groups should be placed in a separate OU that is not covered by any delegation rules.

Delegate Password Reset and Unlock Account Permissions in AD

Let’s imagine that your task is to grant the HelpDesk group permission to reset passwords and unlock user accounts in the domain. Let’s create a new security group in AD using PowerShell:

New-ADGroup "HelpDesk" -path 'OU=Groups,OU=Paris,OU=Fr,dc=woshub,DC=com' -GroupScope Global

Add users you want to this group:

Add-AdGroupMember -Identity HelpDesk -Members rdroz, jdupont

Run the Active Directory Users and Computers MMC snap-in (dsa.msc), right-click the OU with the users (in our example it is ‘OU=Users,OU=Paris,OU=Fr,dc=woshub,DC=com’), and select the Delegate Control menu item.

Select the group you want to grant administrative privileges to.

Select one of the preconfigured set of privileges (Delegate the following common tasks):

  • Create, delete, and manage user accounts;
  • Reset user passwords and force password change at the next logon;
  • Read all user information;
  • Create, delete, and manage groups;
  • Modify the membership of a group;
  • Manage Group Policy links;
  • Generate Resultant Set of Policy (Planning);
  • Generate Resultant Set of Policy (Logging);
  • Create, delete, and manage inetOrgPerson accounts;
  • Reset inetOrgPerson passwords and force password change at the next logon;
  • Read all inetOrgPerson information.

Alternatively, create a custom task to delegate. In this example, we choose the second option.

Select the type of AD objects you want to grant administrative permissions for. Since we want to grant control over user accounts, select the User objects item. If you also want to grant permission to create or delete users in the OU, tick the Create/Delete selected objects in this folder options. In our example, we don't grant these privileges.

In the list of permissions, select the ones you want to delegate. In our example, we’ll select the privileges to unlock user accounts (Read lockoutTime and Write lockoutTime) and to reset a password (Reset password).

If the HelpDesk team also needs to identify the source of account lockouts in the domain, you must additionally allow them to read the Security event logs on the domain controllers.

Click Next, and confirm the delegation of the selected permissions on the last screen.

Now, logged on as a user from the HelpDesk group, try to reset the password of a user in the target OU using PowerShell:

Set-ADAccountPassword gchaufourier -Reset -NewPassword (ConvertTo-SecureString -AsPlainText "P@ssdr0w1" -Force -Verbose) -PassThru

The password should reset successfully (if it matches the domain password policy).

Now try to create a user in this OU using the New-ADUser cmdlet:

New-ADUser -Name gmicheaux -Path 'OU=Users,OU=Paris,OU=FR,DC=woshub,DC=com' -Enabled $true

An access denied error should appear since you haven’t delegated the rights to create new AD accounts.

You can use domain controller security logs to audit the actions of users to whom you have delegated administrative permissions. For example, you can track who created a user account in AD or look for membership changes in sensitive AD groups.
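As an added example that is not part of the original article, the following script pulls the domain controller Security events that record the actions a delegated HelpDesk group typically performs (user creation, password reset, account unlock, group membership changes) and shows which operator acted on which account. It assumes the ActiveDirectory module is installed, the caller can read the DC's Security log, the Audit User Account Management and Audit Security Group Management subcategories are enabled, and the DC name is a placeholder.

```powershell
# Added example (not the article's code): correlate DC Security events with the members of a
# delegated group. Assumptions: ActiveDirectory module present, read access to the DC Security
# log, account- and group-management auditing enabled, DC name below is a placeholder.
Import-Module ActiveDirectory

$DomainController = 'dc01.woshub.com'   # placeholder: your DC
$HelpDeskGroup    = 'HelpDesk'
$Since            = (Get-Date).AddDays(-7)

# Security log event IDs a DC writes for these account-management actions
$EventIds = @{
    4720 = 'User account created'
    4724 = 'Password reset attempt'
    4767 = 'User account unlocked'
    4728 = 'Member added to global group'
    4732 = 'Member added to local group'
    4756 = 'Member added to universal group'
}

# SamAccountNames of the delegated operators, so their actions can be isolated
$Operators = Get-ADGroupMember -Identity $HelpDeskGroup -Recursive |
    Where-Object objectClass -eq 'user' |
    Select-Object -ExpandProperty SamAccountName

$Events = Get-WinEvent -ComputerName $DomainController -FilterHashtable @{
    LogName   = 'Security'
    Id        = [int[]]$EventIds.Keys
    StartTime = $Since
}

$Events | ForEach-Object {
    # Pull the named fields out of the event XML
    $data = @{}
    foreach ($d in ([xml]$_.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
    [pscustomobject]@{
        Time     = $_.TimeCreated
        EventId  = $_.Id
        Action   = $EventIds[$_.Id]
        Operator = $data['SubjectUserName']   # who performed the action
        Target   = $data['TargetUserName']    # account (or group) acted on
        Member   = $data['MemberName']        # only set for group membership events
    }
} | Where-Object { $_.Operator -in $Operators } |
    Sort-Object Time -Descending |
    Format-Table -AutoSize
```

Any operator in the output acting on accounts outside the delegated OU, or on members of privileged groups, indicates a delegation that is broader than intended and should be reviewed.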

Delegate Permissions to Join Computers to AD Domain

By default, any domain user can join up to 10 computers to the domain. When adding the 11th computer, an error will appear:

Your computer could not be joined to the domain. You have exceeded the maximum number of computer accounts you are allowed to create in this domain. Contact your system administrator to have this limit reset or increased.

You can lift this restriction domain-wide by increasing the value of the ms-DS-MachineAccountQuota attribute. The more correct and secure option is to delegate the permission to join computers to a specific OU to a specific user group (for example, HelpDesk). To do this, delegate the permission to create objects of the Computer type: in the Delegation of Control Wizard, select Create selected objects in this folder.

Select Create All Child Objects in the Permissions section.

If you want to delegate the right to move objects between Organizational Units in AD, you must grant the following permissions: Delete User objects, Write Distinguished Name, Write name (**), Create User (or Computer) objects.

How to View and Remove Delegated Permissions in Active Directory?

Any number of delegation rules can be assigned to an OU in AD. You can get a list of groups and the permissions delegated to them in the properties of the OU in the ADUC console. Go to the Security tab.

This contains a list of AD subjects that have been granted permissions for this container. You can see the list of granted permissions on the Advanced tab. As you can see, the HelpDesk group is allowed to reset passwords.

You can revoke the administrative permissions previously delegated to a specific group here. Find the name of the group you delegated permissions to and click Remove.

In addition, on the Security -> Advanced tab you can manually assign delegated permissions to different security groups.

How to Delegate Permissions in Active Directory with PowerShell?

You can get a list of permissions that are delegated to the OU or change the current permissions using PowerShell. The Get-ACL and Set-ACL cmdlets are used to view and change permissions in Active Directory (the same PowerShell cmdlets are used to manage NTFS permissions on files and folders).

The following simple script will list all non-standard permissions that are delegated to a specific organizational unit in AD:

# Get the OU (or OUs) to report on
$OUs = Get-ADOrganizationalUnit -Filter 'DistinguishedName -eq "OU=Users,OU=Paris,DC=woshub,DC=com"' | Select-Object -ExpandProperty DistinguishedName

# Build a lookup table that maps schema object GUIDs and extended-right GUIDs to readable names
$schemaIDGUID = @{}
$ErrorActionPreference = 'SilentlyContinue'   # ignore duplicate GUIDs while filling the table
Get-ADObject -SearchBase (Get-ADRootDSE).schemaNamingContext -LDAPFilter '(schemaIDGUID=*)' -Properties name, schemaIDGUID |
    ForEach-Object { $schemaIDGUID.Add([System.GUID]$_.schemaIDGUID, $_.name) }
Get-ADObject -SearchBase "CN=Extended-Rights,$((Get-ADRootDSE).configurationNamingContext)" -LDAPFilter '(objectClass=controlAccessRight)' -Properties name, rightsGUID |
    ForEach-Object { $schemaIDGUID.Add([System.GUID]$_.rightsGUID, $_.name) }
$ErrorActionPreference = 'Continue'

# Collect every ACE on each OU, with the object type GUIDs resolved to names
$report = @()
ForEach ($OU in $OUs) {
    $report += Get-Acl -Path "AD:\$OU" |
        Select-Object -ExpandProperty Access |
        Select-Object @{name='organizationalUnit'; expression={$OU}}, `
            @{name='objectTypeName'; expression={ if ($_.objectType.ToString() -eq '00000000-0000-0000-0000-000000000000') {'All'} Else {$schemaIDGUID.Item($_.objectType)} }}, `
            @{name='inheritedObjectTypeName'; expression={$schemaIDGUID.Item($_.inheritedObjectType)}}, `
            *
}
# $report now holds the permissions assigned on the OU(s)

You can view the delegated permissions report in a graphical table using the Out-GridView cmdlet (the filter hides the built-in and NT AUTHORITY entries that are present on every OU):

$report | Where-Object { ($_.IdentityReference -notlike "*BUILTIN*") -and ($_.IdentityReference -notlike "*NT AUTHORITY*") } | Out-GridView

Or export the list of permissions to a CSV file for further analysis in Excel (you can also write data directly to an Excel file from a PowerShell script):

$report | Export-Csv -Path "C:\reports\AD_OU_Permissions.csv" -NoTypeInformation

The resulting report shows that the HelpDesk group has been delegated the permissions to reset user passwords (ObjectTypeName=User-Force-Change-Password) in the OU.

You can use the dsacls tool to delegate rights to an OU. For example:

dsacls "ou=users,ou=paris,dc=woshub,dc=com" /I:S /G "WOSHUB\HELPDESK:CA;Reset Password;user" "WOSHUB\HELPDESK:WP;pwdLastSet;user" "WOSHUB\HELPDESK:WP;lockoutTime;user"

You can also assign permissions to the Organizational Unit container using PowerShell (in this example, the permissions to reset the password are delegated):

$OU = "AD:\OU=Users,OU=Paris,DC=woshub,DC=com"
$group = Get-ADGroup HelpDesk
$sid = New-Object System.Security.Principal.SecurityIdentifier $group.SID
# GUID of the User-Force-Change-Password (Reset Password) extended right
$ResetPassword = [GUID]"00299570-246d-11d0-a768-00aa006e0529"
# schemaIDGUID of the user object class
$UserObjectType = [GUID]"bf967aba-0de6-11d0-a285-00aa003049e2"
$ACL = Get-Acl -Path $OU
# Allow the group the Reset Password right on all user objects below the OU
$RuleResetPassword = New-Object System.DirectoryServices.ActiveDirectoryAccessRule ($sid, "ExtendedRight", "Allow", $ResetPassword, "Descendents", $UserObjectType)
$ACL.AddAccessRule($RuleResetPassword)
Set-Acl -Path $OU -AclObject $ACL

Similarly, you can delegate other permissions to AD organizational containers using PowerShell.
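As an added example that is not the article's own code, the same Get-Acl/Set-Acl technique is wrapped below in a function that resolves attribute, class and extended-right GUIDs by name from the schema and the Extended-Rights container instead of hardcoding them, and is then applied to the three delegations discussed in this article: unlocking accounts (lockoutTime), resetting passwords, and joining computers. The OU and group names are placeholders based on the article's domain; the Computers OU is assumed.

```powershell
# Added example (not the article's code). Assumptions: ActiveDirectory module present, the caller
# may modify the OU ACLs, and the OU/group names below are placeholders.
Import-Module ActiveDirectory

function Get-AdSchemaGuid {
    # Resolve a class/attribute (by lDAPDisplayName) or an extended right (by name or
    # display name, e.g. 'Reset Password') to the GUID used in an ACE.
    param([Parameter(Mandatory)][string]$Name)
    $rootDse = Get-ADRootDSE
    $obj = Get-ADObject -SearchBase $rootDse.schemaNamingContext `
        -LDAPFilter "(lDAPDisplayName=$Name)" -Properties schemaIDGUID
    if ($obj) { return [guid]$obj.schemaIDGUID }
    $right = Get-ADObject -SearchBase "CN=Extended-Rights,$($rootDse.configurationNamingContext)" `
        -LDAPFilter "(&(objectClass=controlAccessRight)(|(name=$Name)(displayName=$Name)))" -Properties rightsGUID
    if ($right) { return [guid]$right.rightsGUID }
    throw "No schema object or extended right named '$Name'"
}

function Add-AdDelegation {
    # Append one Allow ACE for $Group to the OU's ACL. $ObjectType names the attribute, class or
    # extended right the ACE covers; $AppliesTo restricts it to descendant objects of one class.
    param(
        [Parameter(Mandatory)][string]$OuDn,
        [Parameter(Mandatory)][string]$Group,
        [Parameter(Mandatory)][System.DirectoryServices.ActiveDirectoryRights]$Rights,
        [string]$ObjectType,
        [string]$AppliesTo,
        [System.DirectoryServices.ActiveDirectorySecurityInheritance]$Inheritance = 'Descendents'
    )
    $sid = [System.Security.Principal.SecurityIdentifier](Get-ADGroup $Group).SID
    $typeGuid      = if ($ObjectType) { Get-AdSchemaGuid $ObjectType } else { [guid]::Empty }
    $appliesToGuid = if ($AppliesTo)  { Get-AdSchemaGuid $AppliesTo }  else { [guid]::Empty }
    $acl  = Get-Acl -Path "AD:\$OuDn"
    $rule = New-Object System.DirectoryServices.ActiveDirectoryAccessRule `
        -ArgumentList $sid, $Rights, 'Allow', $typeGuid, $Inheritance, $appliesToGuid
    $acl.AddAccessRule($rule)
    Set-Acl -Path "AD:\$OuDn" -AclObject $acl
}

$usersOu     = 'OU=Users,OU=Paris,OU=Fr,DC=woshub,DC=com'       # placeholder OUs
$computersOu = 'OU=Computers,OU=Paris,OU=Fr,DC=woshub,DC=com'
# Unlock accounts: read/write lockoutTime on user objects in the OU
Add-AdDelegation -OuDn $usersOu -Group HelpDesk -Rights 'ReadProperty,WriteProperty' -ObjectType lockoutTime -AppliesTo user
# Reset passwords: the User-Force-Change-Password extended right on user objects
Add-AdDelegation -OuDn $usersOu -Group HelpDesk -Rights ExtendedRight -ObjectType 'Reset Password' -AppliesTo user
# Join computers: create computer objects in the OU and its nested OUs
Add-AdDelegation -OuDn $computersOu -Group HelpDesk -Rights CreateChild -ObjectType computer -Inheritance All
```

After running it, re-run the reporting script from the previous section against the same OUs to confirm that only the intended ACEs were added.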
