Allowing the HR Department to enter users into Active Directory / Exchange instead of IT?

It is certainly possible to delegate a limited set of privileges to manage user objects. I work at an educational service provider, and one of our departments deals with a lot of students that are only present for a couple of weeks, and they are constantly coming and going. It would be a pain for us to manage the accounts for them. So we delegated privileges to one of the staffers for that program.

We haven't decided not to do it, but we had been investigating integrating our payroll system directly into the AD via SIF. It should be possible for the accounts to automatically be created. All the software exists to do this, but since we are not a traditional school it didn't exactly fit our requirements.

If you do choose to delegate this, you may need to evaluate your security requirements. Perhaps you can let HR create the accounts, but don't permit them to modify group membership. That way it requires some kind of request to someone to double-check that the privileges requested are valid for that person.


One of my AD deployments involves hundreds of overseas employees and a multitude of projects. One of the products we work with also required a separate logon, much as you describe.

I was not able to find a unified way to allow access to the second product. In the end I went with their AD integration as hokey as it is.

Delegating permissions to staff outside of IS became a definitive business requirement. At the end of the day we had a couple of levels of delegated access - one which allows non-IS users to create projects and do general AD management tasks (limited to one branch of AD) and another for user management including new users, group membership and password resets.

The biggest thing I found is that it is imperative to set permissions on your groups as well. If set up properly, your delegated users will be able to move users between common groups without the ability to perform privilege escalation attacks.
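As an added example (not code from any of the answers above) of the two points made so far, letting HR create accounts without touching group membership and locking down the groups themselves: a PowerShell fragment that delegates create/delete of user objects and password reset on one OU while explicitly denying writes to the `member` attribute of groups beneath it. The domain, the OU name and the `HR-AccountAdmins` group are constructed placeholders; the RSAT ActiveDirectory module is assumed.

```powershell
# Added example, not from this thread. Assumes the RSAT ActiveDirectory module and a
# test domain; the OU and group names below are constructed placeholders.
Import-Module ActiveDirectory

$ouDN     = 'OU=HR Managed Users,DC=corp,DC=example'   # placeholder OU delegated to HR
$delegate = (Get-ADGroup 'HR-AccountAdmins').SID        # placeholder group holding HR staff

# Look schema and extended-right GUIDs up in the directory rather than hard-coding them.
$rootDse = Get-ADRootDSE
function Get-SchemaGuid([string]$ldapDisplayName) {
    $o = Get-ADObject -SearchBase $rootDse.schemaNamingContext `
        -LDAPFilter "(lDAPDisplayName=$ldapDisplayName)" -Properties schemaIDGUID
    [guid]$o.schemaIDGUID
}
function Get-RightGuid([string]$displayName) {
    $o = Get-ADObject -SearchBase "CN=Extended-Rights,$($rootDse.configurationNamingContext)" `
        -LDAPFilter "(displayName=$displayName)" -Properties rightsGuid
    [guid]$o.rightsGuid
}
$userClass  = Get-SchemaGuid 'user'
$groupClass = Get-SchemaGuid 'group'
$memberAttr = Get-SchemaGuid 'member'
$resetPwd   = Get-RightGuid  'Reset Password'

$acl   = Get-Acl -Path "AD:\$ouDN"
$Allow = [System.Security.AccessControl.AccessControlType]::Allow
$Deny  = [System.Security.AccessControl.AccessControlType]::Deny
$Desc  = [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents
$None  = [System.DirectoryServices.ActiveDirectorySecurityInheritance]::None
$R     = [System.DirectoryServices.ActiveDirectoryRights]

# 1. HR may create and delete user objects directly under the OU (object type = user class).
$acl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule `
    -ArgumentList $delegate, ($R::CreateChild -bor $R::DeleteChild), $Allow, $userClass, $None))
# 2. HR may reset passwords on user objects beneath the OU (extended right, users only).
$acl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule `
    -ArgumentList $delegate, $R::ExtendedRight, $Allow, $resetPwd, $Desc, $userClass))
# 3. HR is explicitly denied writing 'member' on any group beneath the OU, so the
#    delegation cannot be turned into group-membership changes.
$acl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule `
    -ArgumentList $delegate, $R::WriteProperty, $Deny, $memberAttr, $Desc, $groupClass))

Set-Acl -Path "AD:\$ouDN" -AclObject $acl

# Verification: list the ACEs held by the HR group so the delegation can be reviewed.
(Get-Acl -Path "AD:\$ouDN").Access |
    Where-Object { $_.IdentityReference -like '*HR-AccountAdmins' } |
    Format-Table AccessControlType, ActiveDirectoryRights, ObjectType, InheritedObjectType -AutoSize
```

The deny ACE only covers groups that live beneath this OU; groups elsewhere in the directory keep their own ACLs, which is why the point above about setting permissions on the groups themselves still applies.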


Where I've been, that would be a task that is completed by the System Administrator using information provided by the HR department through a work order or ticket system.

I have configured Active Roles Server for a help desk I supported, which you could use to do what you're trying to do, but you'd have to decide if the effort is justified based on your user base.