Delegation of Control

Marko

Hi guys,
I wanted to delegate some control to junior system admins
in my AD structure. I entered the delegation of control
wizard and gave my junior admins the ability to reset
passwords. However, to my dismay, they were also able to
delete users. What I really wanted was the ability for
them to reset passwords and unlock user accounts. Can
anyone give me some help as to how to perform the desired
goal?
Thanks,
Marko
 
Hi Marko-

For the reset account option, go through the delegation of control wizard
for your OU and select your OU Admins group (or whatever you are delegating
to), then in the next screen select "Create a custom task to delegate".

In the next screen, choose the radio button for "Only the following objects
in the folder", then put a check mark next to User objects, then click next.

In the Permissions screen, put checks next to "change password", "reset
password", and the "read and write account restrictions" permissions. Then
click next to finish.

For the other question(s), here's a KB or two:

294952 How To Delegate the Unlock Account Right
http://support.microsoft.com/?id=294952

229873 Delegate Control Wizard Cannot Be Used to Remove Groups or Users
http://support.microsoft.com/?id=229873
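
To confirm that a delegation like the one in this thread grants only password reset and unlock, the group's ACEs on the OU can be classified in PowerShell. This is an added example, not part of the original thread: the group name, OU path and sample ACEs are constructed, and the GUIDs are the standard schema identifiers for the rights listed.

```powershell
# Added example: classify the ACEs one delegated group holds on an OU.
Add-Type -AssemblyName System.DirectoryServices

# Schema GUIDs for the rights named in the reply, plus lockoutTime,
# the attribute that unlocking an account writes.
$Expected = @{
    '00299570-246d-11d0-a768-00aa006e0529' = 'Reset Password'
    'ab721a53-1e2f-11d0-9819-00aa0040529b' = 'Change Password'
    '4c164200-20c0-11d0-a768-00aa006e0529' = 'Account Restrictions'
    '28630ebf-41d5-11d1-a9c1-0000f80367c1' = 'lockoutTime'
}
# Any of these bits lets the group delete objects or rewrite the ACL.
# GenericAll (Full Control) contains all of them, so it is caught too.
$Dangerous = [System.DirectoryServices.ActiveDirectoryRights]'Delete, DeleteChild, DeleteTree, WriteDacl, WriteOwner'

function Test-DelegationAce {
    param(
        [Parameter(Mandatory, ValueFromPipeline)] $Ace,
        [Parameter(Mandatory)] [string] $Group
    )
    process {
        # Only Allow ACEs for the delegated group are of interest.
        if ("$($Ace.IdentityReference)" -ne $Group) { return }
        if ("$($Ace.AccessControlType)" -ne 'Allow') { return }
        $rights = [System.DirectoryServices.ActiveDirectoryRights]$Ace.ActiveDirectoryRights
        $guid   = "$($Ace.ObjectType)".ToLower()
        $verdict = if (([int]$rights -band [int]$Dangerous) -ne 0) {
            'EXCESSIVE'
        } elseif ($Expected.ContainsKey($guid)) {
            'expected'
        } else { 'review' }
        [pscustomobject]@{ Verdict = $verdict; Rights = $rights; Target = $Expected[$guid] }
    }
}

# Constructed sample ACEs (group name and entries are made up for the demo).
$sample = @(
    [pscustomobject]@{ IdentityReference = 'CORP\OU Admins'; AccessControlType = 'Allow'; ActiveDirectoryRights = 'ExtendedRight'; ObjectType = '00299570-246d-11d0-a768-00aa006e0529' }
    [pscustomobject]@{ IdentityReference = 'CORP\OU Admins'; AccessControlType = 'Allow'; ActiveDirectoryRights = 'ReadProperty, WriteProperty'; ObjectType = '28630ebf-41d5-11d1-a9c1-0000f80367c1' }
    [pscustomobject]@{ IdentityReference = 'CORP\OU Admins'; AccessControlType = 'Allow'; ActiveDirectoryRights = 'CreateChild, DeleteChild'; ObjectType = 'bf967aba-0de6-11d0-a285-00aa003049e2' }
)
$sample | Test-DelegationAce -Group 'CORP\OU Admins' | Format-Table -AutoSize

# Live data instead (needs the ActiveDirectory module; OU path is a placeholder):
# (Get-Acl 'AD:\OU=Staff,DC=example,DC=com').Access | Test-DelegationAce -Group 'CORP\OU Admins'
```

Rows marked EXCESSIVE are the ones that would let the group delete users; rows marked review are grants outside the four expected rights.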
 