Question: How to delegate permissions to a simple Active Directory user?
While configuring the HC ADSync Tool, the credentials of the local Active Directory domain\admin generally suffice. However, some organizations require that the account used have permissions only on a specific OU. The details below describe the Local AD Settings for such a user and the procedure for delegating control over a certain OU to that user:
- The user who has privileges on a certain OU enters their credentials in Local AD Settings
- This user has no administrator privileges; it is a simple AD user
- The OU added in Local AD Settings must have control delegated to the user described in point 2 above
- To delegate control over a certain OU to the user, follow the procedure below: open Active Directory, expand the root OU and navigate to the OU in question, then right-click the OU and choose to delegate control over it
- Select the specific user you want to give control over the OU
- Select the check boxes shown in the screenshots
That’s it! You have successfully delegated control to the simple AD User.
Note: After delegating control, removing a user in the local AD will not automatically remove it from the Cloud DC (in case you have enabled the Delete Object option in AD Sync utility > Sync Services).
Reason: A simple (non-administrator) local AD user does not have privileges to view or read the Deleted Objects container. By default, only domain-admin-level users have privileges on the Deleted Objects container in AD.
To grant permission on the Deleted Objects container, run the following command on your local DC. For the change to take effect, reboot the DC.
Open PowerShell using Run as administrator and execute the command below:
dsacls "CN=Deleted Objects,DC=ad10,DC=lab03,DC=com" /g ad10\hcsynctest:LCRP
* Replace the distinguished name and the domain\user in the command with your actual DC record and sync account.
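To confirm that the sync account holds only the delegated rights on its OU and can now read the Deleted Objects container, the following audit script can be run on the DC. It is an added example, not part of the original article or the HC ADSync Tool; the OU distinguished name and the account name are placeholders taken from the command above and must be replaced with your own.

```powershell
# Added example: audit the delegation for the non-admin sync account.
# Placeholders (assumptions): adjust $account and $ouDN for your domain.
Import-Module ActiveDirectory

$account = 'ad10\hcsynctest'                               # delegated sync user
$ouDN    = 'OU=SyncUsers,DC=ad10,DC=lab03,DC=com'          # placeholder OU
$delDN   = 'CN=Deleted Objects,DC=ad10,DC=lab03,DC=com'    # from the article

# 1. Which ACEs on the OU name the sync account? Anything beyond what was
#    ticked in the Delegation of Control wizard is over-privilege to remove.
$acl = Get-Acl -Path "AD:\$ouDN"
$acl.Access |
    Where-Object { $_.IdentityReference -eq $account } |
    Select-Object ActiveDirectoryRights, AccessControlType, InheritanceType, ObjectType |
    Format-Table -AutoSize

# 2. dsacls with no switches lists the ACL; the LCRP grant should show up
#    as List Contents / Read Property for the account.
dsacls $delDN | Select-String -Pattern 'hcsynctest'

# 3. Functional check, run as the sync account: tombstoned objects must be
#    readable, otherwise Delete Object sync cannot see removed users.
$cred = Get-Credential -UserName $account -Message 'Sync account password'
Get-ADObject -Filter 'isDeleted -eq $true' -IncludeDeletedObjects `
    -Credential $cred -ResultSetSize 5 |
    Select-Object Name, ObjectClass, Deleted
```

If step 3 returns an access-denied error or nothing at all while you know objects have been deleted, the LCRP grant has not taken effect yet or was applied to the wrong account.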