It's 2024, so you are probably wondering why I would write an article on delegating control in Active Directory. Well, companies are slow to move to Azure, and even when they do start moving, they will have legacy servers that depend on AD for a number of years.
I was asked to look into a request from the HR department to allow them to edit the following user attributes in AD:
Office
Mobile
First Name
Surname
Display Name
Description
Telephone
Job Title
Department
Company
Manager
Pager
To start off, and to save yourself some hassle down the road, do not delegate permissions to an individual user; create a group instead. Even if you are told there will only ever be one user needing access, circumstances can change. If that user leaves, you'll be left with an orphaned SID in the AD permissions.
Next, if the group only needs to edit user objects, find the root OU for your users and delegate control from there; there is no point in granting access to more than they need.
After selecting the OU, right-click on it and choose 'Delegate Control'. Limit the scope to user objects; even if there are no other object types in the OU today, it's still good practice.
When you get to 'Permissions' in the wizard, select 'Property-specific'; this gives the most granular permissions. You'll find there are a lot of them, and scrolling through to find the right one can take time.
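The same delegation can be done from PowerShell instead of the wizard, which makes the result repeatable and easy to review in source control. The script below is an added example and is not from the original article. It assumes the ActiveDirectory RSAT module is installed and that you run it with rights to change the OU's security descriptor; the group name 'HR-UserAttribute-Editors' and the OU path 'OU=Users,OU=Corp,DC=example,DC=com' are placeholders you would replace with your own. It grants Write permission on exactly the twelve attributes listed above, to the group only, inherited only by user objects under the OU.

```powershell
# Added example, not from the original article.
# Assumptions: ActiveDirectory module available; placeholder group and OU names below.
Import-Module ActiveDirectory

$GroupName = 'HR-UserAttribute-Editors'                 # placeholder
$TargetOU  = 'OU=Users,OU=Corp,DC=example,DC=com'       # placeholder: root OU for your users

# LDAP display names for the attributes HR asked for (display name in the comment).
$Attributes = @(
    'physicalDeliveryOfficeName', # Office
    'mobile',                     # Mobile
    'givenName',                  # First Name
    'sn',                         # Surname
    'displayName',                # Display Name
    'description',                # Description
    'telephoneNumber',            # Telephone
    'title',                      # Job Title
    'department',                 # Department
    'company',                    # Company
    'manager',                    # Manager
    'pager'                       # Pager
)

# 1. Delegate to a group, never to an individual, so a leaver does not leave an orphaned SID.
$group = Get-ADGroup -Filter "Name -eq '$GroupName'" -ErrorAction SilentlyContinue
if (-not $group) {
    $group = New-ADGroup -Name $GroupName -GroupScope Global -GroupCategory Security -PassThru
}
$groupSid = [System.Security.Principal.SecurityIdentifier]$group.SID

# 2. Resolve schemaIDGUIDs so each ACE is property-specific (the GUI's 'Property-specific' choice).
$schemaNC = (Get-ADRootDSE).schemaNamingContext
function Get-SchemaGuid([string]$LdapDisplayName) {
    $obj = Get-ADObject -SearchBase $schemaNC -LDAPFilter "(lDAPDisplayName=$LdapDisplayName)" -Properties schemaIDGUID
    if (-not $obj) { throw "Schema object '$LdapDisplayName' not found" }
    [guid]$obj.schemaIDGUID
}
$userClassGuid = Get-SchemaGuid 'user'   # restricts inheritance to user objects only

# 3. One Allow WriteProperty ACE per attribute, applied to descendant user objects, not the OU itself.
$acl = Get-Acl -Path "AD:\$TargetOU"
foreach ($attr in $Attributes) {
    $ace = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
        $groupSid,
        [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty,
        [System.Security.AccessControl.AccessControlType]::Allow,
        (Get-SchemaGuid $attr),
        [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents,
        $userClassGuid
    )
    $acl.AddAccessRule($ace)
}
Set-Acl -Path "AD:\$TargetOU" -AclObject $acl
```

Because the ACEs are built from schema GUIDs rather than picked from the wizard's list, this route does not depend on which properties the GUI happens to show; the dssec.dat visibility setting only affects what the Delegation of Control wizard and the Security tab display.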
But what if you can't find the permission you are looking for? Some properties are not visible in the wizard unless you edit the c:\windows\system32\dssec.dat file. Open it with Notepad, search for '[User]' and make the following changes:
physicalDeliveryOfficeName=0
sn=0
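If you have to make this change on several admin workstations, the edit can be scripted. This is an added example, not from the original article; it assumes the default dssec.dat path given above, must be run from an elevated session because the file lives under System32, and it only touches lines inside the '[User]' section so the same attribute names under other classes are left alone.

```powershell
# Added example, not from the original article. Sets the listed [User] entries to 0,
# as described in the text, without disturbing other sections. Run elevated.
$Path  = 'C:\Windows\System32\dssec.dat'
$Attrs = @('physicalDeliveryOfficeName', 'sn')   # add others you cannot find in the wizard

Copy-Item -Path $Path -Destination "$Path.bak" -Force   # keep a backup to roll back from

$lines  = [string[]](Get-Content -Path $Path)
$inUser = $false
for ($i = 0; $i -lt $lines.Count; $i++) {
    # Section headers look like [User], [Computer], ...; -eq is case-insensitive in PowerShell.
    if ($lines[$i] -match '^\[(.+)\]\s*$') { $inUser = ($Matches[1] -eq 'User'); continue }
    if (-not $inUser) { continue }
    foreach ($a in $Attrs) {
        if ($lines[$i] -match "^\s*$([regex]::Escape($a))\s*=") { $lines[$i] = "$a=0" }
    }
}
Set-Content -Path $Path -Value $lines -Encoding ASCII
```

Reopen Active Directory Users and Computers after the change; the wizard reads dssec.dat when it starts, so an already-open console will keep showing the old list.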
Remember that when you delegate control to a group that has already been given some access, the permissions are cumulative. It's not easy to determine what permissions the group already has, so if you make a mistake it can make sense to remove the group's permissions in the OU's properties and start again.
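Working out what a group already holds is easier when you read the OU's ACL back and translate the GUIDs into attribute names, and the same script can then strip those entries if you want a clean start. This is an added example, not from the original article; it reuses the placeholder group and OU names from the earlier example and assumes the ActiveDirectory module. Set `$RemoveExisting` to `$true` only after you have reviewed the listing.

```powershell
# Added example, not from the original article. Lists every ACE on the OU granted to the
# group (with GUIDs resolved to names) and optionally removes the non-inherited ones.
Import-Module ActiveDirectory

$GroupName      = 'HR-UserAttribute-Editors'            # placeholder
$TargetOU       = 'OU=Users,OU=Corp,DC=example,DC=com'  # placeholder
$RemoveExisting = $false                                # $true = remove the group's ACEs and start again

$rootDse = Get-ADRootDSE

# GUID -> name map: attributes and classes come from the schema (schemaIDGUID),
# extended rights such as 'Reset Password' from CN=Extended-Rights (rightsGuid).
$guidMap = @{ [guid]::Empty = 'All properties / all object types' }
Get-ADObject -SearchBase $rootDse.schemaNamingContext -LDAPFilter '(schemaIDGUID=*)' `
    -Properties lDAPDisplayName, schemaIDGUID |
    ForEach-Object { $guidMap[[guid]$_.schemaIDGUID] = $_.lDAPDisplayName }
Get-ADObject -SearchBase "CN=Extended-Rights,$($rootDse.configurationNamingContext)" `
    -LDAPFilter '(objectClass=controlAccessRight)' -Properties displayName, rightsGuid |
    ForEach-Object { $guidMap[[guid]$_.rightsGuid] = $_.displayName }

function Resolve-Guid([guid]$Guid) {
    if ($guidMap.ContainsKey($Guid)) { $guidMap[$Guid] } else { $Guid.ToString() }
}

$identity  = "$((Get-ADDomain).NetBIOSName)\$GroupName"
$acl       = Get-Acl -Path "AD:\$TargetOU"
$groupAces = @($acl.Access | Where-Object { $_.IdentityReference.Value -eq $identity })

# Report: one row per ACE so cumulative grants from earlier delegations become visible.
$groupAces | ForEach-Object {
    [pscustomobject]@{
        Type        = $_.AccessControlType
        Rights      = $_.ActiveDirectoryRights
        Property    = Resolve-Guid $_.ObjectType
        AppliesTo   = Resolve-Guid $_.InheritedObjectType
        Inheritance = $_.InheritanceType
        Inherited   = $_.IsInherited
    }
} | Format-Table -AutoSize

if ($RemoveExisting) {
    # Inherited ACEs come from a parent and cannot be removed here; they are listed above so you know where to look.
    foreach ($ace in ($groupAces | Where-Object { -not $_.IsInherited })) {
        [void]$acl.RemoveAccessRule($ace)
    }
    Set-Acl -Path "AD:\$TargetOU" -AclObject $acl
}
```

An 'Inherited = True' row means the permission was granted higher up the tree, so removing entries on this OU will not clear it; check the parent OU or the domain head instead.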