Delegate Active Directory permissions to a user
- Open ADUC, locate the OU to delegate control over (in these notes, the OU where the user's account lives), right-click the OU and choose Delegate Control.
- Add, enter the user name, Check Names, OK, Next.
- Choose the tasks to delegate (e.g. 'Create, delete and manage user accounts', 'Reset user passwords and force password change at next logon', 'Modify the membership of a group', etc.).
- Next, Finish.
- In the Security tab of the OU (Advanced Features must be enabled from the View menu of ADUC first) the designated user now shows as having 'Special permissions'.
To let the user run ADUC from their own PC they are made a local administrator of that PC: open MMC, add the Local Users and Groups snap-in for the target computer and add the 'domainname\username' account to the Administrators group. Note that local administrator rights are only needed to install ADMINPACK.MSI in the steps below, not to use the delegated rights themselves; if an administrator installs the package instead, the user can stay out of the local Administrators group.
The management tools now have to be installed on the client machine so Active Directory can be managed from the PC. This needs the Windows Server 2003 CD: copy I386\ADMINPACK.MSI from the disc to a shared folder on the server.
- Create a console for the user by running mmc and adding the ADUC snap-in. Save it in user mode (File / Options / 'User mode - full access') in the shared folder on the server.
- The user now logs on to their PC (they are now a local administrator) and opens the shared folder on the server where the console is saved, using its UNC path.
- Copy and paste the MMC console AND ADMINPACK.MSI to the user's desktop.
- Run ADMINPACK.MSI on the client machine.
The user can now open and create management consoles within their delegated rights.
To remove the delegation, open the advanced ACL of the OU in ADUC (Security tab, Advanced) and remove the special permissions assigned to the user.
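The same delegation, verification and removal can be done from the command line with dsacls.exe, which ships with Windows Server 2003, and the client steps with msiexec and net. The script below is an added example, not part of the original notes; the domain CORP, the OU 'Helpdesk', the user jsmith, the server FS01 and the share 'Tools' are assumed names. The dsacls rights are the ones behind the wizard tasks named above: the Reset Password extended right plus read/write of pwdLastSet for 'reset password and force change at next logon', read/write of member on group objects for 'modify the membership of a group', and create/delete of user objects plus full control of descendant user objects for 'create, delete and manage user accounts'.

```powershell
# Added example (not from the original notes). All names are assumptions.
$Domain = "CORP"
$User   = "$Domain\jsmith"
$OU     = "OU=Helpdesk,DC=corp,DC=example,DC=com"

# 1. Reset user passwords and force password change at next logon:
#    the Reset Password extended right (CA = control access) plus
#    read/write (RPWP) of pwdLastSet, inherited by user objects
#    below the OU only (/I:S = subobjects only).
dsacls $OU /I:S /G "${User}:CA;Reset Password;user"
dsacls $OU /I:S /G "${User}:RPWP;pwdLastSet;user"

# 2. Modify the membership of a group: read/write of the member
#    attribute on group objects below the OU.
dsacls $OU /I:S /G "${User}:RPWP;member;group"

# 3. Create, delete and manage user accounts: create/delete child
#    objects of class user on this OU and every OU beneath it
#    (/I:T = this object and subobjects), plus generic all (GA) on
#    the descendant user objects themselves.
dsacls $OU /I:T /G "${User}:CCDC;user"
dsacls $OU /I:S /G "${User}:GA;;user"

# Verify: dsacls with no switches dumps the DACL of the OU. The new
# entries appear as "Allow CORP\jsmith ..." lines; ADUC's Security tab
# summarises the same ACEs as "Special permissions".
dsacls $OU | Select-String $User

# Client setup, run on the client while logged on as a local
# administrator: install the admin pack from the share and (as the
# notes above do via MMC) add the user to local Administrators.
# Omit the 'net localgroup' line if an administrator installs the
# package for the user; ADUC itself does not need local admin rights.
msiexec /i "\\FS01\Tools\ADMINPACK.MSI" /qn
net localgroup Administrators $User /add

# Remove the delegation again: /R drops every ACE held by the trustee
# on the OU, which is what deleting the special permissions in ADUC does.
dsacls $OU /R $User
```

Run the dsacls lines on a domain controller or any domain-joined machine with dsacls.exe, as an account with permission to change the OU's DACL. Re-running the dump afterwards should show no lines for the user once /R has been applied.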