Delegation Concepts

granting users limited control over portions of Active Directory. This distributes the administrative burden of managing Active Directory to trusted users and groups in an enterprise, thus easing the workload for administrators.
Delegation Strategies
There are two ways to delegate authority over Active Directory:

- Object-based delegation
  One way of delegating administrative privileges in Active Directory is to assign permissions over specific types of objects contained in sites, domains, or OUs to specific users or groups. These objects can include computers, users, groups, printers, and so on. For example, an administrator could delegate Full Control permission over computer objects in an OU called Web Servers to a Webmasters global group, giving members of this group full control over the servers in their department.

- Task-based delegation
  Another way of performing delegation is to delegate the authority to perform a particular task for a site, domain, or OU to specific users or groups. For example, an administrator could delegate authority over a domain to a global group called CompAdmins to perform the task "Add a computer to the domain."
In addition, you can delegate the power to delegate by delegating the permission to assign permissions on objects to users and groups. By doing this, you can empower trusted users to entrust others with limited administrative privileges. This sounds like a good idea, but if not documented properly, you will soon lose track of who can do what on your network.

When delegating authority over objects or tasks, always delegate administrative authority over directory objects to groups, not to users. This simplifies Active Directory administration in the long run as your company grows and reorganizes. Nesting groups is a powerful technique that can simplify complex administration.

When choosing which directory objects to delegate authority over, note that delegating authority at the OU level is generally preferable to doing so at the site or domain level. When delegating authority at the OU level, do so at the highest level possible to take advantage of inheritance, which simplifies the assignment of Active Directory permissions. You can also override the permissions that a child object might inherit from its parent object. This is called blocking and prevents future changes to the parent's permissions from flowing to the child. Blocking makes permissions hierarchies more complicated and should be avoided unless absolutely necessary. Instead, it's better to move objects you want to block to a different OU and assign suitable permissions to that OU.
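As an added example (not from the original text), the two delegations described above expressed in PowerShell with the RSAT ActiveDirectory module, followed by the check a practitioner would want so the delegation stays documented: a listing of explicit (non-inherited) ACEs under the OU and a warning for any object that blocks inheritance. The Web Servers OU and Webmasters group are the page's own illustration; the domain corp.example.com is a placeholder, and the task-based "Add a computer" ACE is applied to the OU here rather than to the domain.

```powershell
Import-Module ActiveDirectory

$ouDN  = "OU=Web Servers,DC=corp,DC=example,DC=com"   # placeholder domain
$group = Get-ADGroup -Identity "Webmasters"

# Read the schemaIDGUID of the computer class from the schema rather than hard-coding it.
$schemaNC     = (Get-ADRootDSE).schemaNamingContext
$computerGuid = [guid](Get-ADObject -SearchBase $schemaNC `
    -LDAPFilter "(lDAPDisplayName=computer)" -Properties schemaIDGUID).schemaIDGUID

$acl = Get-Acl -Path "AD:\$ouDN"

# Object-based delegation: Full Control (GenericAll) over descendant computer objects only.
$fullControl = [System.DirectoryServices.ActiveDirectoryAccessRule]::new(
    $group.SID,
    [System.DirectoryServices.ActiveDirectoryRights]::GenericAll,
    [System.Security.AccessControl.AccessControlType]::Allow,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents,
    $computerGuid)   # inheritedObjectType: the ACE applies to computer objects only

# Task-based delegation: "Add a computer" is the right to create child objects of class computer.
$addComputer = [System.DirectoryServices.ActiveDirectoryAccessRule]::new(
    $group.SID,
    [System.DirectoryServices.ActiveDirectoryRights]::CreateChild,
    [System.Security.AccessControl.AccessControlType]::Allow,
    $computerGuid,   # objectType: which class of child may be created
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All)

$acl.AddAccessRule($fullControl)
$acl.AddAccessRule($addComputer)
Set-Acl -Path "AD:\$ouDN" -AclObject $acl

# Documentation check: list every explicit (non-inherited) ACE on the OU and the objects
# beneath it, and warn where an object blocks inheritance from its parent.
Get-ADObject -SearchBase $ouDN -Filter * | ForEach-Object {
    $dn     = $_.DistinguishedName
    $objAcl = Get-Acl -Path "AD:\$dn"
    if ($objAcl.AreAccessRulesProtected) {
        Write-Warning "Inheritance blocked on $dn"
    }
    $objAcl.Access | Where-Object { -not $_.IsInherited } | ForEach-Object {
        [pscustomobject]@{
            Object    = $dn
            Trustee   = $_.IdentityReference
            Rights    = $_.ActiveDirectoryRights
            Type      = $_.AccessControlType
            AppliesTo = $_.InheritanceType
        }
    }
} | Format-Table -AutoSize
```

Run the final block alone on a schedule to keep a record of who can do what; an object that shows up with a blocked-inheritance warning is a candidate for moving to its own OU, as the text recommends.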