I needed to delegate permissions to helpdesk (besides making them domain admins) to create and modify users, and modify group membership. This is slightly different from some of the built in permission groups, since we didn’t want helpdesk to delete users. Permissions are delegated at the OU level, and remember that permissions are pushed down and inherited.
This is what I used to delegate these permissions:
- Right click the OU, and select “Delegate Control” and click “Next”
- Add your Security Group (I called mine Delegated Helpdesk)
- Click “Modify the membership of a group”, then “Next” and “Finish”
- First section done!
- Go through steps 1 and 2 again
- Select the button “Create a custom task to delegate” and click “Next”
- Select the button “Only the following objects in the folder:” and select “User objects”
- Click “Create selected objects in this folder” and click “Next”
- Click the following permissions:
- Read All Properties
- Write All Properties
- Read and write general information
- Read and write logon information
- Read and write phone and mail options
- Read and write web information
- Change password
- Reset password
- Click “Next” and then “Finish”
- You are now finished. Users in the “Delegated Helpdesk” group should be able to create and modify users, and group membership
If you ever need to revert your changes, click on Properties–>Security (requires advanced view) for the OU, and remove the permissions.
DANIEL KUCHENSKI 