Active Directory delegation: Password Reset and Account Unlock
Windows Active Directory delegation is crucial for any organization's IT infrastructure because it provides a way for you to securely delegate management operations to technicians while ensuring they have the least privileges required to carry out their tasks. ADManager Plus' delegation feature is granular yet extensive, allowing you to delegate permissions for specific domains or even specific OUs. You can create customized delegation roles based on the tasks for which you want to delegate permissions. So, if you are wondering how to delegate password reset and account unlock permissions in AD securely, look no further than ADManager Plus.
Delegating password reset permissions
On average, one third of all IT help desk calls are attributed to password resets. When these calls happen over and over, productivity is affected for both employees and IT administrators.
A solution that would benefit both parties would be to delegate password reset in Active Directory to a help desk technician. ADManager Plus lets you:
- Delegate permissions for password reset tasks across the required domains in a forest to the same technician.
- Keep track of the password resets being performed by technicians with information like status, timestamps, and more.
- Use custom roles to delegate role-based access to technicians so they can perform only the required tasks. The technicians will not be able to access any of the other AD management features.
Steps to delegate password reset permissions to help desk technicians with ADManager Plus
- Log on to ADManager Plus.
- Navigate to Delegation → Help Desk Technician → Add New Technician.
- Select the Domain and the OUs for which you wish to delegate password reset permissions.
- Select the users or groups to which you wish to delegate the password reset permission by clicking the Browse button.
- Choose Reset Password in the Select Help Desk Roles section.
- In the Select OUs section, choose the OUs in which the technician is allowed to perform password resets.
- Select the Impersonate as Admin option if you wish to assign administrator permissions to the technicians being created.
- Click Save.
Delegating unlock user account permissions
Most organizations have an account lockout policy in place to prevent brute force attacks. An account lockout policy renders an account inaccessible for a specified period after a specified number of incorrect password attempts. When this happens, the user cannot access the account until an IT administrator unlocks it.
As users tend to forget or mistype their passwords often, account lockouts are a common occurrence in many organizations. This means account lockouts make up a major chunk of IT help desk calls. ADManager Plus can help you delegate permissions for unlocking AD user accounts by:
- Enabling technicians to perform different sets of tasks in different OUs. For example, a technician can reset passwords in OU1, unlock user accounts in OU2, create and modify groups in OU3, etc.
- Delegating permissions to technicians for unlocking user accounts across multiple domains.
- Allowing you to create your own custom roles for delegating password reset permissions suited to your organization. For example, you can create a role that will allow the technician to unlock user accounts, enable/disable computer accounts, and enable Exchange mailboxes that are disabled.
Steps to delegate unlock user account permissions to help desk technicians with ADManager Plus
- Log on to ADManager Plus.
- Navigate to Delegation → Help Desk Technician → Add New Technician.
- Select the domain and the OUs for which you wish to delegate unlock user account permissions.
- Select the users or groups to which you wish to delegate the unlock user account permission by clicking the Browse button.
- Choose Unlock Users in the Select Help Desk Roles section.
- In the Select OUs section, choose the OUs in which the technician is allowed to unlock user accounts.
- Select the Impersonate as Admin option if you wish to assign administrator permissions to the technician being created.
- Click Save.
Key highlights of ADManager Plus' delegation feature
- Secure and non-invasive delegation model: The rights or privileges assigned to technicians are purely at the product level, and their actual privileges in Active Directory remain untouched.
- Customizable roles: A variety of roles can be created to give technicians the ability to perform different tasks (for example: reset passwords, move users, generate group reports, etc.).
- Role-based/profile-based delegation of tasks to help desk technicians: Only the modules or features assigned to technicians will be visible to them.
- OU-specific administration: Enable technicians to perform different sets of tasks in different OUs.
- Cross-domain/multi-domain delegation: Allow technicians to perform the designated tasks in multiple domains.
- Audit reports: Get a trail of all the actions that a help desk technician has performed and all the actions that have been performed on a technician or role.
If you would like to learn more about delegating permissions with ADManager Plus, you can find help here.
Delegate AD password reset and account unlock activities to non-admin users securely with ADManager Plus.
FAQs
1. How do I delegate control in Active Directory?
Active Directory delegation is the assignment of particular administrative responsibilities to other users or groups in Active Directory. It lets those users or groups carry out specific actions in the Active Directory domain without being granted full administrative privileges.
For example, a manager can be granted the ability to reset the passwords for their direct reports. This distributes administrative tasks and ensures appropriate individuals perform them, simplifying AD management.
2. How do I check delegation rights in Active Directory?
Follow these steps to view the delegation rights:
- In the Active Directory Users and Computers console, open the View menu and make sure Advanced Features is ticked.
- Right-click an OU and select Properties.
- Open the Security tab (and Advanced, for the full access control list) to view the delegated permissions.
You can check the delegation reports in ADManager Plus by following these steps:
- Click the Delegation tab.
- Click the Technicians Report link located under Help Desk Reports.
- Select the desired technician from the list or use the Search Technician option to locate the technician.
- Alternatively, use filters to specify the criteria for generating the report: click the filter icon to the left of Add/Remove Columns and specify the desired criteria.
3. What are the Active Directory delegation best practices?
AD delegation best practices are as follows:
- Successful delegation requires proper design and implementation of OUs with correct object placement.
- Avoid built-in groups as they have domain-wide privileges, and instead make new groups specifically for delegation.
- Check for suspicious activity in your environment that could indicate misuse of delegated rights, such as elevating privileges, accessing sensitive data, or altering security settings.
- Establish a hierarchy using nested OUs that delegates control over data types to varying levels of administrators, with those higher up having more privileges over those in lower sub-OUs.
- Regularly conduct audits to determine who has been granted administrative privileges at varying levels in AD.
- Consider switching to a PAM strategy with just-in-time access to avoid abuse of standing access rights, improve control, and reduce your attack surface.
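To check delegated rights on an OU as described in FAQ 2, and for the regular audit of granted privileges recommended in FAQ 3, here is an added PowerShell example (not part of ADManager Plus or this page). It lists which principals hold the Reset Password extended right or write access to the lockoutTime attribute (the right needed to unlock an account) on a given OU, and flags unscoped ACEs that cover those operations and much more. It assumes the RSAT ActiveDirectory module is installed; the OU distinguished name is a placeholder.

```powershell
# Added example: enumerate ACEs on an OU that allow password reset or account unlock.
# Assumes the RSAT ActiveDirectory module (provides the AD: drive) and read access to the OU.
param(
    # Placeholder value; replace with the OU you are auditing.
    [string] $OUDistinguishedName = 'OU=Placeholder,DC=example,DC=com'
)
Import-Module ActiveDirectory

$root = Get-ADRootDSE

# Resolve both GUIDs from the directory rather than hard-coding them:
#  - "Reset Password" is a control access right (extended right) in the Extended-Rights container
#  - unlocking an account means writing the lockoutTime attribute, identified by its schemaIDGUID
$resetRight = Get-ADObject -SearchBase "CN=Extended-Rights,$($root.configurationNamingContext)" `
    -LDAPFilter '(&(objectClass=controlAccessRight)(displayName=Reset Password))' -Properties rightsGuid
$lockoutAttr = Get-ADObject -SearchBase $root.schemaNamingContext `
    -LDAPFilter '(lDAPDisplayName=lockoutTime)' -Properties schemaIDGUID
$resetGuid  = [guid]$resetRight.rightsGuid
$unlockGuid = [guid]$lockoutAttr.schemaIDGUID   # schemaIDGUID is stored as a byte array

$rights = [System.DirectoryServices.ActiveDirectoryRights]
$acl = Get-Acl -Path "AD:\$OUDistinguishedName"

foreach ($ace in $acl.Access) {
    if ($ace.AccessControlType -ne 'Allow') { continue }
    $grants = @()
    if ($ace.ActiveDirectoryRights.HasFlag($rights::ExtendedRight) -and $ace.ObjectType -eq $resetGuid) {
        $grants += 'ResetPassword'
    }
    if ($ace.ActiveDirectoryRights.HasFlag($rights::WriteProperty) -and $ace.ObjectType -eq $unlockGuid) {
        $grants += 'Unlock (write lockoutTime)'
    }
    # An ACE with an empty ObjectType is not scoped to one right or attribute: GenericAll, GenericWrite,
    # or an unscoped ExtendedRight/WriteProperty cover both operations and far more, so flag them.
    if ($ace.ObjectType -eq [guid]::Empty -and
        ($ace.ActiveDirectoryRights.HasFlag($rights::GenericAll) -or $ace.ActiveDirectoryRights.HasFlag($rights::GenericWrite) -or
         $ace.ActiveDirectoryRights.HasFlag($rights::ExtendedRight) -or $ace.ActiveDirectoryRights.HasFlag($rights::WriteProperty))) {
        $grants += 'Broad (unscoped)'
    }
    if ($grants.Count -gt 0) {
        [pscustomobject]@{
            Identity  = $ace.IdentityReference.Value
            Grants    = $grants -join ', '
            Inherited = $ace.IsInherited
            AppliesTo = $ace.InheritedObjectType   # empty GUID = all object classes; otherwise only that class
        }
    }
}
```

Run it against each OU where help desk roles are delegated and compare the output with the intended technician list; a "Broad (unscoped)" entry for a help desk group means the delegation grants far more than reset and unlock.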