Active Directory rights delegation – part 2
This time we will delegate rights to a group of users who are responsible for creating new user accounts and new groups in the domain. In our case this group is the local HelpDesk. To give HelpDesk users this ability, you need to delegate the appropriate permissions to them. Before you do that, I strongly recommend creating dedicated groups in the domain for each task and putting the HelpDesk group into them. Treat the HelpDesk group as a role!
So, let’s start. First of all, create domain local security groups for all required tasks:
- user management in each OU
- user password reset
- group management in each OU
- group membership management
As a reference, you can use the naming convention dlg-ou-<OU name>-<task>, for example dlg-ou-finance-create-user (the dlg prefix marks a domain local group).
Then create global security groups using the same naming convention (with the gg prefix instead of dlg) and make them members of the appropriate domain local groups.
Now that all the necessary groups exist, you can start delegating tasks on the appropriate Organizational Units. Select the desired OU and run the “Delegation of Control” wizard,
add the domain local group for the task being delegated (for user management in this example it is dlg-ou-finance-create-user) and click Next.
In this step, select “Create, delete, and manage user accounts” to allow user account management
and finish the wizard by clicking the “Finish” button.
User management on this OU is almost done; what remains is allowing user password resets. Re-run the “Delegation of Control” wizard, add the password-reset group and grant it this permission:
from the available options, select “Reset user passwords and force password change at next logon”
and finish the wizard. With that, user management for this OU is done. Repeat these steps for each OU on which you want to grant user management permissions (each with its own domain local groups!). Keep administrative accounts out of the OUs you delegate this way: a delegated “Reset user passwords” right over an admin account is a direct path to that account’s privileges.
Now it is time to delegate group management tasks. Run the wizard on an OU that contains the groups to which you want to grant access and follow the steps below:
go to the user/group selection and choose the group to which you are delegating rights,
grant the selected group the required permission, “Create, delete and manage groups”,
and finish the wizard. Now we only need to grant permission to modify group membership. Run the wizard once again and follow the steps below:
add the group-membership group and assign it the permission “Modify the membership of a group”,
then finish the wizard. That is all you need to grant for user/group management. Repeat all the above steps for the other OUs on which you want to grant these permissions to the appropriate groups. Now it’s time to handle the HelpDesk role.
Create a new global group named role-HelpDesk-it
and put into it all users who work in that position and should receive the permissions you configured previously. Then place the role-HelpDesk-it global group into each domain local group to which you delegated tasks. Once you do that, members of role-HelpDesk-it have all the required permissions on the specified OUs.
From now on, each time you add a new user to the role-HelpDesk-it group he/she will be able to:
- create users
- modify users
- delete users
- reset user passwords
- create groups
- modify group membership
- delete groups
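The whole procedure above, scripted with the ActiveDirectory PowerShell module instead of clicking through the wizard, followed by a check of what actually landed on the OU. This is an added example and not part of the original post. It assumes a domain contoso.local, a target OU named Finance and a Groups OU for the delegation groups; the group name dlg-ou-finance-create-user comes from the post, while the other three task suffixes (reset-password, create-group, group-membership) are assumed. It follows the post’s final step and nests role-HelpDesk-it directly into the domain local groups, skipping the optional gg- layer.

```powershell
# Added example (not from the original post). Assumed values: domain contoso.local,
# target OU "Finance", delegation groups created in OU=Groups. Adjust to your domain.
Import-Module ActiveDirectory

$ouDn     = 'OU=Finance,DC=contoso,DC=local'   # OU receiving the delegation (assumed)
$groupsDn = 'OU=Groups,DC=contoso,DC=local'    # where the groups are created (assumed)
$ouTag    = 'finance'
$roleName = 'role-HelpDesk-it'

# Resolve schema and extended-right GUIDs from this forest instead of hard-coding them.
$rootDse = Get-ADRootDSE
function Get-SchemaGuid([string]$ldapDisplayName) {
    $o = Get-ADObject -SearchBase $rootDse.schemaNamingContext `
         -LDAPFilter "(lDAPDisplayName=$ldapDisplayName)" -Properties schemaIDGUID
    [guid]$o.schemaIDGUID
}
function Get-ExtendedRightGuid([string]$displayName) {
    $o = Get-ADObject -SearchBase "CN=Extended-Rights,$($rootDse.configurationNamingContext)" `
         -LDAPFilter "(displayName=$displayName)" -Properties rightsGuid
    [guid]$o.rightsGuid
}
$userClass  = Get-SchemaGuid 'user'
$groupClass = Get-SchemaGuid 'group'
$pwdLastSet = Get-SchemaGuid 'pwdLastSet'
$member     = Get-SchemaGuid 'member'
$resetPwd   = Get-ExtendedRightGuid 'Reset Password'
$none       = [guid]::Empty                      # "no object type" in an ACE

$ADR   = [System.DirectoryServices.ActiveDirectoryRights]
$Allow = [System.Security.AccessControl.AccessControlType]::Allow
$All   = [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All
$Desc  = [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents

# Returns the group if it exists, otherwise creates it; the ACEs need its SID.
function New-GroupIfMissing([string]$name, [string]$scope) {
    $g = Get-ADGroup -Filter "Name -eq '$name'" -ErrorAction SilentlyContinue
    if (-not $g) {
        $g = New-ADGroup -Name $name -GroupScope $scope -GroupCategory Security `
             -Path $groupsDn -PassThru
    }
    $g
}

# One ACE: rights on $objectType (attribute/class/extended right) for $inheritance,
# limited to child objects of class $inheritedObjectType. $none means "not restricted".
function New-Ace($sid, $rights, $objectType, $inheritance, $inheritedObjectType) {
    New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
        $sid, $rights, $Allow, $objectType, $inheritance, $inheritedObjectType)
}

# Creates the domain local group for one task and writes its ACEs onto the OU.
function Grant-OuRules([string]$groupName, [scriptblock]$rulesFor) {
    $g   = New-GroupIfMissing $groupName 'DomainLocal'
    $sid = [System.Security.Principal.SecurityIdentifier]$g.SID
    $acl = Get-Acl -Path "AD:\$ouDn"
    foreach ($rule in (& $rulesFor $sid)) { $acl.AddAccessRule($rule) }
    Set-Acl -Path "AD:\$ouDn" -AclObject $acl
    $g
}

$dlgGroups = @()
# Wizard task "Create, delete, and manage user accounts"
$dlgGroups += Grant-OuRules "dlg-ou-$ouTag-create-user" { param($s)
    New-Ace $s ($ADR::CreateChild -bor $ADR::DeleteChild) $userClass $All $none
    New-Ace $s $ADR::GenericAll $none $Desc $userClass
}
# Wizard task "Reset user passwords and force password change at next logon"
$dlgGroups += Grant-OuRules "dlg-ou-$ouTag-reset-password" { param($s)
    New-Ace $s $ADR::ExtendedRight $resetPwd $Desc $userClass
    New-Ace $s ($ADR::ReadProperty -bor $ADR::WriteProperty) $pwdLastSet $Desc $userClass
}
# Wizard task "Create, delete and manage groups"
$dlgGroups += Grant-OuRules "dlg-ou-$ouTag-create-group" { param($s)
    New-Ace $s ($ADR::CreateChild -bor $ADR::DeleteChild) $groupClass $All $none
    New-Ace $s $ADR::GenericAll $none $Desc $groupClass
}
# Wizard task "Modify the membership of a group"
$dlgGroups += Grant-OuRules "dlg-ou-$ouTag-group-membership" { param($s)
    New-Ace $s ($ADR::ReadProperty -bor $ADR::WriteProperty) $member $Desc $groupClass
}

# The role: one global group nested into every delegation group, so on-boarding a
# HelpDesk member is a single Add-ADGroupMember to role-HelpDesk-it.
$role = New-GroupIfMissing $roleName 'Global'
foreach ($dlg in $dlgGroups) { Add-ADGroupMember -Identity $dlg -Members $role }

# Check: explicit (non-inherited) ACEs on the OU that name a dlg- group. Run it after
# the script and again during audits; anything unexpected is a delegation added
# outside this process.
function Get-OuDelegation([string]$dn) {
    (Get-Acl -Path "AD:\$dn").Access |
        Where-Object { -not $_.IsInherited -and $_.IdentityReference -like '*\dlg-*' } |
        Select-Object IdentityReference, ActiveDirectoryRights, ObjectType,
                      InheritanceType, InheritedObjectType
}
Get-OuDelegation $ouDn | Format-Table -AutoSize
```

The script has to run with an account that already holds permissions on the target OU (Domain Admins is fine for this one-time setup; the point is that the HelpDesk staff never need it afterwards). Re-running it is safe: groups are reused and an identical ACE is not added twice. The ACE lists mirror what the corresponding wizard tasks write, so the output of Get-OuDelegation should match what you see on the OU’s Security tab after using the wizard by hand.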
Active Directory Delegation of Control is a really great option, as you can see!
I hope I was able to show you a way of delegating tasks instead of granting users “Domain Admins” membership to achieve some basic AD tasks 😀
You can try other delegation tasks in an AD environment yourself, but remember: if you do not know what you are doing, do not touch a production environment. You can always test everything in a test environment first.
I wish you good luck and enjoy your delegated tasks!
Author: Krzysztof Pytko