To delegate the ability to enable and disable user accounts in Active Directory:

  1. Launch Active Directory Users and Computers with administrative credentials
  2. Right click on the OU where you want to delegate the ability to enable and disable user accounts
  3. Select the Active Directory security group that you want to delegate the ability to and press Next
  4. Select Create Custom Task to Delegate and press Next
  5. Under Delegate Control Of select the Only the following objects in the folder radio button
  6. Select the User objects check box and press Next
  7. Under Show these permissions uncheck General and select Property-specific
  8. Select the Read userAccountControl and Write userAccountControl checkboxes and press Next and Finish

Howto: Delegate the Enable/Disable Accounts Permission in Active Directory image 1

Table of Contents

    You’ve now delegated the ability to enable and disable AD user accounts to a security group.

    Additional References

    http://support.microsoft.com/kb/305144
    http://briandesmond.com/blog/delegating-enable-disable-account-rights-in-active-directory/

    Founder of The Back Room Tech and managing editor. He began blogging in 2007 and quit his job in 2010 to blog full-time. He has over 15 years of industry experience in IT and holds several technical certifications. Read Aseem's Full Bio

    HowTo: Automatically Remove Files Older Than ‘X’ Days
    How to Expand VMware ESXi Datastore Capacity
    Network Card configuration Missing after P2V using VMware Converter
    Microsoft Active Directory Topology Diagrammer