1

Domain Controller - Windows Server 2008 R2 standard

I need to delegate only the tasks below to a helpdesk ID for a specific OU, i.e.:

1) Creating a user

2) After creating that user, adding them to specific groups only, i.e. FT, BD, Domain Local Security Groups only.

I don't want to delegate to the helpdesk engineer the right to add the user to other security groups, such as the Admin or Domain Admin group.

In the Delegate Control window, there is no such option. Please help me: how can I give these rights with OU Properties > Security tab?


Param

1 Answer

2

I wouldn't use the Security tab directly. Instead, right-click the OU and use the Delegation of Control Wizard. Through there you can delegate the right to create, delete and manage user accounts, or if you only want to give someone the ability to create user accounts, choose to create a custom task and then only assign the right to create user accounts.

As for the group, well you can delegate group tasks there as well.

Also, each group has a Managed By tab; you could make your helpdesk group the manager of your other groups using this tab so that they can adjust membership of that group (this is not very scalable though).

Finally, there is the Account Operators group. You can make people a member of this group and they will be able to administer user and group accounts (not domain admin groups), but it would give them rights across the whole domain and not a specific OU.

Michael Brown
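One way to script the delegation described in the answer above, as an added example that is not part of the original post: it uses `dsacls` to let a helpdesk group create user objects in one OU and write the `member` attribute of only the named groups. The `EXAMPLE\Helpdesk` group and every distinguished name are placeholders to replace with your own.

```powershell
# Added example. All names below are placeholders (assumptions), not values from the post.
$helpdesk = 'EXAMPLE\Helpdesk'                 # group that receives the delegated rights
$ouDn     = 'OU=Staff,DC=example,DC=com'       # OU in which users may be created
$groupDns = @(
    'CN=FT,OU=Groups,DC=example,DC=com',       # groups the helpdesk may add users to
    'CN=BD,OU=Groups,DC=example,DC=com'
)

# Run dsacls.exe and stop on the first failure so a partial delegation is noticed.
function Invoke-Dsacls {
    param([string[]]$Arguments)
    $output = & dsacls.exe $Arguments 2>&1
    if ($LASTEXITCODE -ne 0) {
        throw "dsacls failed ($LASTEXITCODE): $($output -join ' ')"
    }
    $output
}

# 1) Create Child (CC) restricted to the "user" object class, on the OU.
#    Add '/I:T' before '/G' if nested OUs should be covered as well.
Invoke-Dsacls @($ouDn, '/G', "${helpdesk}:CC;user") | Out-Null

# 2) Write Property (WP) on the "member" attribute, on the named groups only.
foreach ($dn in $groupDns) {
    Invoke-Dsacls @($dn, '/G', "${helpdesk}:WP;member") | Out-Null
}

# 3) Review: list the ACL lines that mention the helpdesk group on each object.
$name = $helpdesk.Split('\')[-1]
foreach ($dn in @($ouDn) + $groupDns) {
    "--- $dn"
    Invoke-Dsacls @($dn) | Select-String -SimpleMatch $name
}
```

Run it from an elevated prompt with an account allowed to change these ACLs. Because the `member` ACE is placed only on the listed groups, this delegation gives the helpdesk group no write access to the membership of any other group.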