Hi,
I followed the steps in another thread (https://social.technet.microsoft.com/Forums/en-US/f1846ea7-31fc-4d38-8950-ef7d86f3cefb/need-to-create-help-desk-users-to-unlock-andor-change-passwords?forum=winserverDS) on delegating rights to a "help desk group" to allow this new group to do limited things in AD (create accounts, reset passwords etc). I applied this to the OU where most of our users objects belong.
Having done that, how do I give the help desk person access to the appropriate programs (users and computers for instance) so they can make these changes? Do they log in as themselves to a domain controller to fire up "users and computers"? Or can they still do too much on a DC? (I only want them to be able to a) create users b) reset pwd c) add a computer to the domain).
Or can you somehow install some sort of snapin on their local PC to allow them access to users and computers?
I added them as a remote user to the domain controller but they still could not log in.
Thanks,
Albert