I have been saying for years that a good IT department in a secure, well-managed infrastructure will give their end users the tools they need to do their job… and nothing more.
If that is true for end users, shouldn’t it also be true for the IT department themselves? It is frustrating to see the number of shops I go into where there are fifteen or twenty members of the Domain Admins group, and for the silliest reasons. Most of those people only need a handful of specific rights, and the Delegation of Control Wizard in Active Directory can grant a group exactly those tasks without making anyone a Domain Admin:
- Create, delete, and manage user accounts
- Reset user passwords and force password change at next logon
- Read all user information
- Modify the membership of a group
- Join a computer to the domain
- Manage Group Policy links
- Generate Resultant Set of Policy (Planning)
- Generate Resultant Set of Policy (Logging)
- Create, delete, and manage inetOrgPerson accounts
- Reset inetOrgPerson passwords and force password change at next logon
- Read all inetOrgPerson information
These permissions can be set either at the domain level or at the Organizational Unit (OU) level (except Join a computer to the domain, which must be set at the domain level). To delegate them:
- Open Active Directory Users and Computers (ADUC)
- Right-click on the domain (or OU) where you want to assign the permission
- Click Delegate Control…
- On the Welcome to… window click Next
- On the Users or Groups window click Add… and select the security group (or individual) that you want to affect. Click Add, then click Next
- On the Tasks to Delegate window select the tasks from the list, and then click Next
- On the Completing the Delegation of Control Wizard window click Finish.
Remember, if you have multiple sites across slow links, this might take a while to propagate, but you are done. That’s it!
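As an added example (not from the original post), here is the same delegation done from PowerShell for one of the tasks above, “Reset user passwords and force password change at next logon”, on a single OU, followed by a read-back of the ACL so you can verify what was actually granted. It assumes the RSAT ActiveDirectory module; the OU and group names are placeholders.

```powershell
# Added example: delegate "Reset user passwords and force password change at
# next logon" on one OU to one group, the same two ACEs the wizard writes,
# then read the ACL back to confirm. Assumes the RSAT ActiveDirectory module.
Import-Module ActiveDirectory

$OU    = 'OU=Staff,DC=example,DC=com'   # placeholder target OU
$Group = 'Helpdesk-PasswordReset'       # placeholder delegate group

# Resolve object-type GUIDs from the schema and configuration partitions
# instead of hard-coding them, so the script works in any forest.
$root = Get-ADRootDSE
function Get-SchemaGuid([string]$LdapDisplayName) {
    $o = Get-ADObject -SearchBase $root.schemaNamingContext `
        -LDAPFilter "(lDAPDisplayName=$LdapDisplayName)" -Properties schemaIDGUID
    New-Object System.Guid -ArgumentList (,[byte[]]$o.schemaIDGUID)
}
function Get-ExtendedRightGuid([string]$DisplayName) {
    $o = Get-ADObject -SearchBase "CN=Extended-Rights,$($root.configurationNamingContext)" `
        -LDAPFilter "(displayName=$DisplayName)" -Properties rightsGuid
    [System.Guid]$o.rightsGuid
}

$userClass  = Get-SchemaGuid 'user'
$pwdLastSet = Get-SchemaGuid 'pwdLastSet'
$resetPwd   = Get-ExtendedRightGuid 'Reset Password'
$sid        = (Get-ADGroup $Group).SID

$acl     = Get-Acl -Path "AD:\$OU"
$inherit = [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents
$allow   = [System.Security.AccessControl.AccessControlType]::Allow

# ACE 1: the "Reset Password" control-access right, scoped to user objects under the OU.
$acl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $sid, [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight,
    $allow, $resetPwd, $inherit, $userClass)))

# ACE 2: read/write pwdLastSet, which "force change at next logon" sets to 0.
$rw = [System.DirectoryServices.ActiveDirectoryRights]'ReadProperty, WriteProperty'
$acl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $sid, $rw, $allow, $pwdLastSet, $inherit, $userClass)))

Set-Acl -Path "AD:\$OU" -AclObject $acl

# Verify: show only the ACEs this group now holds on the OU.
(Get-Acl -Path "AD:\$OU").Access |
    Where-Object { $_.IdentityReference -like "*\$Group" } |
    Select-Object ActiveDirectoryRights, ObjectType, InheritedObjectType, InheritanceType
```

The same read-back, run without the grant, is a quick way to audit which groups already hold delegated rights on an OU before you add more.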
I hope this helps. Really, it has not changed much in fifteen years, but sometimes it is important to refresh knowledge, especially for the newer generations of IT Admins!