Delegate Control on Active Directory
Set up the delegated control on Active Directory
You can set up the delegated controls (manage user or group) under a specific OU for the service account.
Manage user
By following the steps below, you grant the service account permission to manage user accounts under a specific OU. If the service account tries to manage an account in another OU that does not have the delegated control, the operation will fail with "insufficient access rights".
- Right-click the OU whose users you want the service account to manage, and click "Delegate Control".
- In the Delegation of Control Wizard window, add the service account and click "Next".
- Select the option "Create, delete and manage user accounts", and then click "Next".
- Click "Finish" in the summary window.
Manage security group
By following the steps below, you grant the service account permission to manage the membership of security groups under a specific OU. If the service account tries to manage the membership of a security group in another OU that does not have the delegated control, the operation will fail with "insufficient access rights".
- Right-click the OU whose users you want the service account to manage, and click "Delegate Control".
- In the Delegation of Control Wizard window, add the service account and click "Next".
- Select the option "Create, delete and manage user accounts", and then click "Next".
- Click "Finish" in the summary window.
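After running the wizard, it is worth checking what was actually written to the OU's ACL rather than trusting the summary window, since a wrong option or a wrong OU is easy to miss and grants more than intended. The following PowerShell script is an added example, not part of the original page; it assumes the RSAT ActiveDirectory module is installed, and the OU distinguished name and the service account name are placeholders you replace with your own. It lists only the explicit (non-inherited) ACEs the service account holds on that OU and translates the object GUIDs into schema or extended-right names.

```powershell
# Added example (not from the original page): audit the explicit ACEs a service
# account holds on an OU after delegation. Requires the RSAT ActiveDirectory module.
Import-Module ActiveDirectory

$OuDn           = 'OU=Workstations,DC=corp,DC=example'   # placeholder OU, replace
$ServiceAccount = 'CORP\svc-idm'                         # placeholder account, replace

# Build a GUID -> name map for schema classes/attributes and extended rights so that
# the ObjectType / InheritedObjectType GUIDs in each ACE become readable.
$rootDse = Get-ADRootDSE
$guidMap = @{}
Get-ADObject -SearchBase $rootDse.schemaNamingContext -LDAPFilter '(schemaIDGUID=*)' `
    -Properties name, schemaIDGUID |
    ForEach-Object { $guidMap[[guid]$_.schemaIDGUID] = $_.name }
Get-ADObject -SearchBase "CN=Extended-Rights,$($rootDse.configurationNamingContext)" `
    -LDAPFilter '(objectClass=controlAccessRight)' -Properties name, rightsGuid |
    ForEach-Object { $guidMap[[guid]$_.rightsGuid] = $_.name }

function Resolve-AdGuid([guid]$Guid) {
    # The empty GUID means the ACE applies to all object types / attributes.
    if ($Guid -eq [guid]::Empty)      { return 'All' }
    if ($guidMap.ContainsKey($Guid))  { return $guidMap[$Guid] }
    return $Guid.ToString()
}

# Read the OU's security descriptor through the AD: drive and keep only the
# explicit entries granted to the service account.
$acl = Get-Acl -Path "AD:\$OuDn"
$acl.Access |
    Where-Object { -not $_.IsInherited -and $_.IdentityReference.Value -eq $ServiceAccount } |
    Select-Object @{n = 'Type';        e = { $_.AccessControlType }},
                  @{n = 'Rights';      e = { $_.ActiveDirectoryRights }},
                  @{n = 'AppliesTo';   e = { Resolve-AdGuid $_.ObjectType }},
                  @{n = 'ChildClass';  e = { Resolve-AdGuid $_.InheritedObjectType }},
                  @{n = 'Inheritance'; e = { $_.InheritanceType }} |
    Format-Table -AutoSize
```

For the "Create, delete and manage user accounts" option you should see entries limited to the "user" class (create/delete child of type user on the OU, plus rights scoped to descendant user objects). A group-membership delegation shows up as WriteProperty on the "member" attribute of descendant "group" objects. An entry whose ChildClass is "All" with GenericAll rights means the delegation is broader than the wizard options described above and should be reviewed.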
Remove the delegated control of a user
This section describes how to remove the delegated control of the service account.
- Right-click the OU and click "Properties".
- Select the "Security" tab in the pop-up window, select the user you want to remove from the delegated control, and click "Remove".
- Click "Apply" at the end.
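The same removal can be done from PowerShell, which is useful when the delegation has to be cleaned up on several OUs or when you want to see exactly which entries will disappear before committing. The script below is an added example, not part of the original page; it assumes the RSAT ActiveDirectory module and uses placeholder values for the OU distinguished name and the service account. It removes only the explicit ACEs granted to that account on the OU (inherited entries are left alone, as the "Remove" button in the Security tab does) and runs with -WhatIf until you drop that switch.

```powershell
# Added example (not from the original page): remove the explicit ACEs a service
# account holds on an OU, the PowerShell equivalent of the "Security" tab steps.
Import-Module ActiveDirectory

$OuDn           = 'OU=Workstations,DC=corp,DC=example'   # placeholder OU, replace
$ServiceAccount = 'CORP\svc-idm'                         # placeholder account, replace
$Path           = "AD:\$OuDn"

$acl = Get-Acl -Path $Path

# Select only entries that were set directly on this OU for the service account;
# inherited entries come from a parent and cannot be removed here.
$toRemove = @($acl.Access | Where-Object {
    -not $_.IsInherited -and $_.IdentityReference.Value -eq $ServiceAccount
})

if ($toRemove.Count -eq 0) {
    Write-Host "No explicit ACEs for $ServiceAccount on $OuDn; nothing to remove."
    return
}

# Show what is about to be removed so the change can be reviewed first.
$toRemove | Select-Object AccessControlType, ActiveDirectoryRights, InheritanceType |
    Format-Table -AutoSize

foreach ($ace in $toRemove) {
    $null = $acl.RemoveAccessRule($ace)
}

# -WhatIf only reports the write; remove the switch to apply the new ACL.
Set-Acl -Path $Path -AclObject $acl -WhatIf
```

Re-run the audit of explicit ACEs afterwards to confirm the account no longer appears on the OU; if it still does, the remaining entries are either inherited from a parent OU or granted to a group the service account belongs to rather than to the account itself.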