11.5. Planning and Implementing an Administrative Delegation Strategy

Delegate control of Active Directory objects to grant users permission to manage specific types of objects stored in Active Directory. You want to delegate permissions in such a way that users can perform necessary tasks while preventing them from performing tasks that they should not perform. Determining the tasks that users with limited administrative permissions should be able to perform requires planning. You might need to meet with the user to discuss their job responsibilities or ask a manager about the user's responsibilities.

11.5.1. Planning for Delegation

Delegation can be used at the domain level and at the organizational unit level. You can:

Grant full control over an OU
This allows a local administrator to create and manage all accounts and resources in the OU. For example, you might want local administrators to be able to manage all types of accounts and resources in their area of responsibility.

Grant full control over specific types of objects in an OU
This allows a local administrator to create and manage a specific type of object. For example, you might want local administrators to be able to manage users and groups but not be able to manage computer accounts.

Grant full control over specific types of objects in a domain
This allows an administrator to create and manage specific types of objects in a domain. Thus, rather than adding the user as a member of the Administrators group, you grant the user full control over the specific types of objects they need to manage to perform their jobs. For example, you might have user account administrators who are allowed to create and manage user accounts throughout the domain, but are not allowed to perform other administrative tasks.

Grant rights to perform specific tasks in a domain or OU
This allows a user to perform a specific task.
For example, you might want to allow help desk staff to reset user passwords but not allow them to perform other administrative tasks on Active Directory objects.

When you delegate permissions, don't forget about inheritance. Lower-level objects inherit permissions from top-level objects. In a domain, the top-level object is the domain object itself. Any user designated as an administrator for a domain automatically has full control over the domain. Any user delegated permissions at the domain level has those permissions for all organizational units in the domain. Similarly, any user delegated permissions in a top-level organizational unit has those permissions for all organizational units that are created within the top-level organizational unit.

11.5.2. Delegating Administration

You can delegate administration of a domain or organizational unit by completing the following steps:

1. Start Active Directory Users And Computers from the Administrative Tools menu.

2. Right-click the organizational unit for which you want to delegate administration and then select Delegate Control. This starts the Delegation Of Control Wizard. Click Next.

3. On the Users Or Groups page, shown in Figure 11-14, click Add to display the Select Users, Computers, Or Groups dialog box. Use the Select Users, Computers, Or Groups dialog box to select the user or group to which you are delegating permissions. Repeat this step as necessary.

Figure 11-14. Specify the users or groups to which you are delegating permissions.

4. Click Next. On the Tasks To Delegate page, select the tasks you want to delegate, as shown in Figure 11-15. You also have the option to create a custom task, which allows you to specify permissions for various objects, such as users, groups, or computers, within the organizational unit.

Figure 11-15. Specify the administrative tasks to delegate.

5. Click Next, and then click Finish.
As with all other security permissions assigned to an object, users or groups who have been delegated permissions are listed on the Security tab in the organizational unit's properties dialog box. In most cases, a user or group delegated administration permissions will be listed as having Special Permissions. Rather than trying to edit advanced security settings, the best way to change delegated permissions is to do one of the following:

If you want to grant the user or group additional administrative permissions while keeping current permissions, start the Delegation Of Control Wizard and use the wizard to grant the additional permissions.

If you want to define a new set of delegated administrative permissions for a user or group, access the Security tab in the organizational unit's properties dialog box. Remove the current permissions for the user or group. Start the Delegation Of Control Wizard and use the wizard to grant the desired permissions.

Tip: The Delegation Of Control Wizard cannot be used to remove any delegated privileges. You must access the Security tab of the object's properties dialog box to do this.
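The help-desk password-reset delegation from the planning section, and the review of the resulting Special Permissions entries described above, can also be done from PowerShell instead of the wizard and the Security tab. The following is an added example, not code from the book; the OU distinguished name and the HelpDesk group are placeholders, and the script assumes the ActiveDirectory module is installed and that you run it with rights to modify the OU's ACL.

```powershell
# Added example (not from the book): grant the Reset Password extended right on one OU
# to a help-desk group, then list the ACEs that were set directly on that OU (the
# entries the Security tab shows as "Special Permissions"), as opposed to inherited ones.
# Placeholders: 'OU=Sales,DC=corp,DC=example' and 'CORP\HelpDesk' are assumed names.
Import-Module ActiveDirectory

# Well-known Active Directory schema GUIDs (constants, not page-specific values)
$ResetPasswordRight = [Guid]'00299570-246d-11d0-a768-00aa006e0529'  # User-Force-Change-Password
$UserObjectClass    = [Guid]'bf967aba-0de6-11d0-a285-00aa003049e2'  # "user" object class

function Grant-ResetPasswordDelegation {
    param(
        [Parameter(Mandatory)][string]$OuDistinguishedName,
        [Parameter(Mandatory)][string]$GroupName   # e.g. 'CORP\HelpDesk'
    )
    $path = "AD:\$OuDistinguishedName"
    $acl  = Get-Acl -Path $path
    $sid  = (New-Object System.Security.Principal.NTAccount($GroupName)).Translate(
                [System.Security.Principal.SecurityIdentifier])
    # Extended right limited to descendant user objects. Because it is inheritable,
    # any OU created later under this OU picks it up too (the inheritance caveat above).
    $ace = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
        $sid,
        [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight,
        [System.Security.AccessControl.AccessControlType]::Allow,
        $ResetPasswordRight,
        [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents,
        $UserObjectClass)
    $acl.AddAccessRule($ace)
    Set-Acl -Path $path -AclObject $acl
}

function Get-DelegatedAces {
    # Returns only ACEs defined on this OU itself; inherited entries come from the
    # domain or a parent OU and must be changed there, not here.
    param([Parameter(Mandatory)][string]$OuDistinguishedName)
    (Get-Acl -Path "AD:\$OuDistinguishedName").Access |
        Where-Object { -not $_.IsInherited } |
        Select-Object IdentityReference, ActiveDirectoryRights, AccessControlType,
                      ObjectType, InheritedObjectType, InheritanceType
}

# Usage with the placeholder names:
# Grant-ResetPasswordDelegation -OuDistinguishedName 'OU=Sales,DC=corp,DC=example' -GroupName 'CORP\HelpDesk'
# Get-DelegatedAces -OuDistinguishedName 'OU=Sales,DC=corp,DC=example' | Format-Table -AutoSize
```

Running Get-DelegatedAces periodically on each delegated OU is a simple way to confirm that only the intended groups hold rights there, since the wizard cannot show or remove what it previously granted.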