Grant permission in Active Directory to add users / modify them / change passwords / add them to groups, but not delete them
To delegate permission for a domain user to:
- add new users to a container
- change passwords
- modify group membership
- modify user properties (such as email, name etc.)
- move users between OUs
I had to create two groups, as the Delegation Wizard wouldn't let me specify which properties to choose on each User object when I chose more than the User object type. So I decided to create two groups: one for user management and one for group management.
The first one required these steps:
- Right click on the container and choose "Delegate Control".
- When the Delegation Wizard opens up, click "Next".
- On the next page choose the group you want to give permissions to and press "Next".
- On the next page choose "Create a custom task to delegate" and click "Next".
- Choose "Only the following objects in the folder", go to the bottom of the list and tick "User objects". Choosing anything more than just this one entry will not give you the possibility of a granular choice of properties to change.
- Make sure "Create selected objects in this folder" is checked and press "Next".
- Choose:
- Read All Properties
- Write All Properties
- Read and write general information
- Read and write logon information
- Read and write phone and mail options
- Read and write web information
- Read and write Terminal Server license server
- Read and write remote access information
- Change password
- Reset password
This allows the delegate to create users and enable / disable them (userAccountControl is writable through "Write All Properties") but not delete them, because neither "Delete" nor "Delete selected objects in this folder" is granted. Two things to keep in mind: "Read All Properties" and "Write All Properties" already cover every individual property set in the list, so the per-set entries only make the ACL more explicit; and "Write All Properties" plus "Reset password" over an OU is a broad grant, so the OU should contain only the ordinary users the delegate is meant to manage and no privileged accounts. At this point the delegate still isn't able to change group membership, as that has to be done differently.
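The same delegation can be scripted instead of clicked through the wizard, which also makes it reviewable and repeatable. The script below is an added example and not part of the original post: it builds the ACEs the wizard would write (CreateChild of class user on the OU, Read/Write property on descendant user objects, the listed property sets, and the Change Password / Reset Password extended rights). It assumes the RSAT ActiveDirectory module on a domain-joined host, rights to modify the OU's ACL, and placeholder OU and group names that you would replace with your own. GUIDs are resolved from the schema and Extended-Rights containers rather than hardcoded.

```powershell
# Added example (not from the original post): script the wizard's delegation with PowerShell.
# Assumes the RSAT ActiveDirectory module, a domain-joined host, and rights to edit the OU ACL.
Import-Module ActiveDirectory

$ouDN     = "OU=Managed Users,DC=example,DC=com"   # placeholder target container
$groupSam = "UserManagement"                       # placeholder delegate group

$rootDse = Get-ADRootDSE
$group   = Get-ADGroup $groupSam
$sid     = [System.Security.Principal.SecurityIdentifier]$group.SID

# schemaIDGUID of the "user" class, taken from the schema partition (no hardcoded GUID).
$userClass     = Get-ADObject -SearchBase $rootDse.schemaNamingContext `
    -LDAPFilter "(&(objectClass=classSchema)(lDAPDisplayName=user))" -Properties schemaIDGUID
$userClassGuid = New-Object System.Guid -ArgumentList (,[byte[]]$userClass.schemaIDGUID)

# Extended rights and property sets live under CN=Extended-Rights in the configuration partition.
function Get-RightsGuid([string]$DisplayName) {
    $obj = Get-ADObject -SearchBase "CN=Extended-Rights,$($rootDse.configurationNamingContext)" `
        -LDAPFilter "(displayName=$DisplayName)" -Properties rightsGuid | Select-Object -First 1
    if (-not $obj) { throw "Extended right / property set '$DisplayName' not found" }
    [guid]$obj.rightsGuid
}

$ADR   = [System.DirectoryServices.ActiveDirectoryRights]
$Inh   = [System.DirectoryServices.ActiveDirectorySecurityInheritance]
$Allow = [System.Security.AccessControl.AccessControlType]::Allow
$acl   = Get-Acl -Path "AD:\$ouDN"

# 1. "Create selected objects in this folder": CreateChild of class user on the OU itself.
$acl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $sid, $ADR::CreateChild, $Allow, $userClassGuid, $Inh::None)))

# 2. Read All Properties / Write All Properties on descendant user objects only.
#    No Delete or DeleteChild is granted anywhere, so the delegate cannot remove users.
$acl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $sid, ($ADR::ReadProperty -bor $ADR::WriteProperty), $Allow, $Inh::Descendents, $userClassGuid)))

# 3. The property sets the wizard lists. Already covered by #2, kept so the ACL mirrors the wizard.
foreach ($set in "General Information", "Logon Information", "Phone and Mail Options",
                 "Web Information", "Remote Access Information", "Terminal Server License Server") {
    $acl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
        $sid, ($ADR::ReadProperty -bor $ADR::WriteProperty), $Allow, (Get-RightsGuid $set),
        $Inh::Descendents, $userClassGuid)))
}

# 4. Change Password and Reset Password are control access (extended) rights, not properties,
#    which is why Write All Properties alone does not let the delegate reset passwords.
foreach ($right in "Change Password", "Reset Password") {
    $acl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
        $sid, $ADR::ExtendedRight, $Allow, (Get-RightsGuid $right), $Inh::Descendents, $userClassGuid)))
}

Set-Acl -Path "AD:\$ouDN" -AclObject $acl

# Verify: show only the ACEs granted to the delegate group and confirm no Delete rights appear.
(Get-Acl -Path "AD:\$ouDN").Access |
    Where-Object { $_.IdentityReference -like "*\$groupSam" } |
    Format-Table ActiveDirectoryRights, ObjectType, InheritedObjectType, InheritanceType -AutoSize
```

Run the verification step before and after the change (or against an OU already delegated through the wizard) and compare: the rights columns should list CreateChild, ReadProperty/WriteProperty and ExtendedRight entries scoped to the user class GUID, and nothing containing Delete or DeleteChild. The example covers the user-management group only; the group-management delegation the post mentions is a separate ACL on group objects and is not shown here.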