Domain Rights

I have the need to promote a user on the domain, but I only want to give the user rights to administer Active Directory user accounts. I have made this user a member of the built-in "Account Operators" group, but this doesn't allow them access to AD. Is there a way to do this without making this user part of the "Administrators" group?

Mike Kline Commented:
What do you mean this does not allow them to access AD? Can they not install the RSAT tools and use AD Users and Computers to do that?


jfdpratt (Author) Commented:
The user has remote desktop access to the domain server that services his group, then he opens AD Users and Computers from there. When he does open Users and Computers it prompts for a password... showing me that making him a member of 'Account Operators' didn't accomplish what I wanted.
Mohammed Khawaja (Manager - Infrastructure: Information Technology) Commented:
First of all, he should not have logon rights to DCs or be a member of the Administrators or Account Operators groups. What you need to do is the following:

1. Delegate the user the required rights on the desired OUs (if required)
2. Install RSAT on the user's PC

This way the user can administer user and computer objects but not DNS, etc.

Refer to the link below for more info.
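The delegation step above is usually done through the Delegation of Control wizard in AD Users and Computers. The following is an added example, not code posted by anyone in this thread, that performs the same delegation from PowerShell: it grants a group the "Reset Password" extended right plus write access to pwdLastSet (needed for "user must change password at next logon") on user objects under one OU, and nothing else. The OU distinguished name and the domain name are placeholders; the group name matches the one the asker mentions later in the thread. Run it as a domain admin from a machine with the RSAT ActiveDirectory module installed; the delegated user needs no admin group membership and no logon rights on the DC.

```powershell
# Added example (not from the original thread): delegate password resets on one OU to a group.
# Placeholders: adjust the OU DN to your environment. 'Password_Reset' is the group named in the thread.
Import-Module ActiveDirectory

$ouDN      = 'OU=Branch Users,DC=example,DC=com'   # placeholder OU
$groupName = 'Password_Reset'                      # group that receives the delegation

# Resolve the schema GUIDs from the forest instead of hard-coding them.
$rootDse = Get-ADRootDSE

# Control access right "Reset Password" (rightsGuid is stored as a string)
$resetPasswordGuid = [guid](Get-ADObject -SearchBase $rootDse.configurationNamingContext `
    -LDAPFilter '(&(objectClass=controlAccessRight)(displayName=Reset Password))' `
    -Properties rightsGuid).rightsGuid

# Attribute pwdLastSet and class user (schemaIDGUID is stored as a byte array)
$pwdLastSetGuid = [guid](Get-ADObject -SearchBase $rootDse.schemaNamingContext `
    -LDAPFilter '(&(objectClass=attributeSchema)(lDAPDisplayName=pwdLastSet))' `
    -Properties schemaIDGUID).schemaIDGUID
$userClassGuid = [guid](Get-ADObject -SearchBase $rootDse.schemaNamingContext `
    -LDAPFilter '(&(objectClass=classSchema)(lDAPDisplayName=user))' `
    -Properties schemaIDGUID).schemaIDGUID

$groupSid = [System.Security.Principal.SecurityIdentifier](Get-ADGroup -Identity $groupName).SID

# Both ACEs apply to descendant user objects only, so the group gets nothing on the OU itself
# and nothing on computers, groups or other object types in it.
$inherit = [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents
$allow   = [System.Security.AccessControl.AccessControlType]::Allow

$aceReset = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $groupSid,
    [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight,
    $allow, $resetPasswordGuid, $inherit, $userClassGuid)

$acePwdLastSet = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $groupSid,
    ([System.DirectoryServices.ActiveDirectoryRights]::ReadProperty -bor
     [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty),
    $allow, $pwdLastSetGuid, $inherit, $userClassGuid)

# Read the OU's security descriptor through the AD: drive, add the two ACEs, write it back.
$acl = Get-Acl -Path "AD:\$ouDN"
$acl.AddAccessRule($aceReset)
$acl.AddAccessRule($acePwdLastSet)
Set-Acl -Path "AD:\$ouDN" -AclObject $acl

# Verify: list only the ACEs that name the delegated group.
(Get-Acl -Path "AD:\$ouDN").Access |
    Where-Object { $_.IdentityReference -like "*\$groupName" } |
    Select-Object IdentityReference, ActiveDirectoryRights, ObjectType, InheritanceType
```

Scoping each ACE with the user class GUID and Descendents inheritance is what keeps the delegation to "reset passwords on users in this OU"; if the verification output shows GenericAll or an empty ObjectType, the delegation is wider than intended and should be corrected before handing the account over. Add `-WhatIf` to `Set-Acl` to preview the write first.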

jfdpratt (Author) Commented:
Yes, that is what I was looking to do. I only want him to administer users on one particular OU. I already installed RSAT on his computer, but since it was working and we were testing, I had him remote into the server.

I will have to look at the 209-page document you linked to. I have never had to 'Delegate the user required rights to a desired OU'. I have some reading to do.
Sandeshdubey (Senior Server Engineer) Commented:
See this too

Active Directory rights delegation – overview

How to Delegate Basic Server Administration To Junior Administrators

jfdpratt (Author) Commented:
Yes. I have made those changes in the past, and they didn't work either. I made a group called "Password_Reset" and assigned the user to this group. I then delegated control to that OU for that group to just reset passwords. They still cannot gain access to reset passwords. I checked all the permissions/security settings on the DC too.

This is a remote site and the user is not in right now. I will troubleshoot with them more in the next hour.
jfdpratt (Author) Commented:
Was able to delegate control, then go in and fine-tune his permissions once I had them in. He is able to do just what he needs to do now on only one OU.
Windows Server 2008