Foreword

Today we will create an Active Directory admin group in Windows Server 2012 R2.

The new group will have typical administrator permissions on the OU that you select. We will be enabling User Creation, Password Resets, Group Creation/Deletion, and Computer Creation/Deletion.

A few things that the group will not be able to do:

  • Reorganize OUs
  • Change properties at the domain level

You can enable other permissions if you would like, but these are typically what a Service Desk/IT Agent in an Enterprise environment will require.

Delegation of Control Wizard

The easy way to go about this is through the Delegation of Control Wizard.

You won’t have nearly as many options, but it is much easier:

  1. Open Active Directory Users and Computers
  2. Right click the OU that you want to create the Security Group in, go to New, then click Group

    [Screenshot: Active Directory Create New Group]

  3. Name the group
  4. Right click the OU you want to give this group permissions to, then click Delegate Control

    [Screenshot: Active Directory Delegate Control]

  5. Click Add, then select the group you just made
  6. Check the following options:

    • Create, delete, and manage user accounts
    • Reset user passwords and force password change at next logon
    • Read all user information
    • Create, delete, and manage groups
    • Modify the membership of a group
    • Manage Group Policy links
    • Generate Resultant Set of Policy (Planning)
    • Generate Resultant Set of Policy (Logging)

Now we need to delegate the ability to unlock user accounts, which none of the wizard's preset tasks cover:

  1. Right click the OU you want to give this group permissions to, then click Delegate Control
  2. Click Add, then select the group you previously made
  3. Select Create a custom task to delegate
  4. Select Only the following objects in the folder and then click User Objects at the end of the list
  5. Select Property-specific under Show these Permissions
  6. Check Read lockoutTime and Write lockoutTime, then finish the wizard

You now have an Active Directory Admin group that can be added to your Service Desk/IT staff without exposing the vitals of your environment.
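The wizard's preset tasks have no scripted equivalent, but the custom task above is just a single property-specific ACE, and scripting it is useful when you have many OUs to delegate or want the change to be repeatable and reviewable. The following PowerShell is an added example, not code from the original post; it assumes the ActiveDirectory module (and its AD: drive) is available on the machine you run it from, and the group name and OU distinguished name are placeholders you replace with your own. The schema GUIDs for the lockoutTime attribute and the user class are looked up from the schema partition rather than hard-coded, and the last function lists what the group was actually granted on the OU so you can confirm nothing wider slipped in.

```powershell
# Added example (not from the original post): scripted equivalent of the
# "unlock user accounts" custom delegation. Assumes the ActiveDirectory module.
Import-Module ActiveDirectory

$GroupName = 'ServiceDesk-Admins'                 # placeholder: your group name
$TargetOU  = 'OU=Workstations,DC=example,DC=com'  # placeholder: your OU DN

# Resolve the schemaIDGUID of an attribute or class from the schema partition
# instead of hard-coding GUIDs.
function Get-SchemaGuid {
    param([Parameter(Mandatory)][string]$LdapDisplayName)
    $schemaNC = (Get-ADRootDSE).schemaNamingContext
    $obj = Get-ADObject -SearchBase $schemaNC -LDAPFilter "(lDAPDisplayName=$LdapDisplayName)" -Properties schemaIDGUID
    if (-not $obj) { throw "Schema object '$LdapDisplayName' not found" }
    return [guid]$obj.schemaIDGUID
}

# Steps 2-3 of the wizard route: create the security group if it is not there yet.
if (-not (Get-ADGroup -Filter "Name -eq '$GroupName'")) {
    New-ADGroup -Name $GroupName -GroupScope Global -GroupCategory Security -Path $TargetOU
}
$groupSid = (Get-ADGroup $GroupName).SID

# One ACE: Read + Write on the lockoutTime attribute, limited to descendant
# user objects (what "Only the following objects" + "Property-specific" builds).
$lockoutTimeGuid = Get-SchemaGuid 'lockoutTime'
$userClassGuid   = Get-SchemaGuid 'user'
$rights = [System.DirectoryServices.ActiveDirectoryRights]::ReadProperty -bor [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty
$ace = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $groupSid,
    $rights,
    [System.Security.AccessControl.AccessControlType]::Allow,
    $lockoutTimeGuid,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents,
    $userClassGuid)

# Apply it through the AD: PSDrive that the ActiveDirectory module provides.
$acl = Get-Acl -Path "AD:\$TargetOU"
$acl.AddAccessRule($ace)
Set-Acl -Path "AD:\$TargetOU" -AclObject $acl

# Check: list every ACE on the OU that names the delegated group, so you can
# see exactly what was granted (ObjectType should be the lockoutTime GUID,
# InheritedObjectType the user class GUID, and nothing else should appear).
function Get-DelegatedAces {
    param([string]$OU, [string]$Group)
    (Get-Acl -Path "AD:\$OU").Access |
        Where-Object { $_.IdentityReference -like "*\$Group" } |
        Select-Object IdentityReference, ActiveDirectoryRights, AccessControlType,
                      ObjectType, InheritanceType, InheritedObjectType
}
Get-DelegatedAces -OU $TargetOU -Group $GroupName
```

Run it from an account that can modify the OU's security descriptor, and keep the output of Get-DelegatedAces with your change record; re-running it later is a cheap way to spot delegation drift on the OU.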

Advanced Security

If you want to get a little more granular with your permissions, you will need to take a slightly longer route:

  1. Open Active Directory Users and Computers
  2. Right click the OU that you want to create the Security Group in, go to New, then click Group

    [Screenshot: Active Directory Create New Group]

  3. Name the group
  4. Right click the OU you want to give this group permissions to, then click Properties

    [Screenshot: Active Directory OU Properties]

  5. Go to the Security tab, then click Advanced
  6. Click Add => Select a principal, then choose the group you just made
  7. Set Type to Allow and Applies to This object and all descendant objects

    [Screenshot: Active Directory All Object Permissions]

  8. Check the following options

    1. Create User Objects
    2. Create Computer Objects
    3. Delete Computer Objects
    4. Create Group Objects
    5. Delete Group Objects
  9. Click OK
  10. Click Add => Select a principal, then choose the group you just made
  11. Set Type to Allow and Applies to Descendant Computer objects

    [Screenshot: Active Directory Permissions - Descendant Computer Objects]

  12. Check Full Control, Click OK
  13. Click Add => Select a principal, then choose the group you just made
  14. Set Type to Allow and Applies to Descendant Group objects

    [Screenshot: Active Directory Permissions - Descendant Group Objects]

  15. Check Full Control, Click OK
  16. Click Add => Select a principal, then choose the group you just made
  17. Set Type to Allow and Applies to Descendant User objects

    [Screenshot: Active Directory Permissions - Descendant User Objects]

  18. Check Full Control, Click OK
  19. Click OK, then OK again to confirm

You now have an Active Directory Admin group that can be added to your Service Desk/IT staff without exposing the vitals of your environment.
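The Advanced Security steps above produce eight ACEs on the OU: five child-object create/delete rights that apply to the object and all descendants, and three Full Control rights scoped to descendant computer, group and user objects. The PowerShell below is an added example, not code from the original post, that writes the same ACE set from a script; it assumes the ActiveDirectory module and its AD: drive, and the group name and OU distinguished name are placeholders. Class GUIDs are looked up from the schema, and the script finishes by listing the ACEs the group now holds on the OU so you can compare them against the list in steps 8 through 18.

```powershell
# Added example (not from the original post): the Advanced Security ACE set
# applied from PowerShell. Assumes the ActiveDirectory module; the group must
# already exist (see steps 1-3).
Import-Module ActiveDirectory

$GroupName = 'ServiceDesk-Admins'                 # placeholder: your group name
$TargetOU  = 'OU=Workstations,DC=example,DC=com'  # placeholder: your OU DN

# Resolve a class or attribute schemaIDGUID from the schema partition.
function Get-SchemaGuid {
    param([Parameter(Mandatory)][string]$LdapDisplayName)
    $schemaNC = (Get-ADRootDSE).schemaNamingContext
    $obj = Get-ADObject -SearchBase $schemaNC -LDAPFilter "(lDAPDisplayName=$LdapDisplayName)" -Properties schemaIDGUID
    if (-not $obj) { throw "Schema object '$LdapDisplayName' not found" }
    return [guid]$obj.schemaIDGUID
}

# One ACE builder for both shapes used below. [guid]::Empty means "no object
# type" (the right is not limited to one class or attribute) or "no inherited
# object type" (the ACE applies to every descendant class).
function New-DelegationAce {
    param(
        [System.Security.Principal.SecurityIdentifier]$Sid,
        [System.DirectoryServices.ActiveDirectoryRights]$Rights,
        [guid]$ObjectType = [guid]::Empty,
        [System.DirectoryServices.ActiveDirectorySecurityInheritance]$Inheritance,
        [guid]$InheritedObjectType = [guid]::Empty
    )
    New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
        $Sid, $Rights, [System.Security.AccessControl.AccessControlType]::Allow,
        $ObjectType, $Inheritance, $InheritedObjectType)
}

$sid      = (Get-ADGroup $GroupName).SID
$user     = Get-SchemaGuid 'user'
$computer = Get-SchemaGuid 'computer'
$group    = Get-SchemaGuid 'group'
$All  = [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All
$Desc = [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents

$aces = @(
    # Steps 7-9: "This object and all descendant objects", create/delete child objects
    New-DelegationAce -Sid $sid -Rights CreateChild -ObjectType $user     -Inheritance $All
    New-DelegationAce -Sid $sid -Rights CreateChild -ObjectType $computer -Inheritance $All
    New-DelegationAce -Sid $sid -Rights DeleteChild -ObjectType $computer -Inheritance $All
    New-DelegationAce -Sid $sid -Rights CreateChild -ObjectType $group    -Inheritance $All
    New-DelegationAce -Sid $sid -Rights DeleteChild -ObjectType $group    -Inheritance $All
    # Steps 10-18: Full Control on descendant computer, group and user objects
    New-DelegationAce -Sid $sid -Rights GenericAll -Inheritance $Desc -InheritedObjectType $computer
    New-DelegationAce -Sid $sid -Rights GenericAll -Inheritance $Desc -InheritedObjectType $group
    New-DelegationAce -Sid $sid -Rights GenericAll -Inheritance $Desc -InheritedObjectType $user
)

$acl = Get-Acl -Path "AD:\$TargetOU"
foreach ($ace in $aces) { $acl.AddAccessRule($ace) }
Set-Acl -Path "AD:\$TargetOU" -AclObject $acl

# Check what actually landed: every ACE on the OU held by the delegated group.
# Expect eight rows; GenericAll rows should each carry an InheritedObjectType.
(Get-Acl -Path "AD:\$TargetOU").Access |
    Where-Object { $_.IdentityReference -like "*\$GroupName" } |
    Format-Table IdentityReference, ActiveDirectoryRights, InheritanceType, ObjectType, InheritedObjectType -AutoSize
```

Full Control on descendant user and group objects means the group can change any attribute, including passwords and membership, of every user and group that ever lands under that OU, which is the point of the delegation but also why the OU you choose should contain only the accounts and groups the Service Desk is meant to manage; privileged accounts and groups belong outside it.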
