AD | Delegate Control to a user group
Delegating control of an OU or a branch of OUs can be extremely useful in tackling accidental mishaps or security loopholes. Delegated control allows administrators to grant users permission to perform only the specific actions they have been assigned, and only on the objects they have been assigned. Although delegated controls are relatively easy to assign and set up, they can be troublesome to audit and amend, so good planning before setting up delegation is recommended.
Delegation works by targeting an OU and assigning a group or user certain permissions over that OU. For example, an admin may assign the ‘Password reset and force password change on next login’ task on the Sales OU to user Mike, who is a low-level support engineer. Mike would then only be able to reset passwords for users in the Sales OU or sub-OUs of Sales.
To set up delegation, first create the groups to which the permissions will be assigned. This is not strictly necessary, as permissions can be assigned directly to a user, but it is strongly recommended: if more users need control later on, admins only have to change the group membership rather than edit the permissions on the OU.
Once the groups have been created and the users added, navigate to the OU in which you would like to delegate privileges. Right-click it and select Delegate Control:
The wizard will appear; click Next to start. After the welcome page you will need to add the group to which you would like to assign the permissions. In the example I’ve used the group Full_Changers.
Click Next to continue. On the next step you can either apply generic tasks or create custom tasks. This is where I selected the ‘Password reset and force password change on next login’ tick box.
Once you’re happy with your selection, click Next and then Finish. You’re all set!
To verify the delegation, open Active Directory Users and Computers and enable Advanced Features. Navigate to the OU on which you’ve delegated control and right-click it. Open the Security tab and find the group to which you’ve assigned permissions.
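Because delegated permissions are awkward to audit by hand, here is an added PowerShell example (not part of the original post) that performs the verification step as a script: it reads the OU's ACL through the ActiveDirectory module's AD: drive and lists every trustee that can reset passwords there, flagging any grant that is broader than the wizard's password-reset task. It assumes the RSAT ActiveDirectory module is installed; the OU distinguished name in the example call is a placeholder.

```powershell
# Added example, not from the original post: audit which trustees hold the
# delegated "reset password" right on an OU and flag grants broader than intended.
# Assumes the RSAT ActiveDirectory module (which provides the AD: drive);
# the OU distinguished name in the example call is a placeholder.
Import-Module ActiveDirectory

$ER = [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight
$GA = [System.DirectoryServices.ActiveDirectoryRights]::GenericAll
$ResetPasswordRight = [guid]'00299570-246d-11d0-a768-00aa006e0529'   # "Reset Password" control access right
$UserClass          = [guid]'bf967aba-0de6-11d0-a285-00aa003049e2'   # schema GUID of the user class

function Get-DelegatedPasswordReset {
    param([Parameter(Mandatory)][string]$OuDistinguishedName)

    $acl = Get-Acl -Path ("AD:\" + $OuDistinguishedName)

    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        $r = $ace.ActiveDirectoryRights

        # Decide whether this ACE can reset passwords, and how broad it really is
        if (($r -band $GA) -eq $GA) {
            $scope = 'FULL CONTROL (far broader than password reset)'
        } elseif (($r -band $ER) -eq $ER -and $ace.ObjectType -eq [guid]::Empty) {
            $scope = 'ALL extended rights (broader than password reset)'
        } elseif (($r -band $ER) -eq $ER -and $ace.ObjectType -eq $ResetPasswordRight) {
            $scope = 'Reset Password only (what the wizard grants)'
        } else {
            continue
        }

        # The wizard scopes its ACEs to descendant user objects; anything else is wider
        $appliesTo = if ($ace.InheritedObjectType -eq $UserClass) { 'user objects' } else { 'all object types' }

        [pscustomobject]@{
            OU           = $OuDistinguishedName
            Trustee      = $ace.IdentityReference.Value
            Scope        = $scope
            AppliesTo    = $appliesTo
            Inherited    = $ace.IsInherited   # True = set on a parent OU or the domain, not here
            FlowsToSubOU = ($ace.InheritanceType -eq 'Descendents' -or $ace.InheritanceType -eq 'All')
        }
    }
}

# Example call (placeholder DN); review any row whose Scope is not "Reset Password only"
Get-DelegatedPasswordReset -OuDistinguishedName 'OU=Sales,DC=example,DC=local' |
    Format-Table Trustee, Scope, AppliesTo, Inherited, FlowsToSubOU -AutoSize
```

Rows marked Inherited come from a parent OU or the domain head rather than this delegation, so they are the first place to look when a group appears to have more rights than the wizard should have granted.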