Howto: Delegate the enable/disable accounts permission in Active Directory

To delegate the ability to enable and disable user accounts in Active Directory:

  1. Launch Active Directory Users and Computers with adminsitrative credentials
  2. Right click on the OU where you want to delegate the ability to enable and disable user accounts
  3. Select the Active Directory security group that you want to delegate the ability to and press Next
  4. Select Create Custom Task to Delegate and press Next
  5. Under Delegate Control Of select the Only the following objects in the folder radio button
  6. Select the User objects check box and press Next
  7. Under Show these permissions uncheck General and select Property-specific
  8. Select the Read userAccountControl and Write userAccountControl check boxes and press Next and Finish
 
You’ve now delegated the ability to enable and disable AD user accounts to a security group.
 
Additional References
 

Comments [2]

  1. Hi,
    I think that some things have been forgotten between task 2. and 3.?
    What to select from right click (2.) and where to add the group you want to delegate (3.)

    1. (step 2) Select “Delegate Control…” from the right click. steps 3-8 are the “Delegation of Control” wizard

Leave a Reply

Your email address will not be published. Required fields are marked *