Active Directory - delegate control (WS2012R2)
Morning!
Trying to get my head around delegation!
I have got an OU (sales) where I delegated access to a user (Fred) which is not part of the Domain admins.
I just want the user to be able to reset password or create user within this OU. All permissions set correctly.
The issue I am having is that I don't know how user (Fred) can login to AD & create those changes.
I tried login on to the server with Fred details but cannot.
I do get 2 errors while trying to login (by the way this is an hyper v DC)
1) The sign-in method you're trying to use isn't allowed. For more info contact your network administrator
or if trying via RDS
2) To sign in remotely, you need the right to sign through RDS, blah..
(as well as adding Fred though RDS group, he also has been added manually to the RDS on the server)
Not sure what I am missing or even why Fred cannot login to the server after being added manually to the remote access on the server.
Thanks
Trying to get my head around delegation!
I have got an OU (sales) where I delegated access to a user (Fred) which is not part of the Domain admins.
I just want the user to be able to reset password or create user within this OU. All permissions set correctly.
The issue I am having is that I don't know how user (Fred) can login to AD & create those changes.
I tried login on to the server with Fred details but cannot.
I do get 2 errors while trying to login (by the way this is an hyper v DC)
1) The sign-in method you're trying to use isn't allowed. For more info contact your network administrator
or if trying via RDS
2) To sign in remotely, you need the right to sign through RDS, blah..
(as well as adding Fred though RDS group, he also has been added manually to the RDS on the server)
Not sure what I am missing or even why Fred cannot login to the server after being added manually to the remote access on the server.
Thanks
Do more with
EXPERT OFFICE® is a registered trademark of EXPERTS EXCHANGE®
You can't log in to the DC as that user without them being a member of the remote desktop users group. ideally you install remote server admin tools on the delegated user's computer and use that, rather than allowing them to rdp to the DC.
to be more clear, there are other ways to allow the remote log on with more granular control, however you should still use rsat.
Premium Content
You need an Expert Office subscription to comment.Start Free Trial