Domain Rights

I have the need to promote a user on the domain, but I only want to give the user rights to administer Active Directory user accounts.  I have made this user a member of the built in "Account Operators" group, but this doesn't allow them access to AD.  Is there a way to do this without making this user part of the "Administrators" group?
Who is Participating?
Sandeshdubey (Senior Server Engineer) commented:
See this too

Active Directory rights delegation – overview

How to Delegate Basic Server Administration To Junior Administrators
Mike Kline commented:
What do you mean this does not allow them to access AD?   Can they not install the RSAT tools and use AD Users and Computers to do that?


jfdpratt (Author) commented:
The user has remote desktop access to the domain server that services his group, then he opens AD Users and Computers from there.  When he does open the Users and Computers it prompts for a password. . . showing me that making him a member of 'Account Operators' didn't accomplish what I wanted.
Mohammed Khawaja (Manager - Infrastructure: Information Technology) commented:
First of all, he should not have logon rights to DCs or be a member of the Administrators or Account Operators groups.  What you need to do is the following:

1.  Delegate the user required right to desired OUs (if required)
2.  Install RSAT on user's PC

This way user can administer users and computers objects but not DNS, etc.

Refer to link below for more info
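The delegation step described above, as an added PowerShell example that is not code from this thread: it grants a group only the "Reset Password" extended right plus read/write of pwdLastSet on user objects under a single OU, then lists the resulting entries so the delegation can be audited. The group name is the one mentioned in the thread; the OU distinguished name is a placeholder, and the RSAT ActiveDirectory module is assumed to be installed.

```powershell
# Added example (not from the thread). Delegates only password-reset
# rights on one OU to a group, then verifies the resulting ACEs.
Import-Module ActiveDirectory

$GroupName = 'Password_Reset'                    # group named in the thread
$OuDN      = 'OU=RemoteSite,DC=example,DC=com'   # placeholder OU distinguished name

# Well-known schema GUIDs (stable across forests)
$ResetPasswordRight = [Guid]'00299570-246d-11d0-a768-00aa006e0529'  # extended right: Reset Password
$PwdLastSetAttr     = [Guid]'bf967a0a-0de6-11d0-a285-00aa003049e2'  # attribute: pwdLastSet
$UserClass          = [Guid]'bf967aba-0de6-11d0-a285-00aa003049e2'  # object class: user

$groupSid = (Get-ADGroup -Identity $GroupName).SID
$acl      = Get-Acl -Path "AD:\$OuDN"

# ACE 1: Reset Password extended right, only on user objects below the OU
$aceReset = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $groupSid,
    [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight,
    [System.Security.AccessControl.AccessControlType]::Allow,
    $ResetPasswordRight,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents,
    $UserClass)

# ACE 2: read/write pwdLastSet so "user must change password at next logon" can be set
$acePwdLastSet = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $groupSid,
    ([System.DirectoryServices.ActiveDirectoryRights]::ReadProperty -bor
     [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty),
    [System.Security.AccessControl.AccessControlType]::Allow,
    $PwdLastSetAttr,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents,
    $UserClass)

$acl.AddAccessRule($aceReset)
$acl.AddAccessRule($acePwdLastSet)
Set-Acl -Path "AD:\$OuDN" -AclObject $acl

# Verify: show only the ACEs granted to this group on the OU, so an audit can
# confirm nothing broader (for example GenericAll) was delegated by mistake
(Get-Acl -Path "AD:\$OuDN").Access |
    Where-Object { $_.IdentityReference -like "*\$GroupName" } |
    Select-Object ActiveDirectoryRights, ObjectType, InheritedObjectType, AccessControlType
```

Because the ACEs are scoped to the user object class and inherited only by descendants, the group gets no rights on the OU itself or on computer or group objects beneath it.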
jfdpratt (Author) commented:
Yes, that is what I was looking to do.  I only want him to administrate user on one particular OU.  I already installed RSAT on his computer, but since it was working and we were testing, I had him remote into the server.

I will have to look at the 209 page document you linked to.  I have never had to 'Delegate the user required rights to a desired OU'.  I have some reading to do.
jfdpratt (Author) commented:
Yes.  I have made those changes in the past, and they didn't work either.  I made a group called "Password_Reset" and assigned the user to this group.  I then delegated control to that OU for that group to just reset passwords.  They still can not gain access to reset passwords.  I checked all the permissions/security setting on the DC too.

This is a remote site and the user is not in right now.  I will troubleshoot with them more in the next hour.
jfdpratt (Author) commented:
Was able to delegate control, then go in and fine tune his permissions once I had them in.  He is able to do just what he needs to do now on only one OU.
Question has a verified solution.