It’s very common to want to allow a small group of people, or even a help desk (possibly from a third-party managed service provider), to manage user accounts in Active Directory.

As you can see in the screenshot below, it’s not exactly rocket science, but there is a quirk we’ll have to explain:



How To Install RSAT AD Users & Computers on a Member Server

If you don’t already have RSAT ADUC installed on a member server, you can easily change that:

  1. Launch Server Manager and wait for it to finish setting up
  2. Click on Manage (top right corner)
  3. Select Add Roles and Features
  4. Click Next until you reach the Select Features section
  5. Select RSAT:
    • Scroll down and expand Remote Server Administration Tools
    • Select Role Administration Tools
    • Check AD DS and AD LDS Tools
    • Ensure Active Directory Users and Computers is selected
  6. Click Next and then Install
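The same install from PowerShell, as an added example that is not part of the original article. It assumes the server has Server Manager's cmdlets available (any Windows Server) and installs both the ADUC snap-in (feature name RSAT-ADDS-Tools) and the Active Directory PowerShell module (RSAT-AD-PowerShell), since the module is what a scripted delegation later needs.

```powershell
# Added example, not from the original article.
# RSAT-ADDS-Tools  = "AD DS Snap-Ins and Command-Line Tools" (ships dsa.msc, i.e. ADUC)
# RSAT-AD-PowerShell = the ActiveDirectory module used for scripted delegation
$wanted = 'RSAT-ADDS-Tools', 'RSAT-AD-PowerShell'

$missing = Get-WindowsFeature -Name $wanted | Where-Object { -not $_.Installed }
if ($missing) {
    Install-WindowsFeature -Name $missing.Name -IncludeAllSubFeature
}

# Confirm the snap-in landed and open it (dsa.msc is the ADUC console)
if (Test-Path "$env:SystemRoot\System32\dsa.msc") {
    Start-Process -FilePath 'dsa.msc'
} else {
    Write-Warning 'dsa.msc not found; check the Install-WindowsFeature output above.'
}
```

Run it in an elevated PowerShell session; Install-WindowsFeature needs administrator rights on the member server.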

How To Delegate Rights To Help Desk Staff To Manage Users in ADUC

  1. Launch Active Directory Users and Computers
  2. Expand ADUC to the OU where the user accounts are located
  3. Right-click on the OU and select Delegate Control
  4. Click Next then Add to select the users or groups you want to delegate control to
    • For example, you might add a group called “Help Desk”
  5. Select Reset user passwords and force password change at next logon
    • You can also choose other tasks if needed

However, strangely, the wizard task “Reset user passwords and force password change at next logon” does NOT provide the ability to UNLOCK user accounts, and that is something most Help Desk staff need to do frequently, so you might have to:

  1. Select Create a custom task to delegate and click Next.
  2. Click Only the following objects in the folder and select User objects. Click Next
  3. In the Permissions list, check the following:
    • Read lockoutTime and Write lockoutTime (to unlock accounts)
    • Reset password (to reset passwords)
    • Create user objects (to create new accounts)
    • Delete user objects (to delete accounts)
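The same custom delegation done in PowerShell, followed by an audit of what the group actually holds on the OU, as an added example that is not part of the original article. It assumes the ActiveDirectory module is installed, and the group name and OU distinguished name are placeholders for your own. Rather than hardcoding schema GUIDs, it reads the `lockoutTime` attribute, the `user` class and the `Reset Password` extended right from the forest, then writes the four ACEs the wizard would. The audit at the end also flags GenericAll, which is what the FULL CONTROL shortcut described in the next paragraph puts on the OU, so you can see at a glance whether a help desk group was granted far more than unlock, reset, create and delete.

```powershell
# Added example, not from the original article.
Import-Module ActiveDirectory

$GroupName = 'Help Desk'                      # assumed group name
$OuDN      = 'OU=Staff,DC=example,DC=local'   # assumed OU

# Resolve GUIDs from this forest's schema and Extended-Rights container.
$rootDSE = Get-ADRootDSE
$schemaGuid = @{}
Get-ADObject -SearchBase $rootDSE.schemaNamingContext -LDAPFilter '(schemaIDGUID=*)' `
    -Properties lDAPDisplayName, schemaIDGUID |
    ForEach-Object { $schemaGuid[$_.lDAPDisplayName] = [guid]$_.schemaIDGUID }
$rightGuid = @{}
Get-ADObject -SearchBase "CN=Extended-Rights,$($rootDSE.configurationNamingContext)" `
    -LDAPFilter '(objectClass=controlAccessRight)' -Properties displayName, rightsGuid |
    ForEach-Object { $rightGuid[$_.displayName] = [guid]$_.rightsGuid }

$userClass = $schemaGuid['user']
$sid       = (Get-ADGroup -Identity $GroupName).SID
$allow     = [System.Security.AccessControl.AccessControlType]::Allow
$toUsers   = [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents
$selfAndAll = [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All

function New-Ace {
    # Builds one Allow ACE for the help desk group. Rights is a flags string such as
    # 'ReadProperty, WriteProperty'; InheritedObjectType limits the ACE to one class.
    param($Rights, [guid]$ObjectType, $Inheritance, [guid]$InheritedObjectType = [guid]::Empty)
    New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
        $sid, [System.DirectoryServices.ActiveDirectoryRights]$Rights, $allow,
        $ObjectType, $Inheritance, $InheritedObjectType)
}

$acl = Get-Acl -Path "AD:\$OuDN"
# Read + Write lockoutTime on user objects under the OU: this is what unlocks accounts
$acl.AddAccessRule((New-Ace 'ReadProperty, WriteProperty' $schemaGuid['lockoutTime'] $toUsers $userClass))
# Reset Password extended right on user objects
$acl.AddAccessRule((New-Ace 'ExtendedRight' $rightGuid['Reset Password'] $toUsers $userClass))
# Create and delete user objects in this OU and any sub-OUs
$acl.AddAccessRule((New-Ace 'CreateChild, DeleteChild' $userClass $selfAndAll))
Set-Acl -Path "AD:\$OuDN" -AclObject $acl

# Audit: list the group's ACEs on the OU with GUIDs translated back to names,
# and flag any ACE carrying GenericAll (Full Control).
$nameOf = @{}
$schemaGuid.GetEnumerator() | ForEach-Object { $nameOf[$_.Value] = $_.Key }
$rightGuid.GetEnumerator()  | ForEach-Object { $nameOf[$_.Value] = $_.Key }
$genericAll = [System.DirectoryServices.ActiveDirectoryRights]::GenericAll

(Get-Acl -Path "AD:\$OuDN").Access |
    Where-Object { $_.IdentityReference -like "*\$GroupName" } |
    ForEach-Object {
        $obj  = if ($_.ObjectType -eq [guid]::Empty) { '(all)' } else { $nameOf[$_.ObjectType] }
        $flag = if (($_.ActiveDirectoryRights -band $genericAll) -eq $genericAll) { ' <-- FULL CONTROL' } else { '' }
        '{0,-32} {1,-20} {2}{3}' -f $_.ActiveDirectoryRights, $obj, $_.InheritanceType, $flag
    }
```

The `AD:` drive used by Get-Acl and Set-Acl is created when the ActiveDirectory module loads; the account running the script needs permission to modify the OU's security descriptor. Re-running the audit section on its own is a quick way to review an OU after the wizard has been used.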

Alternatively, you can do what we did in the pink section of the screenshot above, which is to give our Help Desk staff FULL CONTROL, which does include the ability to unlock user accounts in AD.


