• Status: Solved
  • Priority: Medium
  • Security: Public

Active Directory domain delegation.

Hello,

I have set up AD domain delegation to a Helpdesk group so they can manage AD accounts.

The permission is being listed in the attached.  

I am seeing two issues:

1. The tech cannot delete computer accounts in AD.
2. The tech cannot create a new OU in AD.  

Please advise how this can be fixed.  

Thanks in advance ; )
delegate.png
cannot-remove-computer-object.png
nav2567
 
Ivan, System Engineer, commented:
Hi,

You need to edit the permissions you assigned to the tech so they can delete computer objects.
As per the picture you have attached, there is no permission for that operation.

So, right-click the OU that you have delegated control of, go to Properties, Security, Advanced, Permissions, click Add and assign "Delete Computer Object" for that Tech group.

Here is that info: http://sigkillit.com/2013/06/12/delegate-adddelete-computer-objects-in-ad/

Regards,
Ivan.
 
Ivan, System Engineer, commented:
PS: I don't have access to the server atm, but I think the same thing goes for creating an OU. If it is a sub-OU, then you need to assign Create-Child Organizational Unit.
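
One way to check for, and optionally add, the two permissions discussed in the answers above (create/delete computer objects and create child OUs on the delegated OU). This is an added example, not code from any of the posters; the OU distinguished name, the group name and the `$Apply` switch are assumptions, and it requires the RSAT ActiveDirectory module.

```powershell
Import-Module ActiveDirectory

$OuDn      = 'OU=Workstations,DC=example,DC=com'  # assumed: the delegated OU
$GroupName = 'Helpdesk'                           # assumed: the delegated group
$Apply     = $false                               # $false = report only, change nothing

# Resolve class GUIDs from the schema rather than hard-coding them.
$schemaNc = (Get-ADRootDSE).schemaNamingContext
function Get-ClassGuid([string]$LdapName) {
    $class = Get-ADObject -SearchBase $schemaNc -Properties schemaIDGUID `
        -LDAPFilter "(&(objectClass=classSchema)(lDAPDisplayName=$LdapName))"
    [guid]$class.schemaIDGUID
}

$sid     = (Get-ADGroup -Identity $GroupName).SID
$acl     = Get-Acl -Path "AD:\$OuDn"
$rights  = [System.DirectoryServices.ActiveDirectoryRights]'CreateChild, DeleteChild'
$sidType = [System.Security.Principal.SecurityIdentifier]
$changed = $false

foreach ($name in 'computer', 'organizationalUnit') {
    $guid = Get-ClassGuid $name
    # Allow ACEs (explicit or inherited) for this group that cover both rights,
    # either for this class or for all classes (empty ObjectType GUID).
    $existing = $acl.GetAccessRules($true, $true, $sidType) | Where-Object {
        $_.IdentityReference.Value -eq $sid.Value -and
        $_.AccessControlType -eq 'Allow' -and
        $_.ObjectType -in $guid, [guid]::Empty -and
        ($_.ActiveDirectoryRights -band $rights) -eq $rights
    }
    if ($existing) {
        Write-Output "OK:      $GroupName can create/delete $name objects under $OuDn"
        continue
    }
    Write-Output "MISSING: $GroupName lacks create/delete for $name objects under $OuDn"
    if ($Apply) {
        # ACE scoped to this OU and all descendant objects.
        $ace = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
            $sid, $rights,
            [System.Security.AccessControl.AccessControlType]::Allow, $guid,
            [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All)
        $acl.AddAccessRule($ace)
        $changed = $true
    }
}

# Write the ACL back only if something was added.
if ($changed) { Set-Acl -Path "AD:\$OuDn" -AclObject $acl }
```

Running it with `$Apply = $false` first lists which of the two delegations are missing before any ACL is written.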
 
Shaun Vermaak, Technical Specialist/Developer, commented:
Extend the delegation wizard with the custom inf file from my article. Your delegation does not include computers.
https://www.experts-exchange.com/articles/29366/Delegation-the-proper-way.html
 
Naveen Sharma commented:
You can delegate administrative privileges in Active Directory with Delegation of Control Wizard

Open Active Directory Users and Computers

In the details menu, right click the organizational unit, click delegate control

https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/dd145344(v=ws.11)

https://www.howtogeek.com/50166/using-the-delegation-of-control-wizard-to-assign-permissions-in-server-2008/

Also, check this AD self service solution to reduce unnecessary helpdesk calls.