How to Set Permissions in Active Directory for Users

Permission settings can be done with third-party management tools

by Henderson Jayden Harper
Henderson Jayden Harper
Henderson Jayden Harper
Passionate about technology, Crypto, software, Windows, and everything computer-related, he spends most of his time developing new skills and learning more about the tech world. He also enjoys... read more
Reviewed by Alex Serban
Alex Serban
Alex Serban
Windows Server & Networking Expert
After moving away from the corporate work-style, Alex has found rewards in a lifestyle of constant analysis, team coordination and pestering his colleagues. Holding an MCSA Windows Server... read more
Affiliate Disclosure
  • Active Directory permissions determine how much privilege you have to access and modify files, folders, and functions on the Active Directory.
  • Administrators can set permissions in the Active Directory via the Group Policy Management Console.
  • You can also use Active Directory management third-party tools like ManageEngine ADManager Plus to manage Active Directory permissions.
how to set permissions in active directory users
ManageEngine ADManager Plus simplifies the Active Directory (AD) processes and workflows so your IT manager can focus on the more important things. AD, Exchange, Microsoft 365, and Microsoft Teams management and reporting are all covered!

  • Create multiple user accounts in one go
  • Modify the attributes of multiple users at once using CSV file import
  • Enable or disable users, and set account expiration dates of users in bulk
  • Change passwords of a single or multiple users

Manage all the Active Directory (AD) processes and workflows with one tool!

The Active Directory is a tool for managing remote computers by users with Administrative access and granting permissions to users. It allows users with permission access to privileges not allowed for other users. Hence, we’ll take you through how to set permissions in Active Directory users.

Also, you can read our article about An account with the same name that exists in Active Directory and how to fix it.

What are permissions in Active Directory?

Access to use and make changes in the Active Directory is limited to a specific set of people with privileges that allow them access to them. These access privileges are permissions in the Active Directory granted to users or groups that permit them to interact with objects.

Furthermore, there are Standard and Special types of permissions in Active Directory. Standard permission allows users to read, write, and have total control.

In addition, special permissions allow the user to modify object permissions or owners, change settings, etc. Check our guide about the best practices for Active Directory to apply now.

How do I set permissions in Active Directory for users?

1. Via the Group Policy Management Console (GPMC)

  1. Press Windows + R key to open the Run dialog box, type gpmc.msc, and click OK to open the Group Policy Management console.
  2. Right-click on the Group Policy Objects icon and select New from the drop-down.
  3. Input a Name, set the Source Starter GPO option as none, and click OK.
  4. Right-click on the new GPO and select Edit GPO from the drop-down.
  5. On the Group Policy Management Editor window, go to Computer Configuration\Windows Settings\Security Settings\
  6. Right-click on File System, then select Add File from the drop-down.
  7. Locate and click on the folder you want to assign permissions, then press OK.
  8. On the Database Security page, click the Advanced button.
  9. In the Permissions tab, click Add to create and assign permission to a new user, select an existing user you want to assign permission to, and press Edit.
  10. On the Permission Entry for Users window, view the list of permissions you can choose, then check the box for Allow or Deny against a Permission.
  11. Click the drop-down button against the Apply onto option, then select where you want to apply the permissions.
  12. Press OK to save the permissions settings.

The above steps will assign the selected privileges to the user and allow access to the selected folder or credentials without requesting permission.

2. Set Permissions for Delegated Authentication

Note icon
This solution is applied in the Active Directory of Windows Server.
  1. Press Windows + R key to open the Run dialog box, type dsa.msc, then press OK to open the Active Directory Users and Computers.
  2. Right-click the user, group, or organizational unit (OU) to delegate, then click the Delegate Control button.
  3. Click Next on the Delegation of Control wizard, and click Add.
  4. On the Select Users, Computers, or Groups dialog box, enter the username or group name you want to grant permissions to configure delegated authentication.
  5. Click Check Names to verify that the user or group has been created in Active Directory, click OK, then click the Next button.
  6. Select the Delegate the following common tasks option, then select the Reset user passwords and force password change at the next logon option.
  7. Click Next, then click Finish.
  8. Right-click on the modified user or group, and select Properties from the drop-down.
  9. Select the Security tab, and then click Advanced.
  10. Click the Add button on the Advanced Security Settings.
  11. On the Permission Entry wizard, click Select a principal, enter the username or group name granted the reset permission, then click OK.
  12. Select Descendant User objects on the Applies to the field to show the list of permissions allowed for the user account.
  13. Scroll down, enable Read lockoutTime, and Write lockoutTime, then click OK.
  14.  Click OK to end the setup.

Expert tip:


Some PC issues are hard to tackle, especially when it comes to corrupted repositories or missing Windows files. If you are having troubles fixing an error, your system may be partially broken.
We recommend installing Restoro, a tool that will scan your machine and identify what the fault is.
Click here to download and start repairing.

The above steps grant the user account permission to change the passwords of all the user objects in the administrative directory.

Read our guide on enabling Active Directory Users and Computers in Windows 11 if you can’t access it with step 1.

3. Use a reliable third-party tool

  1. Sign in to ADManager Plus.
  2. Navigate to AD Mgmt, select File Server Management, then click on Modify NTFS permissions.
  3. Choose which folders you want to enable a user or group to access.
  4. Go to the Accounts tab and choose the users or groups you want to grant permission to access the folder.
  5. Click the Modify button to save the permissions changes.

Administrators can use third-party Active Directory management tools to manage permissions delegation to objects in the Active Directory. Our best recommendation for a third-party Active Directory permissions management tool is ManageEngine ADManager Plus.

ADManager Plus

Manage all your endpoints and their permission with a complete solution that makes it all easier!

Free trial Visit website

Further, our readers can check how to install Active Directory on Windows Server.

Also, we have a detailed guide on how to demote a dominant controller on Windows Servers in a simple way.

In conclusion, these are the best ways to set permissions in Active Directory. Should you have further questions or suggestions, kindly use the comments section.

Still having issues? Fix them with this tool:


If the advices above haven't solved your issue, your PC may experience deeper Windows problems. We recommend downloading this PC Repair tool (rated Great on to easily address them. After installation, simply click the Start Scan button and then press on Repair All.

This article covers:Topics: