Another great feature of Server 2012 is how the Delegation of Control Wizard simplifies adding rights for common tasks to groups or administrators.
Suppose we have just started building our network, and we’d like to give Hr1 the ability to reset passwords for users (Delegating control). Since we don’t want Hr1 modifying other parts of our domain, we want to restrict the access rights to only that task, for the time being. The simplest way is to use the Delegation of Control Wizard, so we’ll start by going to our Administrative Tools and opening the Active Directory Users and Computers snap-in. Once we expand our domain, we’ll go down to the OU that holds our Hr1 user, right-click on it, and choose Delegate Control.
The welcome screen of the Delegation Wizard pops up, and we click Next.
We need to add our Hr1 user, so we click Add.
We type in the name of our group, Hr, and then click the Check Names button. Once it finds them in AD, the name will display fully, and we can click the OK button.
Once it shows up in our list of selected users and groups, we will proceed by clicking the Next button again.
Now we get to the real power of the Delegation of Control Wizard. The wizard lists out the most commonly used tasks to delegate control for, but also allows you to add some of the more obscure rights as well; this is done through the Create a custom task to delegate option. Since we just want to give our Hr1 user the right to reset passwords, we’ll choose that one from the list and click Next.
Next we’ll get a summary of all the controls we are about to delegate. It’s always a good idea to browse over this, just to make sure you didn’t accidentally check one of the wrong boxes. Once we’re certain that everything looks good, we click the Finish button.
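To confirm that the wizard granted only what the summary screen listed, the OU's ACL can be read back with the ActiveDirectory PowerShell module. This is an added example, not part of the original article; the OU path, the domain name, and the set of ACEs treated as expected for a password-reset delegation are assumptions.

```powershell
# Added example: list the ACEs a delegated account holds directly on an OU.
# Assumed placeholders (not from the article): OU DN and NetBIOS domain name.
Import-Module ActiveDirectory

$OuDn      = 'OU=HR,DC=example,DC=com'   # placeholder: OU that holds Hr1
$Principal = 'EXAMPLE\Hr1'               # placeholder: DOMAIN\account

# Well-known AD schema / extended-right GUIDs used by password-reset delegation
$KnownGuids = @{
    '00299570-246d-11d0-a768-00aa006e0529' = 'Reset Password (extended right)'
    'bf967a0a-0de6-11d0-a285-00aa003049e2' = 'pwdLastSet (attribute)'
    'bf967aba-0de6-11d0-a285-00aa003049e2' = 'user (object class)'
    '00000000-0000-0000-0000-000000000000' = 'all'
}

function Resolve-SchemaGuid([guid]$Guid) {
    # Translate a GUID to a readable name when it is one we know
    $key = $Guid.ToString()
    if ($KnownGuids.ContainsKey($key)) { $KnownGuids[$key] } else { $key }
}

# Explicit (non-inherited) ACEs on the OU for the delegated principal
$aces = (Get-Acl -Path "AD:\$OuDn").Access |
    Where-Object { $_.IdentityReference.Value -eq $Principal -and -not $_.IsInherited }

$report = foreach ($ace in $aces) {
    [pscustomobject]@{
        Type      = $ace.AccessControlType
        Rights    = $ace.ActiveDirectoryRights
        Object    = Resolve-SchemaGuid $ace.ObjectType
        AppliesTo = Resolve-SchemaGuid $ace.InheritedObjectType
        Scope     = $ace.InheritanceType
    }
}
$report | Format-Table -AutoSize

# Assumption: a password-reset delegation consists of the Reset Password
# extended right plus read/write on pwdLastSet, both scoped to user objects.
$expected = 'Reset Password (extended right)', 'pwdLastSet (attribute)'
$extra = @($report | Where-Object { $_.Type -eq 'Allow' -and $_.Object -notin $expected })
if ($extra.Count -gt 0) {
    Write-Warning "$Principal holds rights on $OuDn beyond password reset:"
    $extra | Format-List
} elseif (-not $report) {
    Write-Warning "No explicit ACEs found for $Principal on $OuDn."
}
```

If the delegation was made to a group rather than the user, set the placeholder principal to that group, since ACEs are matched on the exact identity they were written for.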
User Hr1, without having full administrative rights, should now be able to change user passwords in its own OU on the server. However, if we were to log in to the server as user Hr1 at this point, the system would not allow it. For security reasons, Group Policy only allows administrators and specific administrative groups to log on locally. We will need to give Hr1 the user right to log on locally.
From the Server Manager, under Tools, select Group Policy Management.
Expand the Forest, as per the figure, down to Default Domain Controller, then right-click it and choose Edit…
In the Group Policy Management Editor, under User Rights Assignment, double-click Allow log on locally.
Select Add User or Group…; in the new window select Browse…, type Hr1 in the object box, and select Check Names. Finally, select OK, OK, OK.
We need to update the policy by running the command gpupdate /force from the command prompt.
Also published on Medium.