Delegate Control is used to give the help desk the rights to perform tasks such as creating a new user, resetting a password, or adding a computer or server to the domain. A domain administrator is otherwise required to perform all operations and tasks related to the domain and Active Directory. The Domain Admins group manages all of these tasks 24*7*365.
Steps to delegate control in Windows
These steps create a group of users who are given rights to manage user accounts. Delegated access is given to a group rather than to an individual. The steps involved in this process are:
- First, open Active Directory Users and Computers. Then right-click the organizational unit (Sales) on which control is to be delegated. Click “New” and then click Group to create a new group.
- The New Object console opens. Enter the group name, then select the Global and Security options from the given options respectively. After that, click OK.
- Right-click the group that was created and click Properties so that the group settings can be modified.
- When the group properties console opens, click Add under the Members section so that a new user can be added. Verify the added user.
- Right-click the organizational unit (Sales), then click Delegate Control to delegate the customized permissions to the user or group of users. The delegated access applies to this organizational unit (Sales) only, not to others.
- The “Delegation of Control Wizard” window opens, where we can grant permission to manage users, computers, groups, and OUs. Click Next to continue.
- In the Users or Groups console, click Add to add the group, then click Next to continue.
- The Tasks to Delegate console opens. Select “Delegate the following common tasks”, or select “Create a custom task to delegate” to give the user custom permissions other than the ones listed above.
- The “Completing the Delegation of Control Wizard” console opens so that the previously selected options can be verified. After verifying them, click Finish to close the console.
Once the group is created, it is time to set up the Active Directory Domain Services role on the Windows 8.1 client. The steps involved in this setup are:
- On the Windows 8.1 operating system, the Active Directory Users and Computers icon appears in the Start menu under Administrative Tools. Click the icon to open the console.
- With this console, the user can perform only the operations that we have delegated to the group. To check whether the permissions were delegated successfully, create a new user in the organizational unit (Sales). Right-click the organizational unit (Sales), click New, and then click User to create a new user.
- The New Object - User console opens. Enter details such as First name, Last name, and User logon name for the new user, then click Next.
- Enter and confirm the password for the new user and select the options as required. Click Next, verify all settings in the next console, and click Finish.
After setup, the new user or group has all the rights to reset user account passwords, delete user accounts, and perform other similar operations.
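One way to confirm from PowerShell what the delegation actually granted on the OU, as an added example that is not part of the original page. It assumes the RSAT ActiveDirectory module is installed; the domain `example.com` and the group name `HelpDesk-Sales` are placeholders.

```powershell
# Added example: list the ACEs a delegated group holds on one OU.
# Assumed values (not from the original page): domain DN and group name.
Import-Module ActiveDirectory

$OuDn      = 'OU=Sales,DC=example,DC=com'   # placeholder domain
$GroupName = 'HelpDesk-Sales'               # hypothetical delegated group

# Build a GUID -> name map from the schema and the Extended-Rights container
# so that ACE ObjectType GUIDs can be shown as readable names.
$rootDse = Get-ADRootDSE
$guidMap = @{}
$guidMap[[guid]::Empty] = 'All'
Get-ADObject -SearchBase $rootDse.schemaNamingContext `
    -LDAPFilter '(schemaIDGUID=*)' -Properties lDAPDisplayName, schemaIDGUID |
    ForEach-Object { $guidMap[[guid]$_.schemaIDGUID] = $_.lDAPDisplayName }
Get-ADObject -SearchBase "CN=Extended-Rights,$($rootDse.configurationNamingContext)" `
    -LDAPFilter '(objectClass=controlAccessRight)' -Properties name, rightsGuid |
    ForEach-Object { $guidMap[[guid]$_.rightsGuid] = $_.name }

# Rights worth a second look: full control, or the ability to change
# permissions or ownership on objects in the OU.
$broad = 'GenericAll', 'WriteDacl', 'WriteOwner'

# Read the OU's DACL and keep only the entries for the delegated group.
$aces = (Get-Acl -Path "AD:\$OuDn").Access |
    Where-Object { $_.IdentityReference.Value -like "*\$GroupName" }

$report = foreach ($ace in $aces) {
    $rights = $ace.ActiveDirectoryRights.ToString()
    [pscustomobject]@{
        Type      = $ace.AccessControlType
        Rights    = $rights
        Object    = $guidMap[$ace.ObjectType]           # attribute / right / class
        AppliesTo = $guidMap[$ace.InheritedObjectType]  # class the ACE is scoped to
        Scope     = $ace.InheritanceType
        Inherited = $ace.IsInherited                    # True = set on a parent, not this OU
        Review    = [bool]($broad | Where-Object { $rights -match $_ })
    }
}

if (-not $aces) { Write-Warning "No ACEs found for $GroupName on $OuDn" }
$report | Format-Table -AutoSize
```

Rows with `Inherited` set to True come from a parent container rather than from the delegation on this OU, and rows with `Review` set to True are the ones to compare against the tasks you meant to delegate.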
Troubleshooting steps for Delegate Control
- If you face any problem while resetting a password or performing any other task, create a security group and add three users. These three users should be selected from those who have previously been deemed trusted to reset user passwords.
- Follow the standard Microsoft practice for password reset delegation on a specific organizational unit (OU) in Active Directory: right-click the organizational unit and click Delegate Control to launch the Delegation of Control Wizard.
- When the wizard opens, add the group and select the "Reset user passwords and force password change at next logon" common task.
- Download and install Remote Server Administration Tools on the client workstation.
- After installing, add the Active Directory role administration feature on the client workstation.
- Perform a test to make sure that the user can actually reset a password or perform other tasks by logging in on the delegated admin’s workstation.
These are the troubleshooting steps to follow when a problem occurs, such as with resetting a password or checking an account.
Delegated control enables a set of users to perform tasks that are normally done by a Domain Admin. The delegated rights are restricted to the organizational unit on which they are delegated.