A. Windows NT basically had two types of users, Administrators and Users. While other groups exist such as Print Operators, Server Operators when it comes to authority of users you had all or none.

Now with the Directory Service holding much more than just passwords and profile settings its desirable for people other than Administrators to update information like address, telephone number (don’t want your highly paid Administrators managing the phone numbers!).

Its possible to allow certain users/group to manage properties of other users manually as follows:

  1. Start the Active Directory Users and Computers MMC snap-in (Start – Programs – Administrative Tools – Active Directory Users and Computers)
  2. Enable the Advanced View (View Menu – Advanced Features)
  3. Right click on the User/Group/OU/Domain and select Properties from the context menu
  4. Select the Security tab
  5. Click the Advanced button
  6. Under the Permissions tab either add a new user/group or select an existing permission entry and click ‘View/Edit..’ button
  7. Select the Object or Properties tab and set the relevant Allow/Deny option for the specific option
    Click here to view image
  8. Click OK to all dialogs