defrey

Active Directory - delegate control (WS2012R2)

Morning!
Trying to get my head around delegation!
I have got an OU (sales) where I delegated access to a user (Fred) who is not part of the Domain Admins.
I just want the user to be able to reset passwords or create users within this OU. All permissions are set correctly.

The issue I am having is that I don't know how the user (Fred) can log in to AD and make those changes.
I tried logging on to the server with Fred's details but cannot.
I do get 2 errors while trying to log in (by the way, this is a Hyper-V DC)

1) The sign-in method you're trying to use isn't allowed. For more info contact your network administrator

or if trying via RDS

2) To sign in remotely, you need the right to sign through RDS, blah..
(as well as adding Fred through the RDS group, he has also been added manually to the RDS on the server)

Not sure what I am missing or even why Fred cannot log in to the server after being added manually to the remote access on the server.

Thanks
Active Directory, Windows Server 2012

Last Comment: compdigit44, 8/22/2022 - Mon
ASKER CERTIFIED SOLUTION
NinjaStyle82

NinjaStyle82

To be more clear, there are other ways to allow the remote logon with more granular control; however, you should still use RSAT.
defrey

ASKER
Hi Ninja,
I mentioned that he was already a member of the Remote Desktop Users group: "as well as adding Fred through the RDS group, he has also been added manually to the RDS on the server"

Any other ideas?
NinjaStyle82

Do they need to have remote logon permission to the DC, or will RSAT work? RSAT is a better option.
compdigit44

I 110% agree with the other experts. If your goal is just to have this user create users and reset passwords, they DO NOT need to log into a DC to do this. They can use RSAT tools from a workstation. Or, in our case, use the snap-ins via a Citrix-hosted app.
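
The RSAT approach recommended in this thread, sketched as an added example that is not from any of the posters: the delegated user performs both tasks from a domain-joined workstation with the RSAT ActiveDirectory module, and the OU's ACL is listed to confirm the delegation scope. The domain `example.com`, the OU distinguished name, the logon name `fred` and the accounts `jsmith` and `ajones` are placeholder assumptions.

```powershell
# Run on a domain-joined workstation with RSAT installed, signed in as the
# delegated user (Fred). No logon right on the domain controller is needed.
# All names below are placeholders (assumptions), not values from the thread.
Import-Module ActiveDirectory

$salesOu = 'OU=Sales,DC=example,DC=com'   # DN of the delegated OU (placeholder)

# 1. Review what has actually been delegated to Fred on the OU.
#    The AD: drive is provided by the ActiveDirectory module.
(Get-Acl -Path "AD:\$salesOu").Access |
    Where-Object { $_.IdentityReference -like '*\fred' } |
    Select-Object ActiveDirectoryRights, ObjectType, InheritedObjectType, IsInherited

# 2. Reset the password of an existing user, but only if the account really
#    lives under the delegated OU (the search is scoped to that OU).
$target = Get-ADUser -Filter "SamAccountName -eq 'jsmith'" -SearchBase $salesOu
if (-not $target) {
    throw "jsmith was not found under $salesOu, so the delegation does not cover it."
}
$tempPw = Read-Host -AsSecureString -Prompt 'Temporary password for jsmith'
Set-ADAccountPassword -Identity $target -Reset -NewPassword $tempPw
Set-ADUser -Identity $target -ChangePasswordAtLogon $true

# 3. Create a new user inside the delegated OU.
$initialPw = Read-Host -AsSecureString -Prompt 'Initial password for ajones'
New-ADUser -Name 'Alice Jones' `
           -SamAccountName 'ajones' `
           -UserPrincipalName 'ajones@example.com' `
           -Path $salesOu `
           -AccountPassword $initialPw `
           -Enabled $true `
           -ChangePasswordAtLogon $true
```

If step 2 or 3 fails with an access-denied error while the ACL output in step 1 looks empty, the delegation was applied to a different object or principal than intended; granting logon rights on the DC would not change that result.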