Albert Widjaja
asked on
Delegate IT support account to manage AD accounts and Groups in AD ?
People,
In my AD domain with Windows Server
How can I grant my newly created DOMAIN\IT-Support team permission to:
1. Create & Reset AD account other than DOMAIN\Administrator
2. Create & Delete AD group and edit the existing AD security & distribution group members
Because when I follow the steps in: https://community.spiceworks.com/how_to/1464-how-to-delegate-password-reset-permissions-for-your-it-staff, on steps #2 and #3
the DOMAIN\IT-Support account cannot do any operations with AD security group ?
In my AD domain with Windows Server
How can I grant my newly created DOMAIN\IT-Support team permission to:
1. Create & Reset AD account other than DOMAIN\Administrator
2. Create & Delete AD group and edit the existing AD security & distribution group members
Because when I follow the steps in: https://community.spiceworks.com/how_to/1464-how-to-delegate-password-reset-permissions-for-your-it-staff, on steps #2 and #3
the DOMAIN\IT-Support account cannot do any operations with AD security group ?
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER
Thanks !
ASKER
I've got multiple site offices so the users OU is spread across multiple different OU, hence I must add the delegation from the root domain for this one particular AD account.
I want to know how is that possible in AD so that this DOMAIN\IT-Support account only can crease read update delete Accounts and Groups in all AD but not escalating itself as DOMAIN Admins.