I want to delegate user create, edit, delete and change password rights to one of the domain users.
I have one domain controller and a file server in my domain. There are 3 OUs (Students, Staff, Projects). There are groups in these OUs: grpStudents, grpStaff and grpProjects respectively. The user's home folder is created on a Win2k3 machine and is specified as \\fileserver\sharename\%username% in the Profile tab.
Here the sharename is Students, for example.
Share permissions are given to the group grpStudents (Change) and to the domain administrator (Change).
NTFS permissions are given to the group grpStudents (Modify) and to the domain administrator (Full Control).
If I am logged on as domain administrator, and creating user, his home folder is created and the user gets full permission.
To delegate this job to someone else, I created an OU called Administrators and added a user in it.
Then I granted permissions of Students folder to this user at fileserver (name of the file server in my domain). Share Permission: Change, NTFS Permissions: Full Control.
Then I delegated the appropriate rights to this user of the OU Students.
Then I logged on to the domain controller as this user.
I created a user; it created the home folder but could not assign full rights to the newly created student user.
The following error occurred:
The \\fileserver\Students\testuser home folder was not created because you do not have create access on the server. The user account has been updated with the new home folder value but you must create the directory manually after obtaining the required access rights.
I checked in Students folder at fileserver and found that the folder was created by the name testuser, but when I checked the NTFS permissions, the user was not assigned the access.
If I do the same with the domain administrator account, everything works fine, no error message comes, it creates the folder, assigns the rights to the user.
I've screenshots of how I did it, but don't know how to attach them here; I can mail you the same if it is required. Please help.

It sounds like you have to make that person an administrator. Creating an OU called Administrators isn't enough.

Well, you can say that, Guapo, but I just want to assign him user creation rights in these 3 OUs; I do not want him to change Group Policy or change user management of the default Users container. So this is what my problem is: he is not an administrator but he should be able to manage users (only users) in a few OUs, and I gave him all the required permissions to perform the same.
(I understand that creating an OU by the name Administrators will not make anybody an administrator, if this is the case, I could have added him in the administrators or domain administrators group)

Making someone an administrator typically shows they don't know what to do so they take a shotgun approach.
Rajoo, I would give everyone full control with SHARE permissions. Since you are locking things down with NTFS permissions you will still be protected. When Share and NTFS permissions combine, the most restrictive wins. Adding Full Control to Share permissions will not lessen your security. That may fix your issue. The creation of the home folder is not an issue of permission at the OU. It is a question of security at that folder. In order to create the home folder, the account creating the user account will also need access to the parent folder of where the home folder is to be created.
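The setup described in the question (share and NTFS permissions on \\fileserver\Students, home folders created underneath it) and Glen's point that the account creating the user must also have rights on the parent folder, as an added PowerShell example that is not from anyone in this thread. It assumes the Students share is rooted at D:\Students on the file server, that the delegated provisioning account is CONTOSO\hd-provisioner and the domain is CONTOSO (placeholder names), and that it runs locally on the file server with administrative rights. The functions do the same three things the domain administrator's account does implicitly: open up the share, give the delegated account enough NTFS rights on the parent folder to create a subfolder and set its ACL, then create the home folder and grant the new user Full Control on it.

```powershell
# Added example; not code from the thread. Placeholder values are assumptions.
#Requires -RunAsAdministrator

$ShareRoot     = 'D:\Students'             # local path behind \\fileserver\Students (assumed)
$ShareName     = 'Students'
$Domain        = 'CONTOSO'                 # placeholder domain NetBIOS name
$DelegatedUser = "$Domain\hd-provisioner"  # placeholder for the delegated account

# 1. Share permissions: Full Control for Everyone. Effective access is the more
#    restrictive of share and NTFS, so the NTFS ACL below still does the locking down.
function Set-OpenSharePermissions {
    param([string]$Name, [string]$Path)
    if (Get-Command Grant-SmbShareAccess -ErrorAction SilentlyContinue) {
        # SmbShare module: Windows Server 2012 / Windows 8 and later
        Grant-SmbShareAccess -Name $Name -AccountName 'Everyone' -AccessRight Full -Force | Out-Null
    } else {
        # net share can only set share permissions when the share is (re)created;
        # /GRANT needs Server 2008 or later. On Server 2003 use the Sharing tab instead.
        net share $Name /DELETE | Out-Null
        net share "$Name=$Path" /GRANT:Everyone,FULL | Out-Null
    }
}

# 2. NTFS on the parent folder: the provisioning account needs to create a subfolder
#    and then write its ACL, so grant Modify plus ChangePermissions, inherited downwards.
function Grant-ProvisionerAccess {
    param([string]$Path, [string]$Account)
    $rights = [System.Security.AccessControl.FileSystemRights]::Modify -bor
              [System.Security.AccessControl.FileSystemRights]::ChangePermissions
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
        $Account,
        $rights,
        [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit',
        [System.Security.AccessControl.PropagationFlags]::None,
        [System.Security.AccessControl.AccessControlType]::Allow)
    $acl = Get-Acl -Path $Path
    $acl.AddAccessRule($rule)
    Set-Acl -Path $Path -AclObject $acl
}

# 3. Create the home folder and give the new user Full Control on it, which is what
#    the Profile tab does when the creating account has enough access on the parent.
function New-StudentHomeFolder {
    param([string]$Root, [string]$UserName, [string]$UserDomain = $Domain)
    $folder = Join-Path -Path $Root -ChildPath $UserName
    if (-not (Test-Path -Path $folder)) {
        New-Item -ItemType Directory -Path $folder | Out-Null
    }
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
        "$UserDomain\$UserName",
        [System.Security.AccessControl.FileSystemRights]::FullControl,
        [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit',
        [System.Security.AccessControl.PropagationFlags]::None,
        [System.Security.AccessControl.AccessControlType]::Allow)
    $acl = Get-Acl -Path $folder
    $acl.AddAccessRule($rule)
    Set-Acl -Path $folder -AclObject $acl
    return $folder
}

# 4. Check: does the folder carry an explicit or inherited Allow Full Control for the user?
#    Parentheses matter: in PowerShell -eq binds tighter than -band.
function Test-HomeFolderAcl {
    param([string]$Path, [string]$Account)
    $full = [System.Security.AccessControl.FileSystemRights]::FullControl
    $acl  = Get-Acl -Path $Path
    $match = $acl.Access | Where-Object {
        $_.IdentityReference.Value -eq $Account -and
        $_.AccessControlType -eq 'Allow' -and
        (($_.FileSystemRights -band $full) -eq $full)
    }
    return [bool]$match
}

# Usage, run once on the file server as an administrator:
Set-OpenSharePermissions -Name $ShareName -Path $ShareRoot
Grant-ProvisionerAccess -Path $ShareRoot -Account $DelegatedUser
$created = New-StudentHomeFolder -Root $ShareRoot -UserName 'testuser'
Test-HomeFolderAcl -Path $created -Account "$Domain\testuser"
```

Test-HomeFolderAcl returns $true only when the user's Full Control entry is actually present on the folder, so it is a quick way to reproduce the symptom in the question: the folder exists but the ACL was never written. Running New-StudentHomeFolder while logged on as the delegated account, rather than as a domain administrator, is the equivalent of the test the question describes, and it fails at Set-Acl if the account lacks ChangePermissions (or ownership) on the new folder.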

Like Glen said. And I must add my $.02 on something. I think you should rethink the "Administrators" name for that OU, if you're creating your security group and using that "Administrators" OU, it's really not a good idea to have the name be "Administrators." Something more descriptive might be in order.
Life's more painless for the brainless.

Thanks Glen, I'll try this when I'm back in the office and let you know.
Jennifer, thanks for your suggestion, you are right, this name will only increase ambiguity.
Thanks guys, let me try, I'll get back to you.
