Grant someone limited access to manage Active Directory.


I have forgotten how to do this task, and I need some assistance, please.

I need to delegate limited access to someone to manage Active Directory. Basically: manage/add/delete user accounts and passwords; manage/add/delete computer accounts; create OUs but not delete them.

The ms-DS-MachineAccountQuota of my domain is not set. I should not have to worry about this attribute if the add/delete computer accounts permission has been set, right? Is the default 10?


Mitul Prajapati (IT Supervisor) commented:
Check out the YouTube video below and follow the steps; it will sort out your delegation requirement.

Open Active Directory Users and Computers --> right-click on the OU --> Delegate Control and follow the steps. Done!!
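The same delegation done with PowerShell instead of the Delegate Control wizard, as an added example that is not code from the thread. It assumes the RSAT ActiveDirectory module, a placeholder target OU and an already-created delegation group (both placeholders), and grants exactly the asker's list: add/delete and manage users and computers, reset user passwords, and create but not delete OUs.

```powershell
Import-Module ActiveDirectory

$TargetOU = 'OU=Staff,DC=contoso,DC=com'                                                  # placeholder OU
$Group    = New-Object System.Security.Principal.NTAccount('CONTOSO', 'OU-Staff-Admins')  # placeholder group

# Resolve class and extended-right GUIDs from this forest's schema rather than hard-coding them.
$rootDse = Get-ADRootDSE
function Get-SchemaGuid([string]$LdapDisplayName) {
    $obj = Get-ADObject -SearchBase $rootDse.schemaNamingContext `
        -LDAPFilter "(lDAPDisplayName=$LdapDisplayName)" -Properties schemaIDGUID
    return [guid]$obj.schemaIDGUID
}
function Get-RightGuid([string]$DisplayName) {
    $obj = Get-ADObject -SearchBase "CN=Extended-Rights,$($rootDse.configurationNamingContext)" `
        -LDAPFilter "(displayName=$DisplayName)" -Properties rightsGuid
    return [guid]$obj.rightsGuid
}
$userClass     = Get-SchemaGuid 'user'
$computerClass = Get-SchemaGuid 'computer'
$ouClass       = Get-SchemaGuid 'organizationalUnit'
$resetPassword = Get-RightGuid  'Reset Password'

$Allow = [System.Security.AccessControl.AccessControlType]::Allow
$All   = [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All
$Desc  = [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents
$CreateDelete = [System.DirectoryServices.ActiveDirectoryRights]'CreateChild, DeleteChild'
$ReadWrite    = [System.DirectoryServices.ActiveDirectoryRights]'ReadProperty, WriteProperty'
$Extended     = [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight
$Create       = [System.DirectoryServices.ActiveDirectoryRights]::CreateChild
$AceType = 'System.DirectoryServices.ActiveDirectoryAccessRule'

$rules = @(
    # Add/delete user and computer objects in this OU and every sub-OU.
    New-Object $AceType -ArgumentList $Group, $CreateDelete, $Allow, $userClass, $All
    New-Object $AceType -ArgumentList $Group, $CreateDelete, $Allow, $computerClass, $All
    # Manage (read/write attributes of) existing user and computer objects.
    New-Object $AceType -ArgumentList $Group, $ReadWrite, $Allow, $Desc, $userClass
    New-Object $AceType -ArgumentList $Group, $ReadWrite, $Allow, $Desc, $computerClass
    # Reset user passwords: a control access right, so it needs its own ACE.
    New-Object $AceType -ArgumentList $Group, $Extended, $Allow, $resetPassword, $Desc, $userClass
    # Create OUs only: no DeleteChild on organizationalUnit, so the group cannot remove OUs.
    New-Object $AceType -ArgumentList $Group, $Create, $Allow, $ouClass, $All
)

$acl = Get-Acl -Path "AD:\$TargetOU"
foreach ($rule in $rules) { $acl.AddAccessRule($rule) }
Set-Acl -Path "AD:\$TargetOU" -AclObject $acl

# Check the result: every ACE now granted to the group on the OU.
(Get-Acl -Path "AD:\$TargetOU").Access | Where-Object { $_.IdentityReference.Value -eq $Group.Value } |
    Format-Table ActiveDirectoryRights, ObjectType, InheritedObjectType, InheritanceType -AutoSize
```

Run it as an account allowed to modify the OU's security descriptor; the final Get-Acl lists what was granted so it can be compared against what the wizard would have written.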

Sekar Chinnakannu (Staff Engineer) commented:
For your requirement you need to delegate the permission to a specific group or user. As for ms-DS-MachineAccountQuota, it's up to you: if it's 0 then normal users can't add machines to the domain. Only the group or users can add machines to the domain, based on the delegation which was set. For steps
Shaun Vermaak (Technical Specialist) commented:
Use my principle of role and delegation groups. You can also find a custom Delegwiz.inf that extends the default delegation wizard templates.
Sam Bloom commented:
If you want to delegate this to users, it's good to have a comprehensive GUI for that. Allowing users to play with ADUC is probably not the best idea you can come up with. In most cases end users like managers or other members of staff don't even need to know what Active Directory is.

There are third-party tools that let you delegate such tasks via a web interface, which you can configure to show only the parts of AD that users need to see and to provide them with the operations they need. Here's an example: Also, here's an article that shows how you can hide parts of AD from users: