Password reset for a user or moving a user not possible for some AD administrators

Hi there,

We have a problem with our Active Directory administrators. Some of them are not able to reset a password for some users or move them to another OU. They are NOT domain admins. Do you know some best practices for setting rights for such administrators? They primarily have to manage user accounts (add/delete users, move them...), add user groups and add computers to the domain. Another admin is responsible for managing the OUs and another one for managing the group policies.
Are there issues with the owner of a user, e.g. if a domain admin has created it, can a "normal" admin not manage it completely?

Some tips would be great!

Regards, Ralph
Asked by: maxworx
Tasmant commented:
Hi Ralph,

You could study this great documentation, online or offline

To quickly answer your question, your administrators responsible for the same tasks should be added to a security group especially designed for this role.
This security group should get rights on Active Directory tree, basically:
- Reset Password for User Object only
- Delete/Create User Object (this operation results in a "move": delete from start OU, create in destination OU)
- Modify attributes member/memberof for User Object and Group Object

Managing OUs should be in a separate role, as well as managing Group Policies. You have to add on each GPO object the requested security groups. There is another way, but it requires changing the Schema.

Hope this will help you.
Vincent
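The role-group delegation Vincent describes above, written out as a PowerShell script. This is an added example, not code from the thread or from Microsoft's documentation; the group name AD-UserAdmins, the OU OU=Staff,DC=corp,DC=example and the domain are placeholders to adjust before running. It looks the class and extended-right GUIDs up from the schema and configuration partitions rather than hard-coding them, grants the three rights from the answer (Reset Password on user objects, Create/Delete user objects, Write member on group objects) on the OU with inheritance, and finishes with a check that shows which accounts in that OU will not pick the rights up.

```powershell
# Added example (not part of the original thread). Assumed placeholders:
#   $GroupName = role group for user administrators
#   $TargetOU  = OU under which the group may manage users and groups
# Requires the ActiveDirectory module (RSAT) and an account allowed to
# modify the OU's security descriptor, e.g. a Domain Admin, run once.
Import-Module ActiveDirectory

$GroupName = 'AD-UserAdmins'                 # assumed role group name
$TargetOU  = 'OU=Staff,DC=corp,DC=example'   # assumed delegation target

# 1. One security group per role; members get the rights, never individuals.
if (-not (Get-ADGroup -Filter "Name -eq '$GroupName'")) {
    New-ADGroup -Name $GroupName -GroupScope Global -GroupCategory Security -Path $TargetOU
}
$groupSid = [System.Security.Principal.SecurityIdentifier](Get-ADGroup $GroupName).SID

# 2. Resolve the GUIDs the ACEs need from the directory itself.
$rootDse = Get-ADRootDSE
function Get-SchemaGuid([string]$LdapName) {
    # schemaIDGUID of a class or attribute, e.g. 'user', 'group', 'member'
    $o = Get-ADObject -SearchBase $rootDse.schemaNamingContext `
                      -LDAPFilter "(lDAPDisplayName=$LdapName)" -Properties schemaIDGUID
    [guid]$o.schemaIDGUID
}
function Get-RightGuid([string]$DisplayName) {
    # rightsGuid of a control access right, e.g. 'Reset Password'
    $o = Get-ADObject -SearchBase "CN=Extended-Rights,$($rootDse.configurationNamingContext)" `
                      -LDAPFilter "(displayName=$DisplayName)" -Properties rightsGuid
    [guid]$o.rightsGuid
}
$userClass  = Get-SchemaGuid 'user'
$groupClass = Get-SchemaGuid 'group'
$memberAttr = Get-SchemaGuid 'member'
$resetPwd   = Get-RightGuid  'Reset Password'

# 3. Build the three ACEs from the answer and append them to the OU's DACL.
$allow       = [System.Security.AccessControl.AccessControlType]::Allow
$descendents = [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents
$all         = [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All

$aces = @(
    # Reset Password extended right, applied only to user objects below the OU
    New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
        $groupSid, [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight,
        $allow, $resetPwd, $descendents, $userClass),
    # Create and delete child objects of class user in the OU and its sub-OUs
    New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
        $groupSid, [System.DirectoryServices.ActiveDirectoryRights]'CreateChild, DeleteChild',
        $allow, $userClass, $all),
    # Write the 'member' attribute of group objects (add/remove members)
    New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
        $groupSid, [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty,
        $allow, $memberAttr, $descendents, $groupClass)
)

$acl = Get-Acl -Path "AD:\$TargetOU"
foreach ($ace in $aces) { $acl.AddAccessRule($ace) }
Set-Acl -Path "AD:\$TargetOU" -AclObject $acl

# 4. Check: accounts with adminCount=1 (members of protected groups) have their
#    security descriptor rewritten from AdminSDHolder with inheritance disabled,
#    so the ACEs above never reach them. List them so the gap is visible.
Get-ADUser -SearchBase $TargetOU -LDAPFilter '(adminCount=1)' |
    Select-Object Name, DistinguishedName
```

Two practical points. A move needs the delete right at the source and Create Child at the destination, so delegate on a parent OU that contains both, or on each OU the group may move users between; otherwise the move fails although reset and create work. And the adminCount check at the end is the usual reason a non-Domain-Admin "cannot manage some users": accounts that are, or once were, in Domain Admins, Account Operators and the other protected groups keep the AdminSDHolder ACL, and no OU-level delegation will apply to them.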
 
Krzysztof Pytko (Senior Active Directory Engineer) commented:
You should consider in this case task delegation using the Active Directory Rights Delegation wizard.

If you're interested, please visit my blog and read article for that
http://kpytko.wordpress.com/2012/05/16/active-directory-rights-delegation-overview/
http://kpytko.wordpress.com/2012/05/17/active-directory-rights-delegation-part-1/
http://kpytko.wordpress.com/2012/05/26/active-directory-rights-delegation-part-2/

Regards,
Krzysztof