Delegate permissions on Active Directory Users&Computers

CASE: HR has to modify user properties such as Address, Telephone,… on AD users without having Administrator Rights. The can NOT create or delete users. 1) Create a new security group (case: “hr_ad_editors”) 2) Right-click on the destination OU (case: “_USERS”) and select Delegate Control … a. Next b. Add users/groups (case: “hr_ad_editors”), click next c. Select the option Create a custom task to delegate, click next d. Select the option Only the following objects and select account objects below, click next e. Select all properties except full control, click next & finish 3) Add specific users/groups to the created

Continue reading »