Delegating access to create users in Active Directory using PowerShell and the DSACL module

Allowing non-Domain Admins to manage certain parts of Active Directory is a requirement in most organizations. Access to create, modify or delete whole objects of a certain type, or just specific attributes on those objects, can be granted to a user or group for a specified Organizational Unit (OU) by modifying the Access Control List (ACL) on the OU.

Delegating granular access on multiple OUs is not only a tedious task, but also one with a high risk of human error. The DSACL module was created to make it easier to delegate granular access in an automatable way.

In this video, Simon Wahlin shows how to delegate access to create users in Active Directory. He delegates access for John to create users in the People OU using the command Add-DSACLCreateChild. This allows John to create an account using New-ADUser.

Prerequisites:

Required software: Active Directory
Required PowerShell modules: ActiveDirectory and DSACL
Required rights: access to write ACLs (WriteDacl); the demo uses a Domain Admin account
Required accounts: a user or group to delegate access to
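The delegation described above, written out as an added example that is not the video's own script or part of the DSACL project. The parameter names used for Add-DSACLCreateChild (-TargetDN, -DelegateDN, -ObjectTypeName) are assumed from the module's documentation, and the domain corp.example, the People OU and the account John are constructed values. The example snapshots the OU's DACL before and after the change so that the exact access control entries that were added can be reviewed against what was intended (CreateChild on user objects only) rather than trusting the command blindly.

```powershell
# Added example, not from the video or the DSACL project.
# Assumed: Add-DSACLCreateChild accepts -TargetDN, -DelegateDN and -ObjectTypeName.
# Constructed: the corp.example domain, the People OU and the user John.
Import-Module ActiveDirectory
Import-Module DSACL

$TargetOU = 'OU=People,DC=corp,DC=example'                 # constructed OU
$Delegate = (Get-ADUser -Identity 'John').DistinguishedName  # constructed account

# schemaIDGUID of the 'user' class; CreateChild ACEs scoped to user objects
# carry this GUID in their ObjectType field.
$UserClassGuid = [guid]'bf967aba-0de6-11d0-a285-00aa003049e2'

# Snapshot the DACL before the change so the delta can be reviewed and,
# if needed, the new entries reverted.
$Before = (Get-Acl -Path "AD:\$TargetOU").Access

# Grant the delegate the right to create user objects in the OU.
Add-DSACLCreateChild -TargetDN $TargetOU -DelegateDN $Delegate -ObjectTypeName User

# Read the DACL again and keep only the entries that did not exist before.
$After = (Get-Acl -Path "AD:\$TargetOU").Access
$NewAces = Compare-Object -ReferenceObject $Before -DifferenceObject $After `
    -Property IdentityReference, ActiveDirectoryRights, ObjectType, InheritanceType, AccessControlType |
    Where-Object SideIndicator -eq '=>'

$NewAces | Format-Table IdentityReference, ActiveDirectoryRights, ObjectType, InheritanceType -AutoSize

# Check that every added entry is an Allow ACE limited to CreateChild on the
# user class; anything broader than that should be investigated before the
# delegation is left in place.
$Unexpected = $NewAces | Where-Object {
    $_.AccessControlType -ne 'Allow' -or
    $_.ActiveDirectoryRights -ne 'CreateChild' -or
    $_.ObjectType -ne $UserClassGuid
}
if ($Unexpected) {
    Write-Warning "Delegation added ACEs beyond CreateChild on user objects:"
    $Unexpected | Format-Table IdentityReference, ActiveDirectoryRights, ObjectType -AutoSize
} else {
    Write-Host "Delegation verified: only CreateChild on user objects was granted to $Delegate"
}
```

Run the script from an account that holds WriteDacl on the target OU (the video uses a Domain Admin account). Keeping the before/after comparison in the script gives a reviewable record of exactly which rights were handed out, which is the main safeguard against the human-error risk the page describes when the same delegation is repeated across many OUs.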