I need to create a group a group of pseudo admins in AD to manage users at a remote location, but I'm not sure how this should be done

Question

My company is migrating/consolidating domains with several remote business we have purchased, and one of our remotes sites has a pre-existing IT department that we want to keep in place. We would like to give the pre-existing department access to manage their users, groups, and PCs with out giving them access to anything else in our network. Has anyone dealt with this before, and if so how did you set this up?

Edit: I want to specify that this new company will be on the same domain as our existing company. So I need to figure out how to make this work all within one domain.

this is called domain trust, you can delegate the trust in one or both directions — djdomi, Jul 08 '21 at 16:01

score 1 · Answer 1 · answered Jul 08 '21 at 18:54

Based on your question and comments that it will be a single forest/single domain -- then it's just a matter of proper OU structure and Delegation of rights within AD.

See here from Microsoft for more info: https://docs.microsoft.com/en-us/windows-server/identity/ad-ds/plan/delegating-administration-by-using-ou-objects

Basically you are creating specific OU structures and then setting rights for the IT admins based on your structure you want to delegate.

I need to create a group a group of pseudo admins in AD to manage users at a remote location, but I'm not sure how this should be done

1 Answers1