• Status: Solved
  • Priority: Medium
  • Security: Private

Grant someone limited access to manage Active Directory.


I have forgotten how to do this task and need some assistance, please.

I need to delegate someone limited access to manage Active Directory.  Basically, manage/add/delete user accounts and passwords.  Manage/add/delete computer accounts.  Create OUs but cannot delete.  

The ms-DS-MachineAccountQuota of my domain is not set.  I should not have to worry about this attribute if add/delete computer accounts permission has been set, right? Is the default 10?

2 Solutions
Mitul Prajapati, Junior IT Engineer, commented:
Check out the YouTube video below; following the steps will sort out your delegation demand.


Open Active Directory Users and Computers --> right-click on the OU --> Delegate Control and follow the steps. Done!!
Sekar Chinnakannu, Staff Engineer, commented:
For your requirement, you need to delegate the permission to a specific group or user. As for ms-DS-MachineAccountQuota, it's up to you; if it's 0, then normal users can't add machines to the domain. Only the groups or users covered by the delegation that is set can add machines to the domain. For steps, see https://blogs.technet.microsoft.com/dubaisec/2016/02/01/who-can-add-workstation-to-the-domain/
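
The delegation discussed in this thread, scripted as an added example (not part of any poster's answer): it checks the quota and grants one group the rights the question lists on a single OU. The OU path and the group name are assumptions; the ACEs are narrower than Full Control and deliberately omit delete rights on OUs.

```powershell
# Added example, not from the thread. Assumed names: the OU and the group below.
Import-Module ActiveDirectory

$ou    = 'OU=Staff,DC=corp,DC=example'   # assumed OU to delegate
$group = 'CORP\AD-Helpdesk'              # assumed delegation group

# 1. Read the domain-wide quota. The default value is 10, which lets any
#    authenticated user join up to 10 computers regardless of OU delegation.
$domainDn = (Get-ADDomain).DistinguishedName
$attr     = 'ms-DS-MachineAccountQuota'
$quota    = (Get-ADObject -Identity $domainDn -Properties $attr).$attr
Write-Output "Current ${attr}: $quota"

# 2. Optional: set the quota to 0 so only delegated principals can add machines.
#    Remove -WhatIf to apply the change.
Set-ADDomain -Identity $domainDn -Replace @{ $attr = 0 } -WhatIf

# 3. ACEs to grant. /I:T = this object and sub-objects, /I:S = sub-objects only.
#    CC = create child, DC = delete child, RP/WP = read/write property,
#    CA = control access (extended right).
$aces = @(
    @('/I:T', "${group}:CCDC;user"),                # create/delete users
    @('/I:S', "${group}:RPWP;;user"),               # edit user attributes
    @('/I:S', "${group}:CA;Reset Password;user"),   # reset user passwords
    @('/I:T', "${group}:CCDC;computer"),            # create/delete computers
    @('/I:S', "${group}:RPWP;;computer"),           # edit computer attributes
    @('/I:S', "${group}:CA;Reset Password;computer"),
    @('/I:T', "${group}:CC;organizationalUnit")     # create OUs, no DC = no delete
)

foreach ($ace in $aces) {
    dsacls $ou $ace[0] /G $ace[1] | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "dsacls failed for '$($ace[1])'" }
}

# 4. Review what the group now holds on the OU.
dsacls $ou | Select-String -SimpleMatch ($group.Split('\')[-1])
```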
Shaun Vermaak, Technical Specialist/Developer, commented:
Use my principle of role and delegation groups. You can also find a custom Delegwiz.inf that extends the default delegation wizard templates.
Sam Bloom commented:
If you want to delegate it to users, it's good to have a comprehensive GUI for that. Allowing users to play with ADUC is probably not the best idea you can come up with. In most cases end users like managers or other members of staff don't even need to know what Active Directory is.

There are third-party tools that let you delegate such tasks via a web interface that you can configure to show only the parts of AD that users need to see and provide them with operations that they need. Here's an example: http://www.adaxes.com/active-directory_web-interface.htm Also, here's an article that shows how you can hide parts of AD from users: http://www.adaxes.com/tutorials_DelegatingPermissions_HideADObjectsFromUsers.htm
Question has a verified solution.
