Active Directory user right delegation

I am using a Windows 2008 R2 Domain Controller. I have delegated control to a particular user called "USER-1" to reset the passwords of members belonging to a particular OU.

I included USER-1 in the "Remote Desktop Users" group and assigned the right "Allow logon through Remote Desktop Services".

Next I log in to the Domain Controller through Remote Desktop using the credentials of USER-1. After that, when I try to open Active Directory Users & Computers, it asks for the Administrator password. Without the Administrator password USER-1 is not able to open the MMC.

Need help in this regard so that USER-1 can access Active Directory Users & Computers using his credentials.
Asked by: hchabria

Shreedhar Ette Commented:
0
hchabria (Author) Commented:
Hi Shree,
I am not asking how to implement delegation of administration; that has been done successfully. My question is that after delegating rights to a user on a particular OU, when that user tries to access Active Directory Users and Computers by logging into the Domain Controller using Remote Desktop, it asks for administrator authentication. Without it the user is not able to access Active Directory Users and Computers. Why is it so?
0
elawad Commented:
Try to add user1 to the domain Account Operators group and try again.
0
hchabria (Author) Commented:
Hi elawad,
I have added User-1 to Account Operators group, but still the problem persists.
0
elawad Commented:
Please read this article; it will give you an idea of the permissions needed for users to be able to work with the Active Directory Users and Computers MMC.
http://technet.microsoft.com/en-us/library/bb727067.aspx
0
elawad Commented:
Also, log on with your domain administrator account, right-click the Active Directory Users and Computers icon, then choose Properties, then Security, and make sure the Everyone group and the Users group are there and have the Read and Execute permissions on this shortcut.
0
Shreedhar Ette Commented:
Hi,

Refer to this article:
http://support.microsoft.com/kb/296999

I hope this helps,
Shree
0
msmamji Commented:
Did you try disabling UAC?
0
hchabria (Author) Commented:
Sorry for late response. If I include the USER-1
0
hchabria (Author) Commented:
Sorry for the late response. Here is an update: now if I include USER-1 in the "Account Operators" group, the user is able to access Active Directory Users and Computers from Remote Desktop, but he is again asked to enter his password to access AD Users and Computers, which should not happen because of the single sign-on feature.

But the problem is that in that case the user has full rights to delete/create user objects in any OU, which I don't want.
0
hchabria (Author) Commented:
If I go to Security by right-clicking on Active Directory Users and Computers, it shows that Everyone has the Read & execute and Read permissions.
0
mrfixit584 Commented:
I don't recommend allowing a non-domain admin to log on to the DC. I recommend installing the Adminpak on the user's PC and having him run it from there.
0
hchabria (Author) Commented:
Installing Adminpak solved the problem.
0
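
Once the tool runs from the user's workstation, the workarounds tried earlier in the thread (membership in Account Operators and in Remote Desktop Users on the DC) are no longer needed. The following read-only check is an added example, not code from the thread: it reports whether USER-1 is still in those groups and lists the ACEs the account holds on the delegated OU. The OU distinguished name is a placeholder, and the script assumes the ActiveDirectory PowerShell module is available where it is run.

```powershell
# Added example. $Delegate comes from the thread; $OuDn is a placeholder (assumption).
Import-Module ActiveDirectory
Add-Type -AssemblyName System.DirectoryServices

$Delegate = 'USER-1'
$OuDn     = 'OU=Staff,DC=example,DC=com'   # placeholder: DN of the delegated OU

# Control access right "Reset Password" (User-Force-Change-Password)
$ResetPassword = [guid]'00299570-246d-11d0-a768-00aa006e0529'

# Rights a password-reset delegate should not hold on the OU.
# GenericAll (Full Control) contains these bits, so it is caught as well.
$TooBroad = [System.DirectoryServices.ActiveDirectoryRights]'CreateChild, DeleteChild, DeleteTree, Delete, WriteDacl, WriteOwner'
$Extended = [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight

# 1. Group memberships that were tried as workarounds in the thread
foreach ($group in 'Account Operators', 'Remote Desktop Users') {
    $names = @(Get-ADGroupMember -Identity $group -Recursive |
               ForEach-Object { $_.SamAccountName })
    if ($names -contains $Delegate) {
        Write-Warning "$Delegate is still a member of '$group'"
    }
}

# 2. ACEs (explicit and inherited) granted to the delegate on the OU
$aces = (Get-Acl -Path "AD:\$OuDn").Access |
        Where-Object { $_.IdentityReference.Value -like "*\$Delegate" }

$aces | Select-Object ActiveDirectoryRights, ObjectType, InheritedObjectType,
    AccessControlType, IsInherited,
    @{ Name = 'Note'; Expression = {
        if ($_.AccessControlType -ne 'Allow') {
            'deny ACE'
        } elseif ($_.ActiveDirectoryRights -band $TooBroad) {
            'BROADER THAN PASSWORD RESET'
        } elseif (($_.ActiveDirectoryRights -band $Extended) -and
                  $_.ObjectType -eq $ResetPassword) {
            'Reset Password (expected)'
        } else {
            'review'
        }
    } } | Format-Table -AutoSize
```

ACEs granted through a group that USER-1 belongs to are not listed, because the filter matches the account name only.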