Unable to Delegate Full Control to User account that used to be a Domain Admin

Ameer Shah 0 Reputation points
2025-02-27T13:58:39.7166667+00:00

We had a group of people within our IT Dept that had administrative accounts set up as Domain Admins, that we will call ITGroupC. Obviously, it is not best practice to have several Domain Admins, and we have worked at giving them targeted access to resources and removed them from the Domain Admins Group. That part is fine. And since then there have been new members added to ITGroupC. Both old and new members of ITGroupC are able to carry out their roles ok.

Members of ITGroupC will need to have their accounts unlocked, have the expiration date of the account changed, and similar, by people in the Help Desk. Members of the HelpDesk are not Domain Admins.

Delegation of the management of the accounts in ITGroupC has been set up in AD for the Help Desk to manage the ITGroupC accounts, where the Help Desk Group has been granted Full Control over the OU in which the ITGroupC accounts have been placed.

We have found that members of the Help Desk can unlock User accounts in ITGroupC only if those members have been recent additions to ITGroupC. But if a member of ITGroupC was previously a Domain Admin, then members of the Help Desk have the unlock account option greyed out, as well as other options for account management. One of the few existing Domain Admins can fully manage all members of ITGroupC.

For the members of ITGroupC that used to be Domain Admins, in Attribute Editor, for adminCount, the value is set to 1. We have changed this to <not set>, but this has not made a difference, and members of the Help Desk still cannot fully manage accounts in ITGroupC that used to be Domain Admins.

Can anyone please tell us how we can make it so that members of the Help Desk can have Full Control by Delegation over User accounts that used to be, but are no longer, Domain Admins?

Windows Server Identity and access Active Directory

3 answers

Sort by: Most helpful
  1. Daisy Zhou 30,286 Reputation points Microsoft External Staff
    2025-02-27T14:53:59.5833333+00:00

    Hello

    Thank you for posting in Q&A forum.

    1. First, please check AD replication between all DCs; please run the commands below on the PDC.

    repadmin /showrepl >C:\rep1.txt

    repadmin /replsum >C:\rep2.txt

    repadmin /showrepl * /csv >c:\repsum.csv

    2. I assume the OU with members in ITGroupC is OU1. OU1 has members Mem1 (old), Mem2 (old), Mem3 (new), Mem4 (new).

    Help Desk has full control on old members Mem1 (old), Mem2 (old) and does not have full control on new members Mem3 (new), Mem4 (new).

    2-1. Please check if the Mem1 (old) and Mem3 (new) have the same group membership.

    2-2. Please check if the Help Desk has different permissions on Mem1 (old) and Mem3 (new).

    Right click Mem1 (old) and select Properties and click Security tab, Advanced button, click Effective Access tab, click "Select a user", type one Help Desk account and click "View effective access".

    Right click Mem3 (new) and select Properties and click Security tab, Advanced button, click Effective Access tab, click "Select a user", type the same one Help Desk account and click "View effective access".

    Compare the permissions above.


    3. You can try to create a new user (testuser) and add it to Domain Admins, then remove it from the Domain Admins group, then add this testuser to the same OU as the ITGroupC members, then check if the Help Desk has full permissions on this testuser.

    I hope the information above is helpful.

    If you have any questions or concerns, please feel free to let us know.

    Best Regards,

    Daisy Zhou



  3. Ameer Shah 0 Reputation points
    2025-02-28T15:00:00.9333333+00:00

    For my current situation, the answer is to go to each User account that used to be a Domain Admin, and set the security in Properties > Security, so that the Help Desk Group have Full Control.

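The adminCount=1 value the question mentions is the marker left by the SDProp process: while an account is in a protected group, AD periodically stamps it with the AdminSDHolder ACL and disables ACL inheritance on the object, which is why OU-level delegation stops applying to it. Clearing adminCount alone does not restore inheritance, and setting explicit ACEs per user (the workaround above) does not scale. The following PowerShell is an added example, not code from this thread or from Microsoft: it lists users in an OU that still carry adminCount=1, warns about any that are still (directly or via nesting) in a protected group (SDProp would simply re-apply the ACL to those), and, when $Apply is $true, clears adminCount and re-enables inheritance so the OU delegation takes effect. The OU path and the list of protected group names are assumptions to adjust for your forest; it requires the RSAT ActiveDirectory module.

```powershell
# Added example (not from the thread). Requires the ActiveDirectory RSAT module.
Import-Module ActiveDirectory

$OuDn  = 'OU=ITGroupC,DC=example,DC=com'   # placeholder: the ITGroupC OU
$Apply = $false                            # $false = report only; $true = fix

# Groups whose members SDProp protects (default set; extend if your forest differs).
$ProtectedGroupNames = 'Domain Admins','Enterprise Admins','Schema Admins',
    'Administrators','Account Operators','Server Operators',
    'Backup Operators','Print Operators'

# Collect SIDs that are still (directly or nested) members of a protected group.
$StillProtected = @{}
foreach ($name in $ProtectedGroupNames) {
    $group = Get-ADGroup -Filter "Name -eq '$name'"   # empty in non-root domains
    if ($group) {
        Get-ADGroupMember -Identity $group -Recursive |
            ForEach-Object { $StillProtected[$_.SID.Value] = $true }
    }
}

# Users in the OU that still carry the SDProp marker.
$Candidates = Get-ADUser -SearchBase $OuDn -Filter 'adminCount -eq 1' `
    -Properties adminCount, nTSecurityDescriptor

foreach ($user in $Candidates) {
    if ($StillProtected.ContainsKey($user.SID.Value)) {
        Write-Warning ("{0} is still in a protected group; SDProp will keep " +
            "re-applying AdminSDHolder. Remove that membership first." -f $user.SamAccountName)
        continue
    }
    $blocked = $user.nTSecurityDescriptor.AreAccessRulesProtected
    Write-Host ("{0}: adminCount=1, inheritance blocked={1}" -f $user.SamAccountName, $blocked)

    if ($Apply) {
        # Clear the marker, then re-enable inheritance (keeping existing explicit ACEs)
        # so the Help Desk delegation on the OU flows down to this object.
        Set-ADUser -Identity $user -Clear adminCount
        $path = "AD:\$($user.DistinguishedName)"
        $acl  = Get-Acl -Path $path
        $acl.SetAccessRuleProtection($false, $true)
        Set-Acl -Path $path -AclObject $acl
        Write-Host ("{0}: adminCount cleared, inheritance restored" -f $user.SamAccountName)
    }
}
```

Run it first with $Apply left at $false and review the output; the AdminSDHolder ACEs that SDProp copied onto the object remain as explicit entries and can be removed afterwards if you want the object to carry only the OU's inherited permissions.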
