Active Directory user right delegation

I am using a Windows 2008 R2 Domain Controller. I have delegated control to a particular user called "USER-1" to reset the passwords of members belonging to a particular OU.

I include USER-1 in the "Remote Desktop Users" group and assign the right "Allow logon through Remote Desktop Services".

Next I log in to the Domain Controller through Remote Desktop using the authentication of USER-1. After that, when I try to open Active Directory Users & Computers, it asks for the Administrator password. Without the Administrator password USER-1 is not able to open the MMC.

I need help in this regard so that USER-1 can access Active Directory Users & Computers using his credentials.
hchabria Asked:
mrfixit584 Commented:
I don't recommend allowing a non-domain admin to log on to the DC. I recommend installing the Adminpak on the user's PC and having him run it from there.
 
Shreedhar Ette Commented:
 
hchabria Author Commented:
Hi Shree,
I am not asking how to implement delegation of administration; that has been done successfully. My question is that after delegating rights to a user for a particular OU, when that user tries to access Active Directory Users and Computers by logging into the Domain Controller using Remote Desktop, it asks for administrator authentication. Without it the user is not able to access Active Directory Users and Computers. Why is it so?
 
elawad Commented:
Try adding user1 to the domain Account Operators group and try again.
 
hchabria Author Commented:
Hi elawad,
I have added User-1 to the Account Operators group, but the problem still persists.
 
elawad Commented:
Please read this article; it will give you an idea of the permissions users need to be able to work with the Active Directory Users and Computers MMC.
http://technet.microsoft.com/en-us/library/bb727067.aspx
 
elawad Commented:
Also, log on with your domain administrator account, right-click the Active Directory Users and Computers icon, then choose Properties, then Security, and make sure the Everyone group and the Users group are there and have the Read and Execute permissions on this shortcut.
 
Shreedhar Ette Commented:
Hi,

Refer to this article:
http://support.microsoft.com/kb/296999

I hope this helps,
Shree
 
msmamji Commented:
Did you try disabling UAC?
 
hchabria Author Commented:
Sorry for late response. If I include the USER-1
 
hchabria Author Commented:
Sorry for the late response. Here is an update: now if I include USER-1 in the "Account Operators" group, then the user is able to access Active Directory Users and Computers from Remote Desktop, but he is again asked to enter his password to access AD Users and Computers, which should not happen because of the single sign-on feature.

But the problem is that in that case the user has full rights to delete/create user objects in any OU, which I don't want.
 
hchabria Author Commented:
If I go to Security by right-clicking on Active Directory Users and Computers, it shows that Everyone has the Read & execute and Read permissions.
 
hchabria Author Commented:
Installing Adminpak solved the problem.