Learn AD in 15 Minutes a Week: AD Delegation of Authority – Delegating Administrative Control Page 2

Delegation of Control Wizard

The
Delegation of Control Wizard is used to set specific
permissions on Active Directory objects, allowing specific
users or groups to gain the appropriate delegated control over
the required objects.

By using
the Delegation of Control Wizard and deploying a specific
organizational unit hierarchy, as well as properly planning
user groups and appropriate permissions, you can designate
administrative control to a user or a particular group of
users so that they have the required level of administration
to perform their job function.

You can
define the detail of the required administration by
adjusting the properties on a given Active Directory object,
usually an Organizational Unit, creating, deleting and/or
moving objects of a specific type under those organizational
units that require administrative control, and adjusting
specific properties on objects of a specific type, such as
allowing the delegate to reset a password or create child
objects.

You can
start the Delegation of Control Wizard from within Active
Directory Users and Computers by first right clicking on the
organizational unit you want to allow delegate control and
then choosing Delegate Control to launch the Delegation of Control
Wizard from the pop up menu. Click Next to bypass the
Welcome page. You will next see the Users Or Groups page.

Click Add
to open the Select Users, Computers, Or Groups dialog box.

Select the
users or groups to which you want to delegate control, and
select Next to open the Users and Groups page, where you
select a group to which you want to assign permissions.
From here you click Next to assign tasks to delegate from the standard list.

The
Create, delete, and manage user accounts common task
assigns the
delegate(s)
the permission to create, delete, and modify user accounts
and the attributes of all user accounts in the selected
Organizational Unit.

The
Reset passwords on a user account common task assigns
the
delegate(s)
the permission to change the passwords of all user accounts
in the selected Organizational Unit.

The Read
all user information common task assigns the
delegate(s)
the permission to read all the attributes of the objects in the selected Organizational
Unit.

The
Create, delete, and manage groups common task assigns
the
delegate(s)
the permission to edit, create, or delete, group accounts
and attributes of all group accounts in the selected
Organizational Unit.

The
Modify the membership of a group common task assigns the
delegate(s) the
permission to change the members of groups in the selected
Organizational Unit.

The
Manage Group Policy links common task
assigns the delegate(s)
the permission to edit, add or delete Group Policy links
for the selected Organizational Unit.

After you
delegate a common task or tasks, you can end the wizard by
clicking Next to display the “Completing the Delegation of
Control Wizard” screen.

[NOTES
FROM THE FIELD] – You can also elect to Create a
custom task to delegate from the Tasks to Delegate
screen by selecting the radio button with the same name and
choosing Next instead of choosing one of the Common Tasks.

Well, that wraps up this section
of Learn Active Directory Design and Administration in 15
Minutes a Week covering the Windows 2000 Active Directory
Delegation of Authority – Delegating Administrative Control. I hope
you found it informative and will return for the next
installment.

If you have any questions, comments or
even constructive criticism, please feel free to drop me a
note.

I want to write good, solid technical
articles that appeal to a large range of readers and skill
levels and I can only be sure of that through your feedback.

Until then, best of luck in your
studies and remember,

“If
CON is the opposite of PRO, then what is the opposite of
progress?”

Jason Zandri
Jason@Zandri.net

www.2000trainers.com