In this article we’ll consider how to delegate administrative privileges in the Active Directory domain. Delegation allows you to provide some AD management tasks to common domain users without making them the members of the privileged domain groups, like Domain Admins, Account Operators, etc. For example, you can use delegation to grant a certain AD security group (say, Helpdesk) the permissions to add users to groups, to create new users in AD and to reset account passwords.
Features of Control Delegation in Active Directory
To delegate privileges in AD the Delegation of Control Wizard in Active Directory Users and Computers (DSA.msc) is used.
You can delegate administrative privileges in AD on a quite detailed level. You can grant one group the permissions to reset passwords in the OU, another one – to create and delete accounts, and the third one – to reset passwords. You can configure permission inheritance for the nested OUs. Privileges can be delegated on the following domain levels:
- AD site;
- The whole domain;
- A specific Organizational Unit (OU) in Active Directory.
Usually it is not recommended to delegate control directly to a user account. Create a new security group in AD instead, add a user to it and delegate permissions on an OU to the group. If you want to grant the same privileges to another user, just add them to this security group.Please note that you should not grant anybody the permissions to manage the OU with the administrative accounts. Otherwise, any support team member will be able to reset the password of the domain administrator. All privileged users and groups must be placed to a separate OU that is not subject to delegation rules.
Delegate Password Reset and Unlock Account Permissions in AD
Let’s imagine that our task is to grant the HelpDesk group the permissions to reset passwords and unlock user accounts in the domain. Let’s create a new security group in AD using PowerShell:
New-ADGroup "HelpDesk" -path 'OU=Groups,OU=NewYork,OU=US,dc=contoso,DC=com' -GroupScope Global
Add users you want to this group:
Add-AdGroupMember -Identity HelpDesk -Members EndUser1, EndUser2
Run the Active Directory Users and Computers (dsa.msc) console, right-click the OU with the users (in our example it is ‘OU=Users,OU=NewYork,OU=US,dc=contoso,DC=com’) and select the Delegate Control menu item.
Select the group you want to grant administrative privileges to.
Select one of the preconfigured set of privileges (Delegate the following common tasks):
- Create, delete, and manage user accounts;
- Reset user passwords and force password change at next logon;
- Read all user information;
- Create, delete and manage groups;
- Modify the membership of a group;
- Manage Group Policy links;
- Generate Resultant Set of Policy (Planning);
- Generate Resultant Set of Policy (Logging);
- Create, delete, and manage inetOrgPerson accounts;
- Reset inetOrgPerson passwords and force password change at next logon;
- Read all inetOrgPerson information.
Or create your own delegation task (Create a custom task to delegate). I will select the second option.
Select the type of AD objects on which you want to grant administrative privileges. Since we want to grant control over user accounts, select the User Object item. If you want to provide permissions to create or delete users in the OU, select the options Create/Delete selected objects in this folder. In our example we don’t grant these privileges.
In the list of permissions you need to select those you want to delegate. In our example, we’ll select the privileges to unlock account (Read lockoutTime and Write lockoutTime) and to reset a password (Reset password).In order for the HelpDesk team to identify the source of the account lockouts in the domain, you must grant them the privilege to search security logs on the domain controllers.
Click Next, and confirm the delegation of the selected privileges on the last screen.
Under a user account from the HelpDesk group try to reset a password of a user from the OU Users using PowerShell:
Set-ADAccountPassword StaffMember1 -Reset -NewPassword (ConvertTo-SecureString -AsPlainText “P@ssdr0w1” -Force -Verbose) –PassThru
The password should be reset successfully (if it corresponds to the domain password policy).
Now try to create a user in this OU using the New-ADUser cmdlet:
New-ADUser -Name StaffMember2 -Path 'OU=Users,OU=NewYork,OU=US,DC=contoso,DC=com' -Enabled $true
An access error will appear since you haven’t delegated the privilege to create new AD accounts.
To control the users you have delegated some privileges, you can use the domain controller security logs. For example, you can track who has reset a user password in the domain, who created a user account in AD or changes in sensitive AD groups.
Delegation of Privileges to Join Computers to AD Domain
By default, any domain user can join up to 10 computers to the domain. When adding the 11th computer, this error message appears:Your computer could not be joined to the domain. You have exceeded the maximum number of computer accounts you are allowed to create in this domain. Contact your system administrator to have this limit reset or increased.
You can change this restriction on the whole domain level by increasing the value in the ms-DS-MachineAccountQuota attribute. Or (which is more reasonable and secure) by delegating the right to join computers to a certain OU in the domain to the specific group of users (helpdesk). To do it, delegate the privilege to create objects with the type Computer objects. In the Delegation of Control Wizard, select Create selected objects in this folder.
Select Create All Child Objects in the Permissions section.
How to Remove Delegated Permissions in AD Domain?
To remove delegated permissions for the AD security group, open the OU properties in the ADUC console and go to the Security tab.
In the list of permissions, find the group you have delegated the privileges to and click Remove. You can view the list of the delegated permissions in the Advanced tab. As you can see, the HelpDesk group can reset user passwords.
Also in the Security -> Advanced tab you can configure the control delegation by assigning non-standard permissions for various security groups.