How to Delegate control in Active Directory Users and Computers | AD Delegation (2023)


Hi Guys,
Welcome to my YouTube Channel "IT Parivar"
In this video I have tried to explain Active Directory (AD) user delegation step by step, so please watch the complete video for more clarification about domain user delegation.


Please don't forget to share, like & subscribe "IT Parivar"

Thanks for Watching!!!


Hello guys, welcome back to my channel.

So today in this video we will learn about Active Directory user or OU delegation.

So let's start.

Now I just want to explain something about user or OU delegation. Suppose you are going to create a user,

and you want to assign that user a specific permission, like he can create users or reset passwords or join client machines to the domain, or the user can delete any user or objects of Active Directory.

So for all these things we will delegate Active Directory users. That means, you can say in a single line, to provide specific user rights.

We will delegate Active Directory users.

So let's start now.

But before going ahead, I just want to request you: if you have not subscribed to my channel yet, please subscribe to my channel,

so that if I upload any new videos, you can view and watch them. So let's start now.

So this is my domain name that is test dot line.

And suppose you have created one OU, that is test user OU.

I have already created it.

So I am going to create a new user here.

I am going to keep the username here like test delegation, test d, and I'll keep the same in the user logon name also. In your case you can keep it as per your requirement.

One minute.

So I have created this user that is test d.

So we can delegate in two ways: either we can delegate the particular user, or you can say specific user, or we can delegate a group.

So here I am going to create one group like help desk.

This is just for example. I have created it here, and I am going to add this test user to the help desk group,

so that I can show you delegating with the username or with the name of the group.

So you can just click here on add to a group, and type help here.

So it is help desk.

Okay, successfully added.

You can see here also: help desk group members, test d.

So test d is a member of the help desk group.

Now you can see the same from here also, help desk.

If any user is created in Active Directory, then it will be a default member of Domain Users.

So now let's start to delegate next.

You can see here select users and groups, which means you can delegate either through the username or the groups.

So here I am going to delegate the user, that is test d.

You can click on Check Names. Or for testing,

you can also delegate from the user group name.

So if you want, you can also check by typing help, so help desk, as I have created help desk as a user group.

So I'm going to remove it, and will just check by username.

But if you have three or four users or many users, then it will be better to delegate by the name of the group. And click Next.

You can see here there are two options: delegate the following common tasks, or create a custom task to delegate.

So if you go with this option, create a custom task, then you have to create it by selecting from these, like connection objects, DNS zone scope, and here there are many more options.

So as per requirement, you can delegate from here, custom task to delegate, or you can delegate from the delegate the following common tasks option.

So there are many more options here, like create, delete and manage user accounts; reset user passwords and force password change at next logon; read all user information; modify the membership of a group; join a computer to the domain; manage Group Policy links.

So for testing, for now, I am going to select this one, reset user passwords and force password change at next logon, and the rest I will leave as default. Click Next.

So as we are selecting here only reset user passwords and force password change at next logon, we have to check whether the user is able to reset and force password change at next logon or not. And we'll also check whether the user is able to create and delete users, or manage or join computers, or not. So just click on Next, click Finish.

Now, one more thing I want to explain here: if you delegate the user,

and if that user tries to log in on the domain controller, then you have to add that user, the delegated user or any user that is trying to log in on the domain controller,

if it is required or it is your company policy.

So you have to add that user in the User Rights Assignment group policy and allow log on locally.

So first we'll check without adding that user in the group policy, and we'll check what error we are getting here.

So we'll select other user.

We have created user test space d; password.

And you can see: "The sign in method you are trying to use is not allowed. For more info, contact your network administrator."


So what we'll do: we will log in here, it's on domain, and open Group Policy Management.

So as the user is trying to log in on the domain, means DC, domain controller,

and as we have also delegated the user for domain purposes, means for user reset or any other options,

we have to modify the Default Domain Controllers Policy,

because the Default Domain Controllers Policy is linked with the default Domain Controllers.

So we'll edit: go to Policies, Windows Settings, Security Settings, Local Policies, User Rights Assignment. So add user or group, you can browse.

So here you can add the particular user or group.

We can also add a group here, that is the helpdesk group, and testd is a member of the helpdesk group. Click OK.

You can see test, help desk, test d user added here. Apply, OK.

Close. Just check that the Default Domain Controllers Policy is linked.

If the Default Domain Controllers Policy is not linked, link an existing one, Default Domain Controllers, and click OK. Yes.

Now, it's.


Now, close it. Run, open cmd, gpupdate /force. Computer policy update has completed successfully, and user policy also completed successfully.

Now we'll sign out, go to the other user option, test d. Yes.

So now you can see the user is successfully logged in.

And as we have delegated this user, now we'll check. Yes, you can see it is prompting here for username and password, because this user has limited access, as this is a delegated user.

So the username is testd.

Yes, this is just for confirmation.


So Server Manager opens now. Now we'll go to Active Directory Users and Computers, and we'll check by resetting a user ID password and forcing a password change at next logon.

So you can see here one more thing: there is no New option, which means this user has no access to create a new user, OU or any group, because we have delegated this user only for user ID password reset and change password at next logon. So let's see by resetting a user ID.

So I have created a few users here, like t3, t2 and test d.

So as we have delegated this testd user and logged in with it also, now we'll check by resetting the t2 user password. Reset; you can see here

the option is user must change password at next logon, so we'll select it and check if it is okay or not. Yes.

So you can see the password for t2 has been changed.

So that means our delegation for user reset and force to change password at next logon is working fine. So guys, in this way you can delegate the users.

We can also test by deleting.

This user will try to delete, and we'll check

if this test space d user is able to delete, or you can say whether this delegated user will be able to delete the t2 user or not. You can see: "You do not have sufficient privileges to delete t2, or this object..."



How to Delegate control in Active Directory Users and Computers | AD Delegation?

To delegate Active Directory permissions, open the Active Directory Users and Computers console and launch the AD Delegation wizard by right-clicking an organizational unit (OU) or container and selecting 'Delegate Control…'

Can delegation be used in Active Directory?

To delegate control in Active Directory, you can use the Delegation of Control Wizard in the Microsoft Management Console (MMC) Active Directory Users and Computers (ADUC) snap-in.

How do I add a delegate control to join a computer to a domain?

Right-click the container under which you want the computers to be added and click Delegate Control. To add a user or group, click Add. Once you are done, click Next. Under Tasks to Delegate, click Create a custom task to delegate.

How do I get delegated permissions in Active Directory?

Permissions can be delegated with the Active Directory Users and Computers (ADUC) management console. The Delegation of Control Wizard can be launched by right-clicking an OU and selecting Delegate Control from the top of the list.
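
Reading a delegation back from the OU's ACL, as an added example that is not part of the original page or video. It assumes the RSAT ActiveDirectory module (which provides the `AD:` drive); the OU distinguished name is a placeholder, and `Resolve-AdGuid` is a helper name made up for this example.

```powershell
# Added example: list explicit (non-inherited) ACEs on an OU so that
# delegations made with the Delegation of Control Wizard can be reviewed.
Import-Module ActiveDirectory   # provides the AD: PowerShell drive

# Placeholder DN (assumption): replace with the OU that was delegated.
$ouDn = 'OU=TestUsers,DC=example,DC=com'

# Well-known GUIDs behind the common task
# "Reset user passwords and force password change at next logon".
$known = @{
    '00299570-246d-11d0-a768-00aa006e0529' = 'Reset Password (extended right)'
    'bf967a0a-0de6-11d0-a285-00aa003049e2' = 'pwdLastSet (attribute)'
    'bf967aba-0de6-11d0-a285-00aa003049e2' = 'user (object class)'
    '00000000-0000-0000-0000-000000000000' = '(all)'
}

# Hypothetical helper: show a friendly name when the GUID is known,
# otherwise print the raw GUID so nothing is hidden from the reviewer.
function Resolve-AdGuid([guid]$Guid) {
    $key = $Guid.ToString()
    if ($known.ContainsKey($key)) { $known[$key] } else { $key }
}

# Explicit ACEs only: inherited entries come from parent containers,
# the explicit ones are what was granted on this OU itself.
(Get-Acl -Path "AD:\$ouDn").Access |
    Where-Object { -not $_.IsInherited } |
    Select-Object IdentityReference,
                  AccessControlType,
                  ActiveDirectoryRights,
                  @{ n = 'AppliesTo';  e = { Resolve-AdGuid $_.InheritedObjectType } },
                  @{ n = 'ObjectType'; e = { Resolve-AdGuid $_.ObjectType } } |
    Sort-Object IdentityReference |
    Format-Table -AutoSize
```

For the password-reset task, the expected rows for the delegated account or group are an `ExtendedRight` entry for Reset Password and `ReadProperty, WriteProperty` on pwdLastSet, both applying to user objects; anything broader on the same identity deserves a second look.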

How do you delegate and control?

The Control Freak's Guide to Delegating
  1. Put Your Excuses to Rest. If you're hesitant to delegate because you don't think anyone else can do the task “right,” you haven't done your job as a boss. ...
  2. Pick the Right Person for the Job. ...
  3. Show Them the Big Picture. ...
  4. Provide Just Enough Guidance. ...
  5. Follow Up With Feedback.


Author: Dr. Pierre Goyette

Last Updated: 03/08/2023
