Delegate permissions on Active Directory Users&Computers

CASE: HR has to modify user properties such as Address, Telephone,… on AD users without having Administrator Rights. They can NOT create or delete users.
1) Create a new security group (case: “hr_ad_editors”)
2) Right-click on the destination OU (case: “_USERS”) and select Delegate Control …
a. Next
b. Add users/groups (case: “hr_ad_editors”), click next
c. Select the option Create a custom task to delegate, click next
d. Select the option Only the following objects and select account objects below, click next
e. Select all properties except full control, click next & finish
3) Add specific users/groups to the created security group (case: “hr_ad_editors”)
4) Update group policy (run, CMD, gpupdate /force) on the Domain Controller
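The same delegation done from PowerShell, as an added example that is not part of the original post: it creates the group (step 1), grants the group Read/Write Property on user objects below the OU while deliberately leaving out Create Child and Delete Child (step 2, "all properties except full control"), and adds the members (step 3). It uses the ActiveDirectory module and the .NET ActiveDirectoryAccessRule class rather than the wizard. It goes one step further than the post: passing an attribute list narrows the grant to those attributes only. The domain, OU and group distinguished names, the group-container path, the member names and the attribute list are assumptions.

```powershell
# Added example, not from the original post. Assumes the ActiveDirectory module,
# an "_USERS" OU under the (assumed) domain example.com, and a groups container.
Import-Module ActiveDirectory

$GroupName  = 'hr_ad_editors'                      # name from the post
$TargetOU   = 'OU=_USERS,DC=example,DC=com'        # assumed DN of the "_USERS" OU
$GroupsPath = 'OU=Groups,DC=example,DC=com'        # assumed container for the new group
$Members    = @('hr.user1', 'hr.user2')            # assumed sAMAccountNames

# Step 1: create the security group (skipped if it already exists).
if (-not (Get-ADGroup -Filter "Name -eq '$GroupName'")) {
    New-ADGroup -Name $GroupName -GroupScope Global -GroupCategory Security `
        -Path $GroupsPath -Description 'HR: edit user attributes only, no create/delete'
}
$group = Get-ADGroup $GroupName

# Resolve the schemaIDGUID of a class or attribute from its LDAP display name.
function Get-SchemaGuid([string]$LdapDisplayName) {
    $schemaNC = (Get-ADRootDSE).schemaNamingContext
    $obj = Get-ADObject -SearchBase $schemaNC -Properties schemaIDGUID `
        -Filter "lDAPDisplayName -eq '$LdapDisplayName'"
    [guid]$obj.schemaIDGUID
}

# Step 2: grant Read/Write Property on descendant user objects only.
# No CreateChild/DeleteChild is included, so the group cannot add or remove users.
# With -Attributes empty this mirrors the wizard's "all properties" choice;
# with a list (e.g. telephoneNumber, streetAddress) the grant is limited to those.
function Grant-UserPropertyEdit {
    param(
        [string]$OU,
        [System.Security.Principal.SecurityIdentifier]$Sid,
        [string[]]$Attributes = @()
    )
    $userClassGuid = Get-SchemaGuid 'user'     # class the ACEs apply to
    $rights  = [System.DirectoryServices.ActiveDirectoryRights]'ReadProperty, WriteProperty'
    $allow   = [System.Security.AccessControl.AccessControlType]::Allow
    $inherit = [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents

    $acl = Get-Acl -Path "AD:\$OU"
    if ($Attributes.Count -eq 0) {
        # One ACE covering every property of descendant user objects.
        $acl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
            $Sid, $rights, $allow, $inherit, $userClassGuid)))
    } else {
        foreach ($attr in $Attributes) {
            # One ACE per attribute: objectType = the attribute, inheritedObjectType = user.
            $attrGuid = Get-SchemaGuid $attr
            $acl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
                $Sid, $rights, $allow, $attrGuid, $inherit, $userClassGuid)))
        }
    }
    Set-Acl -Path "AD:\$OU" -AclObject $acl
}

# All properties (as in the post) ...
Grant-UserPropertyEdit -OU $TargetOU -Sid $group.SID
# ... or, narrowed to a few attributes (assumed list):
# Grant-UserPropertyEdit -OU $TargetOU -Sid $group.SID -Attributes 'telephoneNumber','streetAddress','l'

# Step 3: populate the group.
Add-ADGroupMember -Identity $group -Members $Members
```

Run it as an account that is allowed to modify the OU's security descriptor. Because the ACEs are inherited to descendants only, users created later in the OU pick them up, but the OU object itself gets no extra rights.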
Give the users access to Active Directory Users and Computers
OPTION 1) Install the Remote Server Administration Tools on the Client PC:
a. Download AdminPack for Vista HERE
b. Download AdminPack for XP Pro or W2K3 HERE
OPTION 2) Install the Remote Server Administration Tools on a Citrix Server and give access to specific security group.
How to check the delegated permissions
Open the management console Active Directory Users and Computers
Select the View menu
Enable Advanced Features
Right-click on the destination OU, select Properties
Go to the Security tab and select Advanced
Go to the Effective Permissions tab and select the user or group to check
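A scripted version of this check, added here and not part of the original post: it reads the OU's ACL through the AD: drive, keeps only the ACEs held by the group, and flags any that would let the group create or delete objects (or take full control or change the ACL itself), which is what the HR case must not allow. The OU distinguished name and group name are assumptions.

```powershell
# Added example, not from the original post. Assumes the ActiveDirectory module
# and the (assumed) OU DN and group name used below.
Import-Module ActiveDirectory

function Test-DelegatedRights {
    param([string]$OU, [string]$GroupName)

    # Resolve the group to its DOMAIN\name form, which is how ACEs list identities.
    $group = Get-ADGroup $GroupName
    $ntName = $group.SID.Translate([System.Security.Principal.NTAccount]).Value

    # Rights that contradict "edit attributes only": adding/removing objects,
    # full control, or the ability to rewrite the ACL/ownership.
    $broad = [System.DirectoryServices.ActiveDirectoryRights]'CreateChild, DeleteChild, GenericAll, WriteDacl, WriteOwner'

    $acl = Get-Acl -Path "AD:\$OU"
    foreach ($ace in $acl.Access) {
        if ($ace.IdentityReference.Value -ne $ntName) { continue }
        [pscustomobject]@{
            Identity        = $ace.IdentityReference.Value
            Type            = $ace.AccessControlType
            Rights          = $ace.ActiveDirectoryRights
            ObjectType      = $ace.ObjectType          # attribute/class GUID; all-zero = all properties
            InheritedObject = $ace.InheritedObjectType # class the ACE applies to (user = bf967aba-...)
            Inheritance     = $ace.InheritanceType
            TooBroad        = (($ace.ActiveDirectoryRights -band $broad) -ne 0 -and
                               $ace.AccessControlType -eq 'Allow')
        }
    }
}

$report = Test-DelegatedRights -OU 'OU=_USERS,DC=example,DC=com' -GroupName 'hr_ad_editors'
$report | Format-Table -AutoSize

if ($report | Where-Object TooBroad) {
    Write-Warning 'Group holds create/delete, full-control or ACL-write rights on the OU; delegation is wider than intended.'
}
```

For a quick manual look the built-in `dsacls "OU=_USERS,DC=example,DC=com"` prints the same ACEs in text form; the script above is useful when the check has to be repeated after changes or run against several OUs.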
Footnote: Now the HR people can change the settings of users without creating or deleting them. I'm still working on fine-tuning this because I want to narrow those rights further so that they can only change SOME settings of those users.
