How to allow a User to create other Active Directory Users

active-directorywindows-server-2008

My question is rather simple: How can I assign the right to a Windows Server user to create/manage Active Directory Users?

I am using Windows Server 2008 R2.

Thanks for your help!

PS: I moved this question from stackoverflow to serverfault: https://stackoverflow.com/posts/7429832

Best Answer

I assume you do not want to make them a Domain Admin. So the right way to do this is with the Delegation Wizard. Go to the OU where you want to delegate control (if you have no OUs or want to grant this right for the entire directory, go to the root of the tree).

When you get to the Tasks to Delegate pick at least Create, Delete and manage user accounts. Look at the list for other tasks. Click through to complete the wizard.

Related Solutions

Users vs. Active Directory Users

The difference is the source of their authentication.

AD users are authenticated by a domain controller
Local users are authenticated locally

As far as which to use, it depends. See Do I really need MS Active Directory?

Windows – Allow users to install applications on Vista workstations controlled by Active Directory

You only need to make them Local Administrators (on their workstations) not Domain Administrators

For a script, see How Can I Add a Domain User to a Local Administrators Group?

strComputer = "PCName"
Set objGroup = GetObject("WinNT://" & strComputer & "/Administrators")
Set objUser = GetObject("WinNT://MyDomain/MyUser")
objGroup.Add(objUser.ADsPath)

Best Answer

Related Solutions

Users vs. Active Directory Users

Windows – Allow users to install applications on Vista workstations controlled by Active Directory

Related Topic