LasLabs

Create an Active Directory Admin Group Win 2012 R2

== Foreword ==
Today we will create an Active Directory admin group in Windows Server 2012 R2.

The new group will have typical administrator permissions on the OU that you select. We will be enabling User Creation, Password Resets, Group Creation/Deletion, and Computer Creation/Deletion.

A few things that the group will not be able to do:

  • Reorganize OUs
  • Change properties at the domain level

You can enable other permissions if you would like, but these are typically what a Service Desk/IT Agent in an Enterprise environment will require.
== Delegation of Control Wizard ==
The easy way to go about this is through the Delegation of Control Wizard.

You won’t have nearly as many options, but it is much easier:

  1. Open Active Directory Users and Computers
  2. Right click the OU that you want to create the Security Group in, go to New, then click Group
    [[image:Active-Directory-Create-New-Group.png|link=source]]
  3. Name the group
  4. Right click the OU you want to give this group permissions to, then click `Delegate Control`
    [[image:Active-Directory-Delegate-Control.png|link=source]]

  5. Click `Add`, then select the group you just made
  6. Check the following options:
    • Create, delete, and manage user accounts
    • Reset user passwords and force password change at next logon
    • Read all user information
    • Create, delete, and manage groups
    • Modify the membership of a group
    • Manage Group Policy links
    • Generate Resultant Set of Policy (Planning)
    • Generate Resultant Set of Policy (Logging)

Now we need to delegate the ability to unlock user accounts:

  1. Right click the OU you want to give this group permissions to, then click `Delegate Control`
  2. Click `Add`, then select the group you previously made
  3. Select `Create a custom task to delegate`
  4. Select `Only the following objects in the folder` and then click `User Objects` at the end of the list
  5. Select `Property-specific` under `Show these Permissions`
  6. Check both `Read` and `Write` for the `lockoutTime` attribute

You now have an Active Directory Admin group that can be added to your Service Desk/IT staff without exposing the vitals of your environment.
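The same delegation can be scripted so it is repeatable and reviewable. The following PowerShell is an added example written for this article, not a script from the original post: it creates the group and applies the access control entries the wizard checkboxes above produce (create/delete and manage user and group objects, reset password, read and write `lockoutTime`, manage Group Policy links and the two RSoP rights). The OU distinguished name and the group name `SD-Admins` are assumed placeholder values; the schema and extended-right GUIDs are looked up from the forest at run time rather than hard-coded.

```powershell
# Added example (not part of the original article): script equivalent of the
# Delegation of Control Wizard steps above, using the ActiveDirectory module.
# Assumed values: the target OU and the group name below are placeholders.
Import-Module ActiveDirectory

$TargetOU  = 'OU=Service Desk Managed,DC=example,DC=com'   # assumed OU
$GroupName = 'SD-Admins'                                     # assumed group name

# Steps 1-3: create a global security group inside the target OU (idempotent)
$group = Get-ADGroup -Filter "Name -eq '$GroupName'"
if (-not $group) {
    $group = New-ADGroup -Name $GroupName -GroupScope Global -GroupCategory Security `
                         -Path $TargetOU -PassThru
}
$sid = [System.Security.Principal.SecurityIdentifier]$group.SID

# Resolve object-class, attribute and extended-right GUIDs from this forest's schema
$rootDse  = Get-ADRootDSE
$schemaNC = $rootDse.schemaNamingContext
$configNC = $rootDse.configurationNamingContext

function Get-SchemaGuid([string]$LdapDisplayName) {
    $obj = Get-ADObject -SearchBase $schemaNC -LDAPFilter "(lDAPDisplayName=$LdapDisplayName)" -Properties schemaIDGUID
    [guid]$obj.schemaIDGUID
}
function Get-RightGuid([string]$DisplayName) {
    $obj = Get-ADObject -SearchBase "CN=Extended-Rights,$configNC" -LDAPFilter "(displayName=$DisplayName)" -Properties rightsGuid
    [guid]$obj.rightsGuid
}

$userClass   = Get-SchemaGuid 'user'
$groupClass  = Get-SchemaGuid 'group'
$lockoutTime = Get-SchemaGuid 'lockoutTime'
$gpLink      = Get-SchemaGuid 'gPLink'
$gpOptions   = Get-SchemaGuid 'gPOptions'
$resetPwd    = Get-RightGuid  'Reset Password'
$rsopPlan    = Get-RightGuid  'Generate Resultant Set of Policy (Planning)'
$rsopLog     = Get-RightGuid  'Generate Resultant Set of Policy (Logging)'
$all         = [guid]::Empty   # empty GUID = "all object types / all properties"

$ADS = [System.DirectoryServices.ActiveDirectoryRights]
$INH = [System.DirectoryServices.ActiveDirectorySecurityInheritance]
$Allow = [System.Security.AccessControl.AccessControlType]::Allow

# Build one Allow ACE for the delegated group
function New-Ace($Rights, [guid]$ObjectType, $Inheritance, [guid]$InheritedObjectType) {
    New-Object -TypeName System.DirectoryServices.ActiveDirectoryAccessRule `
               -ArgumentList $sid, $Rights, $Allow, $ObjectType, $Inheritance, $InheritedObjectType
}

$acl = Get-Acl -Path "AD:\$TargetOU"

# "Create, delete, and manage user accounts" / "Read all user information"
$acl.AddAccessRule((New-Ace ($ADS::CreateChild -bor $ADS::DeleteChild) $userClass $INH::All $all))
$acl.AddAccessRule((New-Ace $ADS::GenericAll $all $INH::Descendents $userClass))
# "Reset user passwords and force password change at next logon"
$acl.AddAccessRule((New-Ace $ADS::ExtendedRight $resetPwd $INH::Descendents $userClass))
# Unlock accounts: read/write lockoutTime on descendant user objects
$acl.AddAccessRule((New-Ace ($ADS::ReadProperty -bor $ADS::WriteProperty) $lockoutTime $INH::Descendents $userClass))
# "Create, delete, and manage groups" / "Modify the membership of a group"
$acl.AddAccessRule((New-Ace ($ADS::CreateChild -bor $ADS::DeleteChild) $groupClass $INH::All $all))
$acl.AddAccessRule((New-Ace $ADS::GenericAll $all $INH::Descendents $groupClass))
# "Manage Group Policy links": write gPLink and gPOptions on the OU and child OUs
$acl.AddAccessRule((New-Ace ($ADS::ReadProperty -bor $ADS::WriteProperty) $gpLink    $INH::All $all))
$acl.AddAccessRule((New-Ace ($ADS::ReadProperty -bor $ADS::WriteProperty) $gpOptions $INH::All $all))
# "Generate Resultant Set of Policy (Planning / Logging)"
$acl.AddAccessRule((New-Ace $ADS::ExtendedRight $rsopPlan $INH::All $all))
$acl.AddAccessRule((New-Ace $ADS::ExtendedRight $rsopLog  $INH::All $all))

# Write the modified security descriptor back to the OU
Set-Acl -Path "AD:\$TargetOU" -AclObject $acl
```

Run it from a domain-joined host with RSAT installed, as an account that can modify the OU's security descriptor. Because every ACE is added with inheritance (`All` or `Descendents`), the rights apply to objects that are moved into the OU later as well, which is exactly why the OU should contain only the users, groups and computers the Service Desk is meant to manage.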
== Advanced Security ==
If you want to get a little more granular with your permissions, you will need to take a slightly longer route:

  1. Open Active Directory Users and Computers
  2. Right click the OU that you want to create the Security Group in, go to New, then click Group
    [[image:Active-Directory-Create-New-Group.png|link=source]]
  3. Name the group
  4. Right click the OU you want to give this group permissions to, then click `Properties`
    [[image:Active-Directory-OU-Properties.png|link=source]]

  5. Go to the `Security` tab, then click `Advanced`
  6. Click `Add` => `Select a principal`, then choose the group you just made
  7. Allow the policy on `This object and all descendant objects`
    [[image:Active-Directory-All-Object-Permissions.png|medium|link=source]]
  8. Check the following options
    1. Create User Objects
    2. Create Computer Objects
    3. Delete Computer Objects
    4. Create Group Objects
    5. Delete Group Objects
  9. Click `OK`
  10. Click `Add` => `Select a principal`, then choose the group you just made
  11. Allow the policy on `Descendant Computer objects`
    [[image:Active-Directory-Permissions-Descendant-Computer-Objects.png|link=source]]
  12. Check `Full Control`, Click `OK`
  13. Click `Add` => `Select a principal`, then choose the group you just made
  14. Allow the policy on `Descendant Group objects`
    [[image:Active-Directory-Permissions-Descendant-Group-Objects.png|link=source]]
  15. Check `Full Control`, Click `OK`
  16. Click `Add` => `Select a principal`, then choose the group you just made
  17. Allow the policy on `Descendant User objects`
    [[image:Active-Directory-Permissions-Descendant-User-Objects.png|link=source]]
  18. Check `Full Control`, Click `OK`
  19. Click `OK`, then `OK` again to confirm

You now have an Active Directory Admin group that can be added to your Service Desk/IT staff without exposing the vitals of your environment. Keep in mind that `Full Control` on descendant user, group and computer objects reaches every such object beneath the OU, so keep privileged accounts and groups (Domain Admins members, service accounts with elevated rights) out of that OU rather than relying on the delegation to stay harmless.
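Whichever route you took, it is worth checking what actually landed on the OU and that nothing privileged sits beneath it. The script below is an added example, not part of the original article: it lists the ACEs granted to the delegated group on the OU with their GUIDs resolved to class, attribute and extended-right names, and then searches the OU for objects with `adminCount=1` (accounts and groups protected by AdminSDHolder, whose inherited permissions are periodically reset and which should not be under a Service Desk-managed OU in the first place). The OU and group name are assumed placeholders.

```powershell
# Added example (not part of the original article): audit the delegation
# applied to an OU and flag protected objects living under it.
# Assumed values: the target OU and group name below are placeholders.
Import-Module ActiveDirectory

$TargetOU  = 'OU=Service Desk Managed,DC=example,DC=com'   # assumed OU
$GroupName = 'SD-Admins'                                     # assumed group name

# Map every schema GUID and extended-right GUID to a readable name
function Get-GuidNameMap {
    $rootDse  = Get-ADRootDSE
    $map = @{ ([guid]::Empty).ToString() = 'All' }
    Get-ADObject -SearchBase $rootDse.schemaNamingContext -LDAPFilter '(schemaIDGUID=*)' `
                 -Properties lDAPDisplayName, schemaIDGUID |
        ForEach-Object { $map[([guid]$_.schemaIDGUID).ToString()] = $_.lDAPDisplayName }
    Get-ADObject -SearchBase "CN=Extended-Rights,$($rootDse.configurationNamingContext)" `
                 -LDAPFilter '(rightsGuid=*)' -Properties displayName, rightsGuid |
        ForEach-Object { $map[([guid]$_.rightsGuid).ToString()] = $_.displayName }
    return $map
}

# Return the ACEs on $OU whose trustee is $Group, with GUIDs resolved to names
function Get-DelegatedAces([string]$OU, [string]$Group) {
    $map    = Get-GuidNameMap
    $domain = (Get-ADDomain).NetBIOSName
    (Get-Acl -Path "AD:\$OU").Access |
        Where-Object { $_.IdentityReference.Value -eq "$domain\$Group" } |
        ForEach-Object {
            [pscustomobject]@{
                Rights      = $_.ActiveDirectoryRights
                Type        = $_.AccessControlType
                AppliesTo   = $map[$_.ObjectType.ToString()]            # right / attribute / class
                Inheritance = $_.InheritanceType
                OnObjects   = $map[$_.InheritedObjectType.ToString()]   # descendant object class
                Inherited   = $_.IsInherited
            }
        }
}

# Return any AdminSDHolder-protected objects found beneath $OU (should be none)
function Get-ProtectedObjectsUnder([string]$OU) {
    Get-ADObject -SearchBase $OU -SearchScope Subtree -LDAPFilter '(adminCount=1)' `
                 -Properties adminCount, objectClass |
        Select-Object Name, ObjectClass, DistinguishedName
}

"ACEs granted to $GroupName on $TargetOU :"
Get-DelegatedAces -OU $TargetOU -Group $GroupName | Format-Table -AutoSize

$protected = @(Get-ProtectedObjectsUnder -OU $TargetOU)
if ($protected.Count -gt 0) {
    Write-Warning "Protected (adminCount=1) objects found under the delegated OU; move them out:"
    $protected | Format-Table -AutoSize
} else {
    "No protected objects under $TargetOU."
}
```

The ACE listing is also a handy thing to save alongside a change ticket: re-running it later shows whether anyone has widened the delegation (for example by adding a non-inherited `GenericAll` on the OU itself) since it was set up.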

