Limited Permissions to a domain user on AD Server

active-directory, permissions

How do I assign permissions to a domain user such that he can only change Active Directory users' passwords and join or remove client computers to/from the domain?

He should have admin rights on all client computers.

Best Answer

Question 1:

  • Log on to Windows Server as a domain administrator and open Server Manager from the icon on the desktop Taskbar or from the Start screen.
  • Select Active Directory Users and Computers (ADUC) from the Tools menu.
  • In the left pane of ADUC, expand your domain, right-click the Users container (or the OU for which you want to delegate permissions) and select Delegate Control from the menu.
  • Click Next on the welcome screen.
  • On the Users or Groups screen, click Add.
  • In the Select Users, Computers, or Groups dialog, type the name of the AD group you want to give permission to reset user account passwords and click OK. In this example, I already have an AD group called HelpDesk that I’m going to use.
  • On the Users or Groups screen, click Next.
  • On the Tasks to Delegate screen, check Reset user passwords and force password change at next logon and click Next.

Question 2:

Delegate rights using Active Directory Users and Computers:

  1. Open the Active Directory Users and Computers snap-in.

  2. Right-click the container under which you want the computers added, and press Delegate Control.

  3. Press Next.

  4. Press Add.

  5. After adding all the users and/or groups, press Next.

  6. Select Create custom task to delegate and press Next.

  7. Select Only the following objects in the folder, check Computer objects, check the Create selected objects in this folder box, and press Next.

  8. Check the Create all child objects box and press Next.

  9. Press Finish.

Question 3:

Start by creating a new GPO named Restricted Groups: GROUP NAME (e.g. Restricted Groups: Local Administrators). Edit the GPO and navigate to Computer Configuration/Policies/Windows Settings/Security Settings/Restricted Groups. Under Group Name, right-click and select Add Group.
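The Delegation of Control wizard steps in the answer for Questions 1 and 2 can also be applied (and, more importantly, verified) from PowerShell. The script below is an added example, not part of the original answer: it grants the same rights the wizard grants and then lists the resulting ACEs so you can confirm nothing broader was delegated. It assumes the RSAT ActiveDirectory module, a delegated group named HelpDesk, and two hypothetical OUs (OU=Staff for user accounts, OU=Workstations for client computers); schema and extended-right GUIDs are looked up from the directory at run time rather than hard-coded.

```powershell
# Added example (not from the original answer): PowerShell equivalent of the
# Delegation of Control wizard steps for Questions 1 and 2, plus a verification step.
# Assumptions (hypothetical): RSAT ActiveDirectory module, group "HelpDesk",
# OU=Staff for users and OU=Workstations for client computers.
Import-Module ActiveDirectory

$Group      = 'HelpDesk'                            # hypothetical delegated group
$UserOU     = 'OU=Staff,DC=example,DC=com'          # hypothetical OU holding user accounts
$ComputerOU = 'OU=Workstations,DC=example,DC=com'   # hypothetical OU where clients are joined

$rootDse = Get-ADRootDSE
$sid     = (Get-ADGroup $Group).SID

# Resolve GUIDs from the schema / Extended-Rights container instead of hard-coding them.
function Get-SchemaGuid([string]$LdapDisplayName) {
    $obj = Get-ADObject -SearchBase $rootDse.schemaNamingContext `
        -LDAPFilter "(lDAPDisplayName=$LdapDisplayName)" -Properties schemaIDGUID
    [guid]$obj.schemaIDGUID
}
function Get-ExtendedRightGuid([string]$DisplayName) {
    $obj = Get-ADObject -SearchBase "CN=Extended-Rights,$($rootDse.configurationNamingContext)" `
        -LDAPFilter "(displayName=$DisplayName)" -Properties rightsGuid
    [guid]$obj.rightsGuid
}

$userClass     = Get-SchemaGuid 'user'
$computerClass = Get-SchemaGuid 'computer'
$pwdLastSet    = Get-SchemaGuid 'pwdLastSet'
$resetPassword = Get-ExtendedRightGuid 'Reset Password'

$rights  = [System.DirectoryServices.ActiveDirectoryRights]
$allow   = [System.Security.AccessControl.AccessControlType]::Allow
$descend = [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents

# Question 1: "Reset user passwords and force password change at next logon".
# The wizard grants the Reset Password extended right plus read/write on pwdLastSet,
# both scoped to descendant user objects only (not groups, computers or the OU itself).
$userAcl = Get-Acl -Path "AD:\$UserOU"
$userAcl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $sid, $rights::ExtendedRight, $allow, $resetPassword, $descend, $userClass)))
$userAcl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $sid, ($rights::ReadProperty -bor $rights::WriteProperty), $allow,
    $pwdLastSet, $descend, $userClass)))
Set-Acl -Path "AD:\$UserOU" -AclObject $userAcl

# Question 2: create (join) and delete (remove) computer objects in the workstation OU.
# CreateChild/DeleteChild restricted to the computer class GUID, applied to the OU itself.
$compAcl = Get-Acl -Path "AD:\$ComputerOU"
$compAcl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $sid, ($rights::CreateChild -bor $rights::DeleteChild), $allow, $computerClass,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::None)))
Set-Acl -Path "AD:\$ComputerOU" -AclObject $compAcl

# Verify: show only the ACEs that name the delegated group. Anything with
# GenericAll/WriteDacl/WriteOwner here would mean the delegation is wider than intended.
foreach ($ou in $UserOU, $ComputerOU) {
    (Get-Acl -Path "AD:\$ou").Access |
        Where-Object { $_.IdentityReference -like "*\$Group" } |
        Select-Object @{n = 'OU'; e = { $ou }}, ActiveDirectoryRights, ObjectType,
                      InheritedObjectType, InheritanceType
}
```

Run this as a domain administrator; the verification loop at the end is worth keeping as a standalone check after using the GUI wizard too, since the wizard offers no summary of what it wrote. For Question 3, note that a Restricted Groups policy using "Members of this group" replaces the existing membership of the local Administrators group on every client the GPO applies to, so include the built-in local Administrator and any other accounts you still need there, or use "This group is a member of" on the HelpDesk group to add without replacing.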