Delegation Tasks
The console you use to perform delegation depends on which directory object you are delegating authority over:
To delegate control over domains and OUs, use Active Directory Users and Computers. See the Tools section under Active Directory for more information about this console.
To delegate control over sites, use Active Directory Sites and Services. See the Tools section under Site for more information about this console.
For both of these consoles, delegation is performed using the Delegation of Control Wizard.
Active Directory Users and Computers → right-click on a domain → Delegate Control → Next → select users or groups → specify tasks to delegate
The three options here are:
Join a computer to the domain.
Manage Group Policy links.
Create a custom task to delegate.
You can choose one or both of the first two options. If you choose the third option, the other two become unavailable and the wizard can continue in two different ways:
Create a custom task to delegate → delegate control over all objects in this folder → specify permissions to delegate for the objects you selected
Create a custom task to delegate → delegate control over some objects in the folder → select objects to delegate authority over → choose whether to also delegate create/delete permissions for the objects you selected → specify permissions to delegate for the objects you selected
For example, you can grant specified users or groups Full Control permission over all Computer accounts in your domain.
Active Directory Users and Computers → right-click on an OU → Delegate Control
The wizard proceeds the same as before except that the list of tasks available for delegation is more extensive (and more useful) than when delegating authority over a domain. For example, you can delegate the right to:
Create, delete, and manage user accounts
Reset user passwords and force password change at next logon
Read all user information
Create, delete, and manage groups
Modify the membership of a group
Manage Group Policy links
Generate Resultant Set of Policy
The term site object in this context refers to:
The Sites container
A particular site (including the Default-First-Site-Name object)
A Servers folder beneath a particular site object
The Inter-Site Transports container
The Subnets container
To delegate control over a site object:
Active Directory Sites and Services → right-click on site → Delegate Control → Next → select users or groups → specify tasks to delegate
For any site object that is not a particular site, the only option you have is to create a custom task to delegate. For sites, you can also choose either to delegate Manage Group Policy Links or to create a custom task instead.
You can modify the Active Directory permissions that the Delegation of Control Wizard assigned to users and groups, but doing so for domains or OUs requires first making the advanced portions of Active Directory visible:
Active Directory Users and Computers → View → Advanced Features (toggle on) → right-click on domain or OU → Properties → Security → select user or group → modify permissions as desired
You really need to know what you're doing before you start playing around with Active Directory permissions this way! This also highlights a flaw in the wizard-based approach to delegation: you can use the wizard to delegate, but you can't use it to undo what you delegated; you have to do that manually!
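Because the wizard only writes access control entries (ACEs) and offers no way to review or reverse them, an administrator auditing or undoing a delegation has to read the security descriptor of the domain, OU or site object directly. The script below is an added example, not part of the book, showing how to do that with the RSAT ActiveDirectory PowerShell module: it lists every explicit (non-inherited) ACE a given trustee holds on an object, resolves the object-type and inherited-object-type GUIDs to readable names (so that, for example, the "Reset user passwords" task delegated on an OU above shows up as the User-Force-Change-Password right scoped to the user class), and can optionally remove those ACEs. The distinguished name and group name are placeholders. The same approach works for the site objects in Active Directory Sites and Services; only the distinguished name changes.

```powershell
# Added example (not the book's own procedure): audit, and optionally remove,
# the explicit ACEs that the Delegation of Control Wizard created for one trustee.
# Assumes the RSAT ActiveDirectory module is installed and the caller is allowed
# to read (and, for removal, write) the object's security descriptor.
Import-Module ActiveDirectory

$TargetDn = 'OU=Helpdesk Targets,DC=example,DC=com'   # placeholder: domain, OU or site object DN
$Trustee  = 'EXAMPLE\Helpdesk Operators'              # placeholder: group the wizard delegated to
$Remove   = $false                                    # set to $true to strip the trustee's explicit ACEs

# Build a GUID -> name map from the schema (classes/attributes) and the
# Extended-Rights container (extended rights and property sets), so the
# raw GUIDs stored in each ACE can be printed as the names the wizard uses.
$rootDse = Get-ADRootDSE
$guidMap = @{}
Get-ADObject -SearchBase $rootDse.schemaNamingContext -LDAPFilter '(schemaIDGUID=*)' -Properties name, schemaIDGUID |
    ForEach-Object { $guidMap[[guid]$_.schemaIDGUID] = $_.name }
Get-ADObject -SearchBase "CN=Extended-Rights,$($rootDse.configurationNamingContext)" -LDAPFilter '(objectClass=controlAccessRight)' -Properties name, rightsGuid |
    ForEach-Object { $guidMap[[guid]$_.rightsGuid] = $_.name }

function Resolve-Guid([guid]$g) {
    # An empty GUID in an ACE means "all object types" / "all properties".
    if ($g -eq [guid]::Empty)    { return 'All' }
    if ($guidMap.ContainsKey($g)) { return $guidMap[$g] }
    return $g.ToString()          # unknown GUID: print it raw rather than guess
}

# The AD: drive exposes each directory object's security descriptor to Get-Acl/Set-Acl.
$acl = Get-Acl -Path "AD:\$TargetDn"

# Delegations made with the wizard are always explicit on the object they were
# run against; inherited ACEs come from a parent and must be fixed there.
$explicit = @($acl.Access | Where-Object {
    -not $_.IsInherited -and $_.IdentityReference.Value -eq $Trustee
})

foreach ($ace in $explicit) {
    '{0,-5} {1,-40} right/property: {2,-32} object class: {3,-12} inheritance: {4}' -f `
        $ace.AccessControlType,
        $ace.ActiveDirectoryRights,
        (Resolve-Guid $ace.ObjectType),
        (Resolve-Guid $ace.InheritedObjectType),
        $ace.InheritanceType
}

if ($Remove -and $explicit.Count -gt 0) {
    # RemoveAccessRuleSpecific removes only ACEs that match exactly, so inherited
    # entries and other trustees' delegations are left untouched.
    foreach ($ace in $explicit) { [void]$acl.RemoveAccessRuleSpecific($ace) }
    Set-Acl -Path "AD:\$TargetDn" -AclObject $acl
    "Removed {0} explicit ACE(s) for {1} on {2}" -f $explicit.Count, $Trustee, $TargetDn
}
```

Run it first with `$Remove = $false` to see exactly which rights the wizard granted; the wizard's "Create, delete, and manage user accounts" task, for instance, appears as CreateChild/DeleteChild entries with object class `user` plus a GenericAll entry inherited to `user` objects. Only after confirming that every listed entry belongs to the delegation you want to revoke should `$Remove` be set to `$true`. Keeping the printed list from the audit run also gives you a record of what the delegation actually consisted of, which the wizard itself never shows.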