Delegation of Control Wizard

Posted on 2007-09-29
Last Modified: 2013-12-04
I have two problems.

My network is at a school, and what I want is to allow my Teacher users to reset the passwords of my students, but not administrators' passwords. I have 3 OUs
3-Students - under that OU are OUs for their year groups, e.g. Year 7

If I use the Delegation of Control wizard on a teacher account, I found that they can only control users in their OU. Is there a way of allowing them to control users in the STUDENT OU without moving them out of the TEACHERS OU, as this would change the security permissions such as what they can access?

Also, I would like to create an account called BUILDXP that has permission to add a computer to the domain without making the account an Administrator and without putting it in an OU with computers, as I have different OUs for teacher and student PCs.

Can anyone help?
Question by:andrewjones1987

Expert Comment

ID: 19985571
You can delegate to a user in another OU - I just tried it to make sure!

Select the OU that you want to delegate control of - i.e. Students, and right click
Select Delegate Control Wizard

Start the Delegation of Control wizard and select who you want to delegate to (I would create a security group with the teachers in it and delegate to the group - it's much easier to make changes that way - when a new teacher is employed, you can just add them to the group)

Expert Comment

ID: 19985589
For your second question (should have been 2 separate posts, I feel), simply assign the BUILDXP account the necessary right to add a computer to the domain - see http://support.microsoft.com/kb/139365

Author Comment

ID: 19985655
For the first comment, does that mean that all users in OUs that are inside the Students OU will be affected as well? This is what I want.

For the second comment, it doesn't tell me how to do this.

Accepted Solution

KCTS earned 2000 total points
ID: 19986641
If you right click on the Students OU and then delegate permissions to a group in the Teachers OU then you will delegate the defined permissions for all objects in that OU.

So in this case, if you right click on the Students OU and delegate permissions to reset passwords to a security group in the Teachers OU, it gives that group the right to change passwords for anyone in the Students OU - but that OU only


Author Comment

ID: 20006434
Not OUs beneath Students? Or do I have to run the wizard on every folder under Students?
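
Added example, not part of the thread: one way to grant the reset-password right on the Students OU with the inheritance scope set explicitly to descendant user objects, then check whether an account in a year-group OU inherits it. It assumes the ActiveDirectory PowerShell module is available; the domain DN, the group name Teachers-PasswordReset and the account admin.example are hypothetical.

```powershell
# Added example. The DNs, group name and sample accounts are hypothetical.
Import-Module ActiveDirectory

$studentsOu = 'OU=Students,DC=school,DC=example'
$group      = Get-ADGroup -Identity 'Teachers-PasswordReset'

# Schema GUIDs: the "Reset Password" extended right and the user object class.
$resetPassword = [guid]'00299570-246d-11d0-a768-00aa006e0529'
$userClass     = [guid]'bf967aba-0de6-11d0-a285-00aa003049e2'

# Allow ACE that applies to descendant user objects only, at any depth below the OU.
$ace = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $group.SID,
    [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight,
    [System.Security.AccessControl.AccessControlType]::Allow,
    $resetPassword,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents,
    $userClass)

$acl = Get-Acl -Path "AD:\$studentsOu"
$acl.AddAccessRule($ace)
Set-Acl -Path "AD:\$studentsOu" -AclObject $acl

# Return the group's reset-password ACEs found on any directory object.
function Get-ResetPasswordAce([string]$DistinguishedName) {
    (Get-Acl -Path "AD:\$DistinguishedName").Access | Where-Object {
        $_.ObjectType -eq $resetPassword -and
        $_.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]) -eq $group.SID
    } | Select-Object IdentityReference, InheritanceType, IsInherited
}

# A student in a year-group OU should list the ACE with IsInherited = True.
$student = Get-ADUser -SearchBase "OU=Year 7,$studentsOu" -Filter * -ResultSetSize 1
Get-ResetPasswordAce $student.DistinguishedName

# An account outside the Students OU (a hypothetical admin) should return nothing.
Get-ResetPasswordAce (Get-ADUser -Identity 'admin.example').DistinguishedName
```

Delegating to a group rather than to individual teacher accounts, as suggested in the thread, keeps this to a single ACE that can be audited with the same function.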
