Rammy Charles asked:

Active Directory Administrative Permissions for Users Within OUs

For a Windows 2008 functional level Active Directory, what bare minimum permissions are required to allow a user to be able to unlock other users in the same OU as that user?

Trying to test this out via PowerShell but would like to only give the user bare minimum rights.

Is there also a permission that can be added to allow the user to reset other user passwords (only within that same OU)?
ASKER CERTIFIED SOLUTION
Old User

Rammy Charles (ASKER)

When using Method 2 (ADSI Edit) and pulling up the user (principal), it defaults to add a number of permissions. Are those required or can they be deselected (List contents, read all properties, read permission, and so on)?

The article states that it only needs Read lockoutTime and Write lockoutTime so do not want to add more permissions than required for that user.
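
The delegation discussed in this thread (only Read lockoutTime and Write lockoutTime, on user objects under a single OU), as an added example that is not part of the original thread or the referenced article. It assumes the ActiveDirectory PowerShell module and its `AD:` drive are available; the function name `Grant-UnlockOnly`, the OU distinguished name and the group name `OU-Unlockers` are hypothetical placeholders.

```powershell
# Added example: grants ONLY read/write of lockoutTime on user objects below one OU.
# Assumes the ActiveDirectory module (AD: drive). All names are placeholders.
Import-Module ActiveDirectory

function Grant-UnlockOnly {
    param(
        [Parameter(Mandatory=$true)] [string] $OuDn,      # e.g. 'OU=Staff,DC=example,DC=com'
        [Parameter(Mandatory=$true)] [string] $Delegate   # group that receives the right
    )

    # Resolve schema GUIDs from the directory instead of hard-coding them.
    $schemaNc = (Get-ADRootDSE).schemaNamingContext
    $attrGuid = [guid](Get-ADObject -SearchBase $schemaNc `
        -LDAPFilter '(lDAPDisplayName=lockoutTime)' -Properties schemaIDGUID).schemaIDGUID
    $userGuid = [guid](Get-ADObject -SearchBase $schemaNc `
        -LDAPFilter '(lDAPDisplayName=user)' -Properties schemaIDGUID).schemaIDGUID

    $sid    = (Get-ADGroup -Identity $Delegate).SID
    $rights = [System.DirectoryServices.ActiveDirectoryRights]'ReadProperty, WriteProperty'

    # One ACE: Allow RP+WP on the lockoutTime attribute only,
    # inherited by descendant objects of class "user" only.
    $ace = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
        $sid,
        $rights,
        [System.Security.AccessControl.AccessControlType]::Allow,
        $attrGuid,
        [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents,
        $userGuid)

    $path = "AD:\$OuDn"
    $acl  = Get-Acl -Path $path
    $acl.AddAccessRule($ace)
    Set-Acl -Path $path -AclObject $acl

    # Read the ACL back and return the delegate's explicit ACEs for review,
    # so any entry broader than lockoutTime is visible immediately.
    $account = $sid.Translate([System.Security.Principal.NTAccount]).Value
    (Get-Acl -Path $path).Access |
        Where-Object { $_.IdentityReference.Value -eq $account -and -not $_.IsInherited } |
        Select-Object IdentityReference, ActiveDirectoryRights, ObjectType,
                      InheritedObjectType, InheritanceType
}

# Usage (placeholder values):
# Grant-UnlockOnly -OuDn 'OU=Staff,DC=example,DC=com' -Delegate 'OU-Unlockers'
```

The returned rows should show a single entry whose `ObjectType` is the lockoutTime GUID and whose `InheritedObjectType` is the user class GUID; anything else listed for the delegate on that OU was granted separately.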