I would like to give a delegated user the ability to:
- add new users to a container
- change passwords
- modify group membership
- modify user properties (such as email / name etc.)
- move users between OUs
Basically, the user will be able to do most things with an account besides deleting it. I tried using the Delegation of Control Wizard, but the common tasks are too wide (usually including the Delete part), so I need to go into a custom task to delegate.
These are the options that I selected:
- Only the following objects in the folder (User objects)
But the last permissions page is very wide and I wouldn't like to give the user too much power. Can anyone share which options are necessary for the specified question? And, as an extension to this, what does each option mean and what power does it assign?
To delegate permission for a domain user to:
I had to create 2 groups, as the Delegation Wizard wouldn't let me specify what to choose on each User object when I chose more than the User object. So I decided to create 2 groups: one for user management and one for group management.
The first one required these steps:
- Delegate Control
- Next
- Next
- Create a custom task to delegate, and choose Next
- Only the following objects in the folder, then go to the bottom of the list and choose User objects. Choosing anything more than just one entry will not give you the possibility of a granular choice of properties to change.
- Create selected objects in this folder checked, and press Next
- Choose:
This allows creating a user and enabling / disabling a user, but not deleting it. At this moment the user isn't able to change group membership, as this has to be done differently.
You should take a look at the available ACEs on the user objects and delegate what you need, minus the Delete ACE. Although it is still better practice to only give these types of rights to people you can trust not to delete your objects. There certainly will be accidents, but as I mentioned before, there are backups and other ways (prevent accidental deletion, AD recycle bin) to recover from those.
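One way to script the custom delegation the two answers above describe (the asker's wizard steps and the "delegate what you need, minus the Delete ACE" advice): grant create, reset-password, attribute-write and group-membership rights on an OU without any Delete ACE, then verify that none was granted. This is an added example, not code from either answer; the ActiveDirectory module, the OU path and the delegate group name are assumptions (placeholders).

```powershell
# Added example, not from the original answers. Assumes the ActiveDirectory module
# is available and that the OU and delegate group below exist (placeholder names).
Import-Module ActiveDirectory
$ouDN    = 'OU=Staff,DC=example,DC=com'        # placeholder: OU to delegate
$group   = Get-ADGroup 'Helpdesk-UserAdmins'    # placeholder: delegate group
$sid     = [System.Security.Principal.SecurityIdentifier]$group.SID
$rootDSE = Get-ADRootDSE
# Resolve class/attribute and extended-right GUIDs from the schema at runtime
# instead of hardcoding them.
function Get-SchemaGuid([string]$ldapName) {
    $o = Get-ADObject -SearchBase $rootDSE.schemaNamingContext `
         -LDAPFilter "(lDAPDisplayName=$ldapName)" -Properties schemaIDGUID
    [guid]$o.schemaIDGUID
}
function Get-RightGuid([string]$displayName) {
    $o = Get-ADObject -SearchBase "CN=Extended-Rights,$($rootDSE.configurationNamingContext)" `
         -LDAPFilter "(displayName=$displayName)" -Properties rightsGuid
    [guid]$o.rightsGuid
}
$userClass  = Get-SchemaGuid 'user'
$groupClass = Get-SchemaGuid 'group'
$rights = [System.DirectoryServices.ActiveDirectoryRights]
$allow  = [System.Security.AccessControl.AccessControlType]::Allow
$inh    = [System.DirectoryServices.ActiveDirectorySecurityInheritance]
$rules = @()
# 1. Create user objects in this OU. DeleteChild is deliberately not granted.
$rules += New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $sid, $rights::CreateChild, $allow, $userClass, $inh::All)
# 2. Reset password on descendant user objects (extended right).
$rules += New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $sid, $rights::ExtendedRight, $allow, (Get-RightGuid 'Reset Password'), $inh::Descendents, $userClass)
# 3. Write selected user attributes (email, names, enable/disable) on descendant users.
foreach ($attr in 'mail', 'displayName', 'givenName', 'sn', 'userAccountControl') {
    $rules += New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
        $sid, $rights::WriteProperty, $allow, (Get-SchemaGuid $attr), $inh::Descendents, $userClass)
}
# 4. Modify group membership: write the "member" attribute on descendant groups.
$rules += New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $sid, $rights::WriteProperty, $allow, (Get-SchemaGuid 'member'), $inh::Descendents, $groupClass)
# Note: moving a user to another OU also needs Delete on the object (or DeleteChild
# on the source OU), so that task cannot be granted without a delete right.
$acl = Get-Acl -Path "AD:\$ouDN"
$rules | ForEach-Object { $acl.AddAccessRule($_) }
Set-Acl -Path "AD:\$ouDN" -AclObject $acl
# Verify: the delegate group should hold no Delete/DeleteChild/DeleteTree ACE on the OU.
(Get-Acl -Path "AD:\$ouDN").Access |
    Where-Object { $_.IdentityReference -like "*\$($group.SamAccountName)" -and
                   $_.ActiveDirectoryRights -match 'Delete' }
```

The final pipeline should return nothing; any ACE it lists is a delete right that the wizard or an earlier delegation granted and that should be reviewed.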