To delegate the ability to enable and disable user accounts in Active Directory:

  1. Launch Active Directory Users and Computers with administrative credentials
  2. Right click on the OU where you want to delegate the ability to enable and disable user accounts
  3. Select the Active Directory security group that you want to delegate the ability to and press Next
  4. Select Create Custom Task to Delegate and press Next
  5. Under Delegate Control Of select the Only the following objects in the folder radio button
  6. Select the User objects check box and press Next
  7. Under Show these permissions uncheck General and select Property-specific
  8. Select the Read userAccountControl and Write userAccountControl checkboxes and press Next and Finish

Howto: Delegate the Enable/Disable Accounts Permission in Active Directory image 1

Table of Contents

    You’ve now delegated the ability to enable and disable AD user accounts to a security group.

    Additional References

    http://support.microsoft.com/kb/305144
    http://briandesmond.com/blog/delegating-enable-disable-account-rights-in-active-directory/

    Leave a Reply

    Your email address will not be published. Required fields are marked *