In this lesson, you'll learn how to use Windows 2000 to delegate control of portions of the domain.
After this lesson, you will be able to
Estimated lesson time: 20 minutes
Control is distributed in Windows 2000 by means of OUs. A particular user or group can be given permission to manage users, groups, computers, and OUs in Active Directory.
Once you've built your OU hierarchy, you can delegate control for common tasks such as resetting passwords on user accounts. For more specific situations, you can customize how much control a user is given on an object and its attributes. Examples of this delegation include creating a custom delegation that allows your Human Resources department to change the full name and description on all users' logon IDs, or giving permission to managers to create and manage their own OU structures to reflect their departmental hierarchies. This delegation of control is performed within the Active Directory Users And Computers administrative tool.
In this practice, you'll delegate control within the OU structure in the trainkit.microsoft.com domain.
In the left pane, you should see the Europe OU structure that you created in Chapter 8.
You're going to delegate control of the Finance OU to the user Mig1.
Now you must select the users or groups to be delegated control of the Finance OU.
TIP: You can obtain an alphabetical listing of the users and groups by clicking Name, just above the user listing. You might have to click Name twice, because each click toggles between ascending and descending alphabetical order.
Figure 10.10 Delegation of Control Wizard page
The Mig1 user now has the ability to reset the passwords of the users contained in the Finance OU.
You should be able to type information, but the system will abort the task as soon as you click the Apply button.
You should see a confirmation message that the password has been changed.
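To audit the result of a delegation like the one in this practice, you can inspect the access control entries (ACEs) on the OU. The following is an added example, not part of the original lesson: it parses the DACL of an OU security descriptor in SDDL form and lists the trustees whose allow ACEs let them reset passwords of user objects inside the OU. The sample descriptor and its SIDs are constructed, the -1105 account stands in for Mig1, and the function names are hypothetical.

```python
import re

# Rights GUID of the Reset Password extended right (User-Force-Change-Password).
RESET_PASSWORD = "00299570-246d-11d0-a768-00aa006e0529"
# schemaIDGUID of the user class, used as the inherited-object type.
USER_CLASS = "bf967aba-0de6-11d0-a285-00aa003049e2"
CONTROL_ACCESS = 0x100  # ADS_RIGHT_DS_CONTROL_ACCESS, written "CR" in SDDL

def grants_control_access(rights):
    """True if an SDDL rights field includes CR (or generic all, GA)."""
    if rights.lower().startswith("0x"):
        return bool(int(rights, 16) & CONTROL_ACCESS)
    codes = re.findall("..", rights)
    return "CR" in codes or "GA" in codes

def reset_password_delegations(sddl):
    """List (trustee, origin) for allow ACEs on an OU that let the trustee
    reset passwords of user objects beneath it."""
    dacl = re.search(r"D:[A-Z]*((?:\([^()]*\))+)", sddl)
    found = []
    for body in re.findall(r"\(([^()]*)\)", dacl.group(1) if dacl else ""):
        parts = body.split(";")
        if len(parts) < 6:
            continue  # malformed ACE
        ace_type, flags, rights, obj, inh_obj, trustee = parts[:6]
        flag_codes = re.findall("..", flags)
        if ace_type not in ("A", "OA") or "CI" not in flag_codes:
            continue  # not an allow ACE, or not inherited by child objects
        if not grants_control_access(rights):
            continue
        if obj.lower() not in ("", RESET_PASSWORD):
            continue  # a different extended right
        if inh_obj.lower() not in ("", USER_CLASS):
            continue  # applies to another object class
        found.append((trustee, "inherited" if "ID" in flag_codes else "explicit"))
    return found

# Constructed sample: DACL of a Finance OU after delegation (SIDs are made up).
SID = "S-1-5-21-1111111111-2222222222-3333333333"
SAMPLE_SDDL = (
    "O:DAG:DAD:AI"
    f"(OA;CIIO;CR;{RESET_PASSWORD};{USER_CLASS};{SID}-1105)"  # stands in for Mig1
    f"(A;CI;RPWP;;;{SID}-1106)"               # write property only, no CR
    "(A;CIID;GA;;;DA)"                        # inherited full control
    f"(OA;;CR;{RESET_PASSWORD};;{SID}-1107)"  # no CI: applies to the OU only
)

if __name__ == "__main__":
    print(reset_password_delegations(SAMPLE_SDDL))
```

The check covers allow ACEs only; deny ACEs and the group memberships of each trustee still have to be reviewed to determine effective access.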
In this lesson, you learned how control over items can be delegated to users. You also performed a practice in which you delegated control of the passwords for users in an OU to another user.