Here is the situation: We have a Windows 2012 server running Active Directory, which manages the logins for all of our network resources. So far, whenever a new user needs to be added, one of the office staff has to talk to us techies and ask us to add the user(s) for them. We have agreed it would be more convenient for everyone if they had the option to add users themselves. However, we do not want to give the staff the ability to manage EVERY aspect of the server, which is what would happen if we simply made them admins.
From what I understand, what we want to do is give these users Remote Desktop access, and then give them fine-grained permissions so that they can manage AD, and only AD. However, I have tried Googling this whole matter, and maybe I am just using the wrong keywords, but I can't find anything that tells me how to do this*. Can someone help me? Alternatively, if this is not how it is done, or if there is a better way, what would it be?
*I'm having trouble with the fine-grained permissions part. I have no issue giving staff remote access
Thanks for any advice!