Professional Windows Server 1002003 Security A Technical Reference [Electronic resources]

The console you use to perform delegation depends on which directory object you are delegating authority over:

• To delegate control over domains and OUs, use Active Directory Users and Computers. See

  Active DirectoryTools for more information about this console.

• To delegate control over sites, use Active Directory Sites and Services. See

  SiteTools for more information about this console.

For both of these consoles, delegation is performed using the Delegation of Control Wizard.

Delegate Authority over a Domain

Active Directory Users and Computers right-click on a domain Delegate Control Next select users or groups specify tasks to delegate

The three options here are:

• Join a computer to the domain.

• Manage Group Policy links.

• Create a custom task to delegate.

You can choose one or both of the first two options. If you choose the third option, the other two become unavailable and the wizard can continue two different ways:

Create a custom task to delegate delegate control over all objects in this folder specify permissions to delegate for the objects you selected

Create a custom task to delegate delegate control over some objects in the folder select objects to delegate authority over choose whether to also delegate create/delete permissions for the objects you selected specify permissions to delegate for the objects you selected

For example, you can grant specified users or groups Full Control permission over all Computer accounts in your domain.

Delegate Authority over an OU

Active Directory Users and Computers right-click on an OU Delegate Control

The wizard proceeds the same as before except that the list of tasks available for delegation is more extensive (and more useful) than when delegating authority over a domain. For example, you can delegate the right to:

• Create, delete, and manage user accounts

• Reset user passwords and force password change at next logon

• Read all user information

• Create, delete, and manage groups

• Modify the membership of a group

• Manage Group Policy links

• Generate Resultant Set of Policy

Delegate Authority over a Site Object

The term

site object in this context refers to:

• The Sites container

• A particular site (including the Default-First-Site-Name object)

• A Servers folder beneath a particular site object

• The Inter-Site Transports container

• The Subnets container

To delegate control over a site object:

Active Directory Sites and Services right-click on site Delegate Control Next select users or groups specify tasks to delegate

For any site object that is not a particular site, the only option you have is to create a custom task to delegate. For sites, you can also choose either to delegate Manage Group Policy Links or to create a custom task instead.

Modify Delegated Permissions

You can modify Active Directory permissions that have been assigned to users and groups using the Delegation of Control Wizard, but to do so for domains or OUs requires making the advanced portions of Active Directory visible:

Active Directory Users and Groups View toggle Advanced Features on right-click on domain or OU Properties Security select user or group modify permissions as desired

You really need to know what you're doing before you start playing around with Active Directory permissions this way! This also highlights a flaw in this wizard-based approach to delegationyou can use the wizard to delegate, but you can't use it to undo what you delegatedyou have to do this manually!