Howto: Delegate the enable/disable accounts permission in Active Directory

July 1, 2009 — Julie

To delegate the ability to enable and disable user accounts in Active Directory:

  1. Launch Active Directory Users and Computers with adminsitrative credentials
  2. Right click on the OU where you want to delegate the ability to enable and disable user accounts
  3. Select the Active Directory security group that you want to delegate the ability to and press Next
  4. Select Create Custom Task to Delegate and press Next
  5. Under Delegate Control Of select the Only the following objects in the folder radio button
  6. Select the User objects check box and press Next
  7. Under Show these permissions uncheck General and select Property-specific
  8. Select the Read userAccountControl and Write userAccountControl check boxes and press Next and Finish
 
You’ve now delegated the ability to enable and disable AD user accounts to a security group.
 
Additional References
 
Posted in Windows. Tags: , , , , , , , , , , , . Leave a Comment »

Leave a Reply

«

»