# Active Directory (On-Premises) Access and Rights Delegation

## Overview

This guide explains how to configure access from the Hideez Enterprise Server (HES) to an on-premises Active Directory (AD), retrieve the user list, and perform password management operations. It also describes how to delegate rights for changing user passwords to non-administrative accounts. These configurations are essential for enabling features such as password change, account unlocking, and secure authentication workflows within HES.

### **1. Connecting to AD to Retrieve the User List**

* By default, **any authenticated AD user** can read the list of other users, so no elevated rights are needed to import and synchronize users.
* If HES only needs to import and synchronize users and password changes are not required, connect to AD with a dedicated account that has **minimal (read-only) privileges**, not an administrator account.

### **2. Changing Passwords, Locking, and Unlocking AD Users**

* These actions can **only** be performed by:
  * Members of the built-in **Administrators** or **Domain Admins** group.
  * Members of the **Account Operators** group (limited to non-administrative accounts).
  * Users or groups that have been **delegated** the right to reset passwords (see section 3).

{% hint style="info" %}
To connect to AD from the HES side, use an account with the appropriate permissions. For password management, prefer a dedicated service account with delegated rights over a Domain Admin account, so that a compromise of the HES credentials does not expose the whole domain.
{% endhint %}

### **3. Delegating Rights to Change Passwords**

To delegate rights to another user or group, follow these steps (administrator rights are required):

1. **Launch the Active Directory Users and Computers (ADUC) Console**:

   * Right-click on the OU containing the users.
   * Select **Delegate Control** from the menu.

<figure><img src="/files/0c2bbQi4c1Xg2Kvazul0" alt="" width="563"><figcaption></figcaption></figure>

2. **Select the User or Group for Delegation**:

Choose the user or group that needs the right to change passwords or other additional permissions:

<figure><img src="/files/D00iYLDxOCJll5h6b0Q3" alt="" width="563"><figcaption></figcaption></figure>

3. **Granting Rights**:

* Tick only the rights that HES actually needs:
  * **Reset user passwords and force password change at next logon**: sufficient for the password change and unlock features.
  * **Create, delete, and manage user accounts**: add this only if HES must also create or remove accounts, as it grants much broader control over every user in the OU.

<figure><img src="/files/OiwFhewXrC23VL72SPdf" alt="" width="504"><figcaption></figcaption></figure>

{% hint style="info" %}
**Important Note:**

* A regular user who is delegated the right to reset passwords can reset the password of any regular user in the OU, but **not of administrators**: accounts that belong to protected groups (Administrators, Domain Admins, Account Operators and others) are re-stamped by the SDProp process (every 60 minutes by default) with the ACL of the **AdminSDHolder** object, so permissions delegated on an OU never apply to them.
{% endhint %}
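The same delegation that the ADUC **Delegate Control** wizard performs in section 3 can be scripted, reviewed and verified with PowerShell. The following is an added example and is not part of the Hideez documentation or the HES product; it assumes the HES users live in `OU=Staff,DC=corp,DC=example` and that HES binds to AD as the service account `CORP\svc-hes` (replace both with your own values). It must run as an account that is allowed to modify the OU's security descriptor, with the RSAT `ActiveDirectory` module installed. In addition to the reset-password right and `pwdLastSet` (force change at next logon), it grants write access to `lockoutTime`, which is the attribute that is set to 0 to unlock an account, and it finishes by listing the protected (`adminCount=1`) users that the delegation will not reach.

```powershell
# Added example (not from the Hideez documentation): delegate password reset,
# force-change-at-next-logon and unlock on one OU to the HES service account.
# Assumed values: OU=Staff,DC=corp,DC=example and CORP\svc-hes.
Import-Module ActiveDirectory

$OuDn     = 'OU=Staff,DC=corp,DC=example'   # assumed OU containing the HES users
$Delegate = 'CORP\svc-hes'                  # assumed HES service account
$Sid = (New-Object System.Security.Principal.NTAccount($Delegate)).Translate(
           [System.Security.Principal.SecurityIdentifier])

# Resolve the GUIDs from the schema/configuration partitions instead of hard-coding them.
$rootDse = Get-ADRootDSE
function Get-SchemaGuid([string]$LdapDisplayName) {
    $obj = Get-ADObject -SearchBase $rootDse.schemaNamingContext `
        -Filter "lDAPDisplayName -eq '$LdapDisplayName'" -Properties schemaIDGUID
    [Guid]$obj.schemaIDGUID
}
function Get-ExtendedRightGuid([string]$DisplayName) {
    $obj = Get-ADObject -SearchBase "CN=Extended-Rights,$($rootDse.configurationNamingContext)" `
        -Filter "displayName -eq '$DisplayName'" -Properties rightsGuid
    [Guid]$obj.rightsGuid
}
$UserClass     = Get-SchemaGuid 'user'
$PwdLastSet    = Get-SchemaGuid 'pwdLastSet'     # written as 0 to force a change at next logon
$LockoutTime   = Get-SchemaGuid 'lockoutTime'    # written as 0 to unlock an account
$ResetPassword = Get-ExtendedRightGuid 'Reset Password'

function New-UserAce([System.DirectoryServices.ActiveDirectoryRights]$Rights, [Guid]$ObjectType) {
    # ACE scoped to descendant *user* objects only; the OU object itself is untouched.
    New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
        $Sid, $Rights, [System.Security.AccessControl.AccessControlType]::Allow,
        $ObjectType, [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents,
        $UserClass)
}

$rw  = [System.DirectoryServices.ActiveDirectoryRights]'ReadProperty, WriteProperty'
$acl = Get-Acl -Path "AD:\$OuDn"
$acl.AddAccessRule((New-UserAce ExtendedRight $ResetPassword))   # reset password
$acl.AddAccessRule((New-UserAce $rw $PwdLastSet))                # force change at next logon
$acl.AddAccessRule((New-UserAce $rw $LockoutTime))               # lock / unlock
Set-Acl -Path "AD:\$OuDn" -AclObject $acl

# Verify what the delegate now holds on the OU.
(Get-Acl -Path "AD:\$OuDn").Access |
    Where-Object { $_.IdentityReference.Value -eq $Delegate } |
    Format-Table ActiveDirectoryRights, ObjectType, InheritedObjectType, InheritanceType -AutoSize

# Protected accounts (adminCount=1: members of Domain Admins, Account Operators, ...)
# get their ACL re-stamped from AdminSDHolder by SDProp, so inherited OU permissions
# never reach them. These users in the OU stay outside the delegate's reach:
Get-ADUser -SearchBase $OuDn -Filter 'adminCount -eq 1' -Properties adminCount |
    Select-Object SamAccountName, DistinguishedName
```

Scoping every ACE to `Descendents` of object class `user` keeps the delegate from gaining rights over the OU itself or over computers, groups and nested OUs, which the wizard's broader **Create, delete, and manage user accounts** task does not prevent. If the final query lists users that HES is expected to manage, move them out of protected groups or manage them with a separately privileged account rather than widening the delegation.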

