
Learn AD in 15 Minutes a Week: AD Delegation of Authority - Delegating Administrative Control Page 2

By ServerWatch Staff
Posted Sep 5, 2002


Delegation of Control Wizard

The Delegation of Control Wizard is used to set specific permissions on Active Directory objects, allowing specific users or groups to gain the appropriate delegated control over the required objects.

By using the Delegation of Control Wizard and deploying a specific organizational unit hierarchy, as well as properly planning user groups and appropriate permissions, you can designate administrative control to a user or a particular group of users so that they have the required level of administration to perform their job function.

You can define the detail of the required administration in three ways: by adjusting the properties on a given Active Directory object, usually an Organizational Unit; by allowing the delegate to create, delete and/or move objects of a specific type under those organizational units that require administrative control; and by adjusting specific properties on objects of a specific type, such as allowing the delegate to reset a password or create child objects.

You can start the Delegation of Control Wizard from within Active Directory Users and Computers by right-clicking the organizational unit for which you want to delegate control and then choosing Delegate Control from the pop-up menu. Click Next to bypass the Welcome page. You will next see the Users Or Groups page.

Click Add to open the Select Users, Computers, Or Groups dialog box.

Select the users or groups to which you want to delegate control, and select Next to open the Users and Groups page, where you select a group to which you want to assign permissions. From here you click Next to assign tasks to delegate from the standard list.



The Create, delete, and manage user accounts common task assigns the delegate(s) the permission to create, delete, and modify user accounts and the attributes of all user accounts in the selected Organizational Unit.

The Reset passwords on a user account common task assigns the delegate(s) the permission to change the passwords of all user accounts in the selected Organizational Unit.

The Read all user information common task assigns the delegate(s) the permission to read all the attributes of the objects in the selected Organizational Unit.

The Create, delete, and manage groups common task assigns the delegate(s) the permission to edit, create, or delete group accounts and the attributes of all group accounts in the selected Organizational Unit.

The Modify the membership of a group common task assigns the delegate(s) the permission to change the members of groups in the selected Organizational Unit.

The Manage Group Policy links common task assigns the delegate(s) the permission to edit, add or delete Group Policy links for the selected Organizational Unit.

After you delegate a common task or tasks, you can end the wizard by clicking Next to display the "Completing the Delegation of Control Wizard" screen.

[NOTES FROM THE FIELD] - You can also elect to Create a custom task to delegate from the Tasks to Delegate screen by selecting the radio button with the same name and choosing Next instead of choosing one of the Common Tasks.
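The wizard only writes access control entries; it gives no report of what has been delegated on an OU afterwards. The following PowerShell is an added example, not part of the original article, that lists the explicit Allow entries on an OU and labels those matching the common tasks above. It assumes a management host with the ActiveDirectory module (which postdates Windows 2000), and the OU name and the function names are hypothetical.

```powershell
# Added example: review what has been delegated on an OU.
Import-Module ActiveDirectory   # provides the AD: drive used by Get-Acl

# Well-known schema and extended-right GUIDs (identical in every forest).
$KnownGuids = @{
    '00299570-246d-11d0-a768-00aa006e0529' = 'Reset Password (extended right)'
    'bf967aba-0de6-11d0-a285-00aa003049e2' = 'user (class)'
    'bf967a9c-0de6-11d0-a285-00aa003049e2' = 'group (class)'
    'bf9679c0-0de6-11d0-a285-00aa003049e2' = 'member (attribute)'
    'f30e3bbe-9ff0-11d1-b603-0000f80367c1' = 'gPLink (attribute)'
    '00000000-0000-0000-0000-000000000000' = 'all'
}

# Hypothetical helper: turn an ACE GUID into a readable label when known.
function Resolve-AceGuid {
    param([Guid]$Guid)
    $key = $Guid.ToString()
    if ($KnownGuids.ContainsKey($key)) { $KnownGuids[$key] } else { $key }
}

# Hypothetical helper: return the explicit (non-inherited) Allow ACEs on an OU.
function Get-OuDelegation {
    param([Parameter(Mandatory = $true)][string]$OuDistinguishedName)

    $acl = Get-Acl -Path "AD:\$OuDistinguishedName"
    $acl.Access |
        Where-Object { -not $_.IsInherited -and $_.AccessControlType -eq 'Allow' } |
        ForEach-Object {
            [pscustomobject]@{
                Trustee   = $_.IdentityReference.Value
                Rights    = $_.ActiveDirectoryRights
                Object    = Resolve-AceGuid $_.ObjectType           # what is granted
                AppliesTo = Resolve-AceGuid $_.InheritedObjectType  # child type it applies to
                Scope     = $_.InheritanceType
            }
        }
}

# Constructed OU name; replace with the OU the wizard was run against.
Get-OuDelegation -OuDistinguishedName 'OU=Sales,DC=example,DC=com' |
    Sort-Object Trustee |
    Format-Table -AutoSize
```

A new OU already carries explicit entries for built-in groups, so compare the output against an untouched OU to isolate the entries the wizard added.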


Well, that wraps up this section of Learn Active Directory Design and Administration in 15 Minutes a Week covering the Windows 2000 Active Directory Delegation of Authority - Delegating Administrative Control. I hope you found it informative and will return for the next installment.

If you have any questions, comments or even constructive criticism, please feel free to drop me a note.

I want to write good, solid technical articles that appeal to a large range of readers and skill levels and I can only be sure of that through your feedback.

Until then, best of luck in your studies and remember,


"If CON is the opposite of PRO, then what is the opposite of progress?"


Jason Zandri
Jason@Zandri.net

www.2000trainers.com

