Active Directory - delegate control (WS2012R2)

Trying to get my head around delegation!
I have got an OU (sales) where I delegated access to a user (Fred) who is not part of the Domain Admins.
I just want the user to be able to reset passwords or create users within this OU. All permissions are set correctly.

The issue I am having is that I don't know how the user (Fred) can log in to AD & make those changes.
I tried logging on to the server with Fred's details but cannot.
I do get 2 errors while trying to log in (by the way, this is a Hyper-V DC)

1) The sign-in method you're trying to use isn't allowed. For more info contact your network administrator

or if trying via RDS

2) To sign in remotely, you need the right to sign in through RDS, blah..
(as well as adding Fred through the RDS group, he has also been added manually to the RDS on the server)

Not sure what I am missing or even why Fred cannot log in to the server after being added manually to the remote access on the server.


NinjaStyle82 (Systems Administrator) Commented:
You can't log in to the DC as that user without them being a member of the Remote Desktop Users group. Ideally you install Remote Server Administration Tools on the delegated user's computer and use that, rather than allowing them to RDP to the DC.

NinjaStyle82 (Systems Administrator) Commented:
To be more clear, there are other ways to allow the remote log on with more granular control; however, you should still use RSAT.

defrey (Author) Commented:
Hi Ninja,
I mentioned that he was already a member of the Remote Desktop Users group: "as well as adding Fred through the RDS group, he has also been added manually to the RDS on the server"

Any other ideas?

NinjaStyle82 (Systems Administrator) Commented:
Do they need to have remote log on permission to the DC or will RSAT work? RSAT is a better option.

I 110% agree with the other experts. If your goal is just to have this user create users and reset passwords, they DO NOT need to log into a DC to do this. They can use RSAT tools from a workstation. Or, in our case, use the snap-ins via a Citrix hosted app.
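
What the RSAT route recommended in the answers can look like from the delegated user's workstation, as an added example that is not part of the original thread. It assumes RSAT (the ActiveDirectory PowerShell module) is already installed on a domain-joined workstation where Fred is signed in; the domain `corp.example`, the OU path and the accounts `jdoe` and `asmith` are made-up names.

```powershell
# Added example. Run on the delegated user's workstation, signed in as Fred.
# No logon right on the domain controller is needed for any of this.
# Assumed names (not from the thread): corp.example, jdoe, asmith.
Import-Module ActiveDirectory -ErrorAction Stop

$ou = 'OU=Sales,DC=corp,DC=example'   # assumed distinguished name of the "sales" OU

# 1. Show which rights were delegated to the signed-in account directly on the OU.
#    Only explicit (non-inherited) entries for this identity are listed, so an
#    empty result means the delegation was made to a group or was never applied.
$me = [System.Security.Principal.WindowsIdentity]::GetCurrent().Name
(Get-Acl -Path "AD:\$ou").Access |
    Where-Object { $_.IdentityReference.Value -eq $me -and -not $_.IsInherited } |
    Select-Object ActiveDirectoryRights, ObjectType, InheritedObjectType, AccessControlType |
    Format-Table -AutoSize

# 2. Reset the password of an existing user in the OU.
#    The password is prompted for, so it never appears in the script or history.
$tempPw = Read-Host -AsSecureString -Prompt 'Temporary password for jdoe'
Set-ADAccountPassword -Identity 'jdoe' -Reset -NewPassword $tempPw -ErrorAction Stop

# Forcing a change at next logon needs write access to pwdLastSet, which is
# only present if that was part of the delegated task.
Set-ADUser -Identity 'jdoe' -ChangePasswordAtLogon $true -ErrorAction Stop

# 3. Create a new user inside the delegated OU.
$initialPw = Read-Host -AsSecureString -Prompt 'Initial password for asmith'
New-ADUser -Name 'Alice Smith' `
           -SamAccountName 'asmith' `
           -UserPrincipalName 'asmith@corp.example' `
           -Path $ou `
           -AccountPassword $initialPw `
           -ChangePasswordAtLogon $true `
           -Enabled $true `
           -ErrorAction Stop

# 4. Confirm the new object landed in the delegated OU and nowhere else.
Get-ADUser -Filter "SamAccountName -eq 'asmith'" -SearchBase $ou |
    Select-Object SamAccountName, DistinguishedName, Enabled
```

The same operations attempted against an object outside the Sales OU should fail with an access-denied error, which is a quick way to confirm the delegation is scoped as intended.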