Server 2016 AD LDS roles


It's been many years since I sat my MS exams and many changes have happened since. Wondering if AD LDS on Server 2016 has "roles" that allow you to grant certain administrative privileges to people. For example I have a need to grant a group access to reset passwords but nothing else. Is this possible via some simple wizard method etc.?

If not, is there a way to achieve this through configuration in some way?

2 Replies

- Start Active Directory Users and Computers
- In the left pane of ADUC, expand domain, right-click the Users container (or the OU for which you want to delegate permissions) and select Delegate Control from the menu
- In the Select Users, Computers, or Groups dialog, type the name of the AD group you want to give permission to reset user account passwords and click OK
- Click Next
- On the Tasks to Delegate screen, check Reset user passwords and force password change at next logon and click Next\Finish

 


Just checking if there's any progress or updates?

--please don't forget to upvote and mark if the reply is helpful--
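
What the Delegate Control steps in the first reply set on the directory, as an added PowerShell example that is not part of the thread: it grants the same two rights with dsacls, then lists the group's explicit ACEs on the OU so anything beyond password reset stands out. It assumes an AD DS domain as in that reply and a host with the ActiveDirectory module; the OU and group names are placeholders.

```powershell
# Added example; OU and group names are placeholders, not values from the thread.
Import-Module ActiveDirectory

$ou    = 'OU=Staff,DC=example,DC=com'
$group = 'EXAMPLE\PasswordResetters'

# The two rights behind the wizard task, applied to descendant user objects only (/I:S).
# CA = control-access (extended) right; RP/WP = read/write property.
dsacls $ou /I:S /G "${group}:CA;Reset Password;user" | Out-Null
dsacls $ou /I:S /G "${group}:RPWP;pwdLastSet;user"   | Out-Null

# Schema GUIDs that identify those ACEs when the ACL is read back.
$resetPassword = [guid]'00299570-246d-11d0-a768-00aa006e0529'  # Reset Password extended right
$pwdLastSet    = [guid]'bf967a0a-0de6-11d0-a285-00aa003049e2'  # pwdLastSet attribute
$userClass     = [guid]'bf967aba-0de6-11d0-a285-00aa003049e2'  # user object class

# Rights/object pairs that count as "password reset and nothing else".
$allowed = @(
    "ExtendedRight|$resetPassword",
    "ReadProperty|$pwdLastSet",
    "WriteProperty|$pwdLastSet",
    "ReadProperty, WriteProperty|$pwdLastSet"
)

# List the group's explicit ACEs on the OU and mark each one as expected or not.
(Get-Acl -Path "AD:\$ou").Access |
    Where-Object { $_.IdentityReference.Value -eq $group -and -not $_.IsInherited } |
    ForEach-Object {
        $key = "$($_.ActiveDirectoryRights)|$($_.ObjectType)"
        [pscustomobject]@{
            Rights     = $_.ActiveDirectoryRights
            ObjectType = $_.ObjectType
            AppliesTo  = $_.InheritedObjectType
            Expected   = $_.AccessControlType -eq 'Allow' -and
                         $_.InheritedObjectType -eq $userClass -and
                         $allowed -contains $key
        }
    } | Format-Table -AutoSize
```

Any row with `Expected` set to False is a right held by the group on that OU beyond the password-reset delegation and is worth reviewing.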