I want to be able to allow group of users to be able to reset passwords and create accounts in an ou. I delegated control of the ou to the group, but if I log in to the domain controller and try to open active directory users and computers, I am asked for an administrator password. I have a mix of two Server 2003 domain controllers, and one Server 2008 domain controller. Is there a way to give a group access to active directory users and computers without being an administrator?

Delegation of the reset of passwords to a group should be enough. Please go to the properties of your domain and go to Security. Once done, check that your group is allowed to: Read domain password & lockout policies Read Other domain parameters Also, go to the OU property and check that your group has the right to read its content. This posting is provided "AS IS" with no warranties or guarantees , and confers no rights. Microsoft Student Partner Microsoft Certified Professional Microsoft Certified Systems Administrator: Security Microsoft Certified Systems Engineer: Security Microsoft Certified Technology Specialist: Windows Server 2008 Active Directory, Configuration Microsoft Certified Technology Specialist: Windows Server 2008 Network Infrastructure, Configuration

Delegation of the reset of passwords to a group should be enough. Please go to the properties of your domain and go to Security. Once done, check that your group is allowed to: Read domain password & lockout policies Read Other domain parameters Also, go to the OU property and check that your group has the right to read its content. This mentioned above method from Mr. X, (Salutation sir!) is the best solution for your current setup. Once you actually move to a Server 2008 Domain Functional level (only server 2008 DCs) you can actually delegate a security group or user permissions to perform specific functions as easy as checklisting NTFS permissions for a user or group. I haven't tested Delegating OU's with Server 2008 and Server 2003 in the Server 2003 Functionality level but I'm pretty sure delegation cannot be accomplished with the delegation wizard until you upgrade. You'll have to use the OUs for now. In the future! When you upgrade your domain Functionality Level... It's called OU Delegation, click this link to the TechNet Library below for more information. TechNet Library: Server 2008 and Server 2008 R2 - Delegate Control of an Organizational Unit Once you select your user or group it looks like this. For now however, creating those security groups might be your best bet so that you don't confuse the Server 2003 DCs.Steve Kline Microsoft Certified IT Professional: Server Administrator Microsoft Certified Product Specialist Microsoft Certified Network Product Specialist Red Hat Certified System Administrator This posting is "as is" without warranties and confers no rights.

Great !! explaination by steve in addition to other please have a look here http://www.thenetworktechnician.com/2010/08/how-to-delegate-password-reset-active-directory-server-2008/ http://www.tech-faq.com/how-to-delegate-administrator-privileges-in-active-directory.html http://www.virmansec.com/blogs/skhairuddin

Salutation Steve! You have made a great explanations and you are doing a great job on Microsoft Technet Forums. I encourage you to continue like that. This posting is provided "AS IS" with no warranties or guarantees , and confers no rights. Microsoft Student Partner Microsoft Certified Professional Microsoft Certified Systems Administrator: Security Microsoft Certified Systems Engineer: Security Microsoft Certified Technology Specialist: Windows Server 2008 Active Directory, Configuration Microsoft Certified Technology Specialist: Windows Server 2008 Network Infrastructure, Configuration