MCSE Training Kit, Microsoft Windows 2000 Active Directory Services [Electronic resources]

Jill Spealman


Lesson 5: Delegating Administrative Control of Active Directory Objects

In this lesson you will learn that you can delegate administrative control of objects to individuals so that they can perform administrative tasks on the objects. You will learn how to use the Delegation Of Control Wizard to delegate control of objects and the guidelines for delegating control.

After this lesson, you will be able to

Delegate administrative control of OUs and objects

Estimated lesson time: 20 minutes

Guidelines for Delegating Control

You delegate administrative control of objects by assigning permissions to the object to allow users or groups of users to administer the objects. An administrator can delegate the following types of control:

Assign a user the permissions to change properties on a particular container

Assign a user the permissions to create, modify, or delete objects of a specific type in a specific OU or container

Assign a user the permissions to modify specific properties on objects of a specific type in a specific OU or container

Because tracking permissions at the OU or container level is easier than tracking permissions on objects or object attributes, the most common method of delegating administrative control is to assign permissions at the OU or container level. Assigning permissions at the OU or container level allows you to delegate administrative control for the objects that are contained in the OU or container. Use the Delegation Of Control Wizard to assign permissions at the OU or container level.

For example, you can delegate administrative control by assigning Full Control for an OU to the appropriate manager, only within his or her area of responsibility. By delegating control of the OU to the manager, you can decentralize administrative operations and issues. This reduces your administration time and costs by distributing administrative control closer to its point of service.

To help you delegate administrative control, you may want to follow these suggestions:

Assign control at the OU or container level whenever possible. Assigning control at the OU or container level allows for easier tracking of permission assignments. Tracking permission assignments becomes more complex for objects and object attributes.

Use the Delegation Of Control Wizard. The wizard assigns permissions only at the OU or container level. The wizard simplifies the process of assigning object permissions by stepping you through the process.

Track the delegation of permission assignments. Tracking assignments allows you to maintain records to easily review security settings.

Follow business requirements. Follow any guidelines that your organization has in place for delegating control.

Delegation Of Control Wizard

The Delegation Of Control Wizard steps you through the process of assigning permissions at the OU or container level. More specialized permissions must be manually assigned.

In Active Directory Users and Computers, click the OU or container for which you want to delegate control, and then on the Action menu, click Delegate Control to start the wizard.

Table 11.7 describes the Delegation Of Control Wizard options.

Table 11.7 Delegation Of Control Wizard Options

Users Or Groups: Select the user accounts or groups to which you want to delegate control.

Tasks To Delegate: Select common tasks from a list or create custom tasks to delegate.

Active Directory Object Type (available only when custom tasks are selected in "Tasks To Delegate"): Select the scope of the tasks you want to delegate, either "This Folder, Existing Objects In This Folder, And Creation Of New Objects In This Folder" or "Only The Following Objects In This Folder".

Permissions (available only when custom tasks are selected in "Tasks To Delegate"): Select one of the following permissions to delegate:

General: the most commonly assigned permissions that are available for the object

Property-Specific: the permissions that you can assign to the attributes of the object

Creation/Deletion Of Specific Child Objects: the permissions to create and delete child objects

Guidelines for Administering Active Directory

The following are best practices for administering Active Directory:

In larger organizations, coordinate your Active Directory structure with other administrators. You can move objects later, but this might create extra work.

When you create Active Directory objects, such as user accounts, complete all attributes that are important to your organization. Completing the attributes gives you more flexibility when you search for objects.

Use deny permissions sparingly. If you assign permissions correctly, you should not need to deny permissions. In most cases, denied permissions indicate mistakes that were made in assigning group membership.

Always ensure that at least one user has Full Control for each Active Directory object. Failure to do so might result in objects being inaccessible.

Ensure that delegated users take responsibility and can be held accountable. You gain nothing if you delegate administrative control without ensuring future accountability. As an administrator, you are ultimately responsible for all of the administrative changes that are made. If the users to whom you delegate responsibility are not performing the administrative tasks, you will need to assume responsibility for their failure.

Provide training for users who have control of objects. Ensure that the users to whom you delegate responsibility understand their responsibilities and know how to perform the administrative tasks.
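The guidelines above ask you to track delegated permission assignments and to use Deny permissions sparingly. The following script is an added example, not part of the Training Kit: it inventories every explicit (non-inherited) ACE on each OU so the delegations can be recorded and reviewed, and flags any Deny entries. It assumes the ActiveDirectory PowerShell module is available; the output path is an assumption.

```powershell
# Added example (not from the Training Kit): inventory delegated permissions on all OUs.
# Assumes the ActiveDirectory module; C:\Audit\ad-delegations.csv is an assumed path.
Import-Module ActiveDirectory

# Map schema GUIDs back to class/attribute names so object-specific ACEs are readable
$schemaNc = (Get-ADRootDSE).schemaNamingContext
$guidMap  = @{}
Get-ADObject -SearchBase $schemaNc -LDAPFilter '(schemaIDGUID=*)' `
    -Properties lDAPDisplayName, schemaIDGUID |
    ForEach-Object {
        $g = [guid]$_.schemaIDGUID
        $guidMap[$g] = $_.lDAPDisplayName
    }

function Get-DelegatedAce {
    param([string]$Dn)
    $acl = Get-Acl -Path "AD:\$Dn"
    foreach ($ace in $acl.Access) {
        if ($ace.IsInherited) { continue }   # only what was assigned on this OU itself
        $appliesTo = $ace.ObjectType.ToString()
        if ($ace.ObjectType -eq [guid]::Empty) { $appliesTo = 'All' }
        elseif ($guidMap.ContainsKey($ace.ObjectType)) { $appliesTo = $guidMap[$ace.ObjectType] }
        [pscustomobject]@{
            OU          = $Dn
            Trustee     = $ace.IdentityReference.Value
            Type        = $ace.AccessControlType
            Rights      = $ace.ActiveDirectoryRights
            AppliesTo   = $appliesTo
            Inheritance = $ace.InheritanceType
        }
    }
}

$report = Get-ADOrganizationalUnit -Filter * |
    ForEach-Object { Get-DelegatedAce -Dn $_.DistinguishedName }

# Deny entries usually point to a group-membership mistake (see the guideline above)
$report | Where-Object Type -eq 'Deny' |
    ForEach-Object { Write-Warning "Deny ACE on $($_.OU) for $($_.Trustee)" }

# Keep the inventory with your change records so delegations can be reviewed later
$report | Export-Csv -Path 'C:\Audit\ad-delegations.csv' -NoTypeInformation
$report | Format-Table OU, Trustee, Type, Rights, AppliesTo, Inheritance -AutoSize
```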

Practice: Delegating Administrative Control in Active Directory

In this practice you delegate to a user control over objects in an OU. Refer to the tables that you completed in Lesson 2 to answer the questions in this practice.

To test current permissions

Log on to your domain as Assistant1, and type password as the password.

Start Active Directory Users and Computers.

In the console tree, expand your domain, then click Security1.

What user objects are visible in the Security1 OU?

Which permissions allow you to see these objects? (Hint: Refer to your answers in Lesson 2.)

For the user account with the logon name Secretary1, change the logon hours. Were you successful? Why or why not?

For the Assistant1 user account, under which you are currently logged on, change the logon hours. Were you successful? Why or why not?

Close Active Directory Users and Computers and log off Windows 2000.

To use the Delegation Of Control Wizard to assign Active Directory permissions

Log on to your domain as Administrator and open Active Directory Users and Computers.

In the console tree, expand your domain.

Click Security1, and then on the Action menu, click Delegate Control.

In the Delegation Of Control Wizard, click Next.

The Delegation Of Control Wizard displays the Users Or Groups page.

Notice that the wizard does not display any user accounts or groups. You will add a user account to which to delegate control.

Click Add.

The Select Users, Computers, Or Groups dialog box appears.

Select Assistant1, click Add, then click OK.

Click Next.

The Delegation Of Control Wizard displays the Tasks To Delegate page. Here you can choose to delegate common tasks from a list or create custom tasks to delegate.

For this exercise, confirm that Delegate The Following Common Tasks is selected, click the Create, Delete, And Manage User Accounts check box, then click Next.

The Delegation Of Control Wizard displays the Completing The Delegation Of Control Wizard page.

Review the Summary page.

If all choices reflect the delegation of control on all objects for Assistant1, click Finish.

To make changes, click Back.

Close Active Directory Users and Computers and log off Windows 2000.
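The wizard described in the Delegation Of Control Wizard section and used in the practice above writes ACEs to the OU's security descriptor. The following is an added example, not part of the Training Kit, of making the same "Create, Delete, And Manage User Accounts" delegation with the ActiveDirectory PowerShell module and then reading it back. The domain name contoso.com, the OU Security1 and the user Assistant1 are assumptions, and the two ACEs are my reading of what that common task grants.

```powershell
# Added example (not from the Training Kit): scripted equivalent of delegating
# "Create, Delete, And Manage User Accounts" on OU Security1 to Assistant1.
# Assumptions: ActiveDirectory module, domain contoso.com, OU Security1, user Assistant1.
Import-Module ActiveDirectory

$ouDn    = 'OU=Security1,DC=contoso,DC=com'
$trustee = (Get-ADUser -Identity 'Assistant1').SID

# Look up the schema GUID of the 'user' class rather than hard-coding it
$schemaNc = (Get-ADRootDSE).schemaNamingContext
$userGuid = [guid](Get-ADObject -SearchBase $schemaNc `
    -LDAPFilter '(lDAPDisplayName=user)' -Properties schemaIDGUID).schemaIDGUID

$allow = [System.Security.AccessControl.AccessControlType]::Allow

# ACE 1: create and delete user objects in Security1 and any sub-OUs
$aceCreateDelete = [System.DirectoryServices.ActiveDirectoryAccessRule]::new(
    $trustee,
    [System.DirectoryServices.ActiveDirectoryRights]'CreateChild, DeleteChild',
    $allow,
    $userGuid,                                                         # object type: class 'user' only
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All)

# ACE 2: full control of existing and future user objects below the OU
$aceManage = [System.DirectoryServices.ActiveDirectoryAccessRule]::new(
    $trustee,
    [System.DirectoryServices.ActiveDirectoryRights]::GenericAll,
    $allow,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents,  # .NET's spelling
    $userGuid)                                                         # inherited object type: user objects only

$acl = Get-Acl -Path "AD:\$ouDn"
$acl.AddAccessRule($aceCreateDelete)
$acl.AddAccessRule($aceManage)
Set-Acl -Path "AD:\$ouDn" -AclObject $acl

# Read the ACL back and record what was delegated; the wizard itself has no undo,
# so this output belongs with your change record (see the tracking guideline)
(Get-Acl -Path "AD:\$ouDn").Access |
    Where-Object { -not $_.IsInherited -and $_.IdentityReference.Value -like '*Assistant1' } |
    Select-Object IdentityReference, AccessControlType, ActiveDirectoryRights,
                  ObjectType, InheritanceType, InheritedObjectType
```

Removing the delegation later is a matter of calling RemoveAccessRule with the same two rules and writing the ACL back with Set-Acl.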

To test delegated permissions

Log on to your domain as Assistant1, and type password as your password.

Open Active Directory Users and Computers.

In the console tree, expand your domain, then click Security1.

Attempt to change the logon hours for the Assistant1 and Secretary1 user accounts in the Security1 OU.

Were you successful? Why or why not?

Attempt to change the logon hours for a user account in the Users container.

Were you successful? Why or why not?

Close Active Directory Users and Computers and log off Windows 2000.

Lesson Summary

In this lesson you learned that you can delegate administrative control of objects to individuals so that they can perform administrative tasks on the objects. Assigning permissions at the OU or container level allows you to delegate administrative control for the objects that are contained in the OU or container. You learned how to use the Delegation Of Control Wizard to delegate control of objects and the guidelines for delegating control. In the practice portion of this lesson you used the Delegation Of Control Wizard to delegate to a user control over objects in an OU.