Delegate permissions to one account to create, modify, delete in an OU
1. Prepare
- DC12 : Terminal Server
2. Step by step : Allow HiepIT to create, modify, delete in HR OU
- DC11 : Allow HiepIT to connect remotely to the Domain Controller and to create, modify, delete in HR OU
+ Turn off Firewall and enable remote desktop
+ Double-click "Remote Desktop Users" - Members tab - Add... : HiepIT
+ Double-click "Server Operators" - Members tab - Add... : HiepIT (or add to one of these groups : Account Operators, Backup Operators, Print Operators)
- Windows Settings - Security Settings - Local Policies - User Rights Assignment - Allow log on through Remote Desktop Services :
+ Tick "Define these policy settings"
+ Click "Add User or Group..." - Browse... : Administrators;HiepIT - OK
+ Start - cmd - gpupdate /force
+ Active Directory Users and Computers - Right-click HR OU - Delegate Control... :
+ Users or Groups : Add... : HiepIT - Tasks to Delegate : Choose "Delegate the following common tasks" : Tick all (or only the ones you want) - Finish
- DC12 : Connect remotely to DC11 as HiepIT and test creating an account
+ Right-click IT OU - New - User - Create Test account === Access is denied = no permission
+ Right-click HR OU - New - User - Create Test account === OK ^^
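
A check to run after the last step, as an added example that is not part of the original description: it lists the ACEs that Delegate Control wrote for HiepIT on the HR and IT OUs, and the built-in groups the account belongs to. The domain DN DC=example,DC=local is a placeholder (the page does not name the domain), and the ActiveDirectory PowerShell module (RSAT) is assumed.

```powershell
# Added example (not from the original page): audit the result of the delegation.
# Assumes the RSAT ActiveDirectory module; $DomainDN is a placeholder value.
Import-Module ActiveDirectory

$Delegate = 'HiepIT'                  # account used in the walkthrough
$DomainDN = 'DC=example,DC=local'     # placeholder: replace with your domain DN
$OUs      = "OU=HR,$DomainDN", "OU=IT,$DomainDN"
$sid      = (Get-ADUser -Identity $Delegate).SID.Value
$sidType  = [System.Security.Principal.SecurityIdentifier]
$root     = Get-ADRootDSE

# Map schema and extended-right GUIDs to names so the ACEs are readable.
$guidMap = @{ '00000000-0000-0000-0000-000000000000' = 'All' }
Get-ADObject -SearchBase $root.schemaNamingContext -LDAPFilter '(schemaIDGUID=*)' -Properties lDAPDisplayName, schemaIDGUID |
    ForEach-Object { $guidMap[([guid]$_.schemaIDGUID).ToString()] = $_.lDAPDisplayName }
Get-ADObject -SearchBase "CN=Extended-Rights,$($root.configurationNamingContext)" -LDAPFilter '(rightsGuid=*)' -Properties name, rightsGuid |
    ForEach-Object { $guidMap[([guid]$_.rightsGuid).ToString()] = $_.name }

# 1. ACEs granted directly to the account on each OU.
#    After the walkthrough, HR should list entries and IT should list none.
$aces = foreach ($ou in $OUs) {
    (Get-Acl -Path "AD:\$ou").GetAccessRules($true, $true, $sidType) |
        Where-Object { $_.IdentityReference.Value -eq $sid } |
        ForEach-Object {
            [pscustomobject]@{
                OU        = $ou
                Type      = $_.AccessControlType
                Rights    = $_.ActiveDirectoryRights
                Object    = $guidMap[$_.ObjectType.ToString()]
                AppliesTo = $guidMap[$_.InheritedObjectType.ToString()]
                Inherited = $_.IsInherited
            }
        }
}
$aces | Format-Table -AutoSize

# 2. Built-in groups named in the walkthrough. Rights that come from these
#    groups are not scoped to the HR OU, so list them next to the OU ACEs.
$builtin = @{
    'S-1-5-32-544' = 'Administrators';   'S-1-5-32-548' = 'Account Operators'
    'S-1-5-32-549' = 'Server Operators'; 'S-1-5-32-550' = 'Print Operators'
    'S-1-5-32-551' = 'Backup Operators'; 'S-1-5-32-555' = 'Remote Desktop Users'
}
Get-ADPrincipalGroupMembership -Identity $Delegate |
    Where-Object { $builtin.ContainsKey($_.SID.Value) } |
    Select-Object Name, @{ n = 'SID'; e = { $_.SID.Value } }
```

Only ACEs whose trustee is the account itself are listed; rights reaching HiepIT through a group appear in the second part as a membership, not as an OU entry.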