With Active Directory Domain Services (AD DS) you can delegate administrative tasks on a specific OU to users or groups. For example, if you want one group to have delegated control to create/delete/manage accounts in your OU, while another group has delegated control to create/delete/manage groups, this is possible with Delegate Control.

The best practice is to apply Delegate Control to a security group rather than to individual users. You create a security group and delegate the common tasks to it; the users in this group then receive the delegated permissions. If other users later need the same permissions, you add them to the security group.

If you’ve already created your security group, here is how you can apply Delegate Control to it.

How To Use Delegate Control In Active Directory

1. Open Active Directory Users and Computers by running the dsa.msc command.

2. In the Active Directory Users and Computers window, expand your domain, right-click either Users or the OU where you want to delegate permissions, and select the Delegate Control option.

3. In the Delegation of Control Wizard window, click Next. You’ll then be asked to add the users or groups you want to delegate control to. Click the Add button and locate the required users/groups.

4. As you can see in the screenshot below, we’ve added the security group to delegate control to, so we’ll now hit Next.

5. Then we need to select some of the common tasks to delegate. If the task you want isn’t listed, use the Create a custom task to delegate option.

6. Finally, click the Finish button to complete the Delegation of Control Wizard. The delegated tasks you selected should now be applied to the selected groups/users.

You can now exit the Active Directory Users and Computers window, if you like.

That’s it!
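To confirm what the wizard actually granted, you can list the explicit permission entries it wrote on the OU. The following PowerShell is an added example, not part of the original walkthrough; the OU distinguished name and group name are placeholder assumptions, and it needs the ActiveDirectory module from RSAT.

```powershell
# Added example: show the explicit ACEs a delegation left on an OU.
# Requires the ActiveDirectory module (RSAT), which provides the AD: drive.
Import-Module ActiveDirectory

# Placeholder values (assumptions): replace with your OU and security group.
$OuDn      = 'OU=Sales,DC=example,DC=com'
$GroupName = 'EXAMPLE\Sales-AccountAdmins'

# Map schema and extended-right GUIDs to readable names.
$rootDse = Get-ADRootDSE
$guidMap = @{}
Get-ADObject -SearchBase $rootDse.schemaNamingContext `
    -LDAPFilter '(schemaIDGUID=*)' -Properties lDAPDisplayName, schemaIDGUID |
    ForEach-Object { $guidMap[[guid]$_.schemaIDGUID] = $_.lDAPDisplayName }
Get-ADObject -SearchBase "CN=Extended-Rights,$($rootDse.configurationNamingContext)" `
    -LDAPFilter '(objectClass=controlAccessRight)' -Properties name, rightsGuid |
    ForEach-Object { $guidMap[[guid]$_.rightsGuid] = $_.name }

# Turn an ACE GUID into a name; an empty GUID means "applies to everything".
function Resolve-AceGuid([guid]$Guid) {
    if ($Guid -eq [guid]::Empty) { return '(all)' }
    if ($guidMap.ContainsKey($Guid)) { return $guidMap[$Guid] }
    return $Guid.ToString()
}

# Explicit (non-inherited) ACEs on the OU for the delegated group.
(Get-Acl -Path "AD:\$OuDn").Access |
    Where-Object { -not $_.IsInherited -and $_.IdentityReference.Value -eq $GroupName } |
    Select-Object AccessControlType, ActiveDirectoryRights,
        @{ Name = 'ObjectType';          Expression = { Resolve-AceGuid $_.ObjectType } },
        @{ Name = 'InheritedObjectType'; Expression = { Resolve-AceGuid $_.InheritedObjectType } },
        InheritanceType |
    Format-Table -AutoSize -Wrap
```

Each row is one permission entry: ObjectType names the object class, attribute or extended right the entry covers, and InheritedObjectType names the child object class it applies to.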

Related: How To Remove Delegate Control In Active Directory.
