Professional Windows Server 1002003 Security A Technical Reference [Electronic resources] نسخه متنی

The console you use to perform delegation depends on which directory
object you are delegating authority over:

• To delegate control over domains and OUs, use Active Directory Users
  and Computers. See

  Active DirectoryTools
  for more information about this console.

• To delegate control over sites, use Active Directory Sites and
  Services. See

  SiteTools for more
  information about this console.

For both of these consoles, delegation is performed using the
Delegation of Control Wizard.

Delegate Authority over a Domain

Active Directory Users
and Computers right-click on a domain Delegate Control Next select users or groups specify tasks to delegate

The three options here are:

• Join a computer to the domain.

• Manage Group Policy links.

• Create a custom task to delegate.

You can choose one or both of the first two options. If you choose
the third option, the other two become unavailable and the wizard can
continue two different ways:

Create a custom task to delegate delegate control over all
objects in this folder specify permissions to delegate for
the objects you selected

Create a custom task to delegate delegate control over
some objects in the folder select objects to delegate
authority over choose whether to also delegate
create/delete permissions for the objects you selected
specify permissions to delegate for the objects you selected

For example, you can grant specified users or groups Full Control
permission over all Computer accounts in your domain.

Delegate Authority over an OU

Active Directory Users and Computers right-click on an OU Delegate Control

The wizard proceeds the
same as before except that the list
of tasks available for delegation is more extensive (and more useful)
than when delegating authority over a domain. For example, you can
delegate the right to:

• Create, delete, and manage user accounts

• Reset user passwords and force password change at next logon

• Read all user information

• Create, delete, and manage groups

• Modify the membership of a group

• Manage Group Policy links

• Generate Resultant Set of Policy

Delegate Authority over a Site Object

The term

site object in this
context refers
to:

• The Sites container

• A particular site (including the Default-First-Site-Name object)

• A Servers folder beneath a particular site object

• The Inter-Site Transports container

• The Subnets container

To delegate control over a site object:

Active Directory Sites and Services right-click on site Delegate Control Next select users or groups specify tasks to delegate

For any site object that is not a particular site, the only option
you have is to create a custom task to delegate. For sites, you can
also choose either to delegate Manage Group Policy Links or to create
a custom task instead.

Modify Delegated Permissions

You can modify Active Directory

permissions that have been assigned
to users and groups using the Delegation of Control Wizard, but to do
so for domains or OUs requires making the advanced portions of Active
Directory visible:

Active Directory Users and Groups View toggle Advanced Features on right-click on domain or OU Properties Security select user or group modify permissions as desired

You really need to know what you're doing before you
start playing around with Active Directory permissions this way! This
also highlights a flaw in this wizard-based approach to
delegationyou can use the wizard to delegate, but you
can't use it to undo what you delegatedyou
have to do this manually!