Lesson 3: Delegating Control

In this lesson, you'll learn how to use Windows 2000 to delegate control of portions of the domain.

After this lesson, you will be able to

• Understand how control is devolved in a Windows 2000 domain.
• Use the Delegation Of Control Wizard to grant users permissions to manage items.

Estimated lesson time: 20 minutes

Using OUs to Delegate Control

Control is distributed in Windows 2000 by means of OUs. A particular user or group can be given permission to manage users, groups, computers, and OUs in Active Directory.

Once you've built your OU hierarchy, you can delegate control for common tasks such as resetting passwords on user accounts. For more specific situations, you can customize how much control a user is given on an object and its attributes. Examples of this delegation include creating a custom delegation that allows your Human Resources department to change the full name and description on all users' logon IDs, or giving permission to managers to create and manage their own OU structures to reflect their departmental hierarchies. This delegation of control is performed within the Active Directory Users And Computers administrative tool.

Practice: Delegating Control of an OU

In this practice, you'll delegate control to the OU structure in the trainkit.microsoft.com domain.

1. Log on to TRAINKIT1 as Administrator with the password secret.
2. Open Active Directory Users And Computers from the Administrative Tools folder.

   In the left pane, you should see the Europe OU structure that you created in Chapter 8.

3. Expand the Europe OU, if necessary, to display the Finance OU.
4. Select the Finance OU.

   You're going to delegate control of the Finance OU to the user Mig1.

5. Right-click the Finance OU and select Delegate Control from the shortcut menu.
6. The Delegation Of Control Wizard opens.
7. Click Next to move past the startup screen.

   Now you must select the users or groups to be delegated control of the Finance OU.

8. Click the Add button and select Mig1 from the list of users that appears.

   TIP

   ---

   You can obtain an alphabetical listing of the users and groups by clicking on Name, just above the user listing. You might have to click Name twice as it will toggle between ascending and descending alphabetical order each time.

9. Click Add to move Mig1 to the bottom window and then click OK to close the dialog box.
10. Click Next to move on to the next screen.
11. Select Delegate The Following Common Tasks and then set the check mark next to Reset Passwords On User Accounts, as shown in Figure 10.10.

    

    Figure 10.10 Delegation of Control Wizard page

12. Click Next and then click Finish on the next screen to complete the wizard.

    The Mig1 user now has the ability to reset the passwords of the users contained in the Finance OU.

13. Log off TRAINKIT1 and log back on again as Mig1 using the password secret.
14. Open Active Directory Users And Computers.
15. Select the Finance OU in the Europe OU.
16. Right-click the user Fin1 and select Properties from the shortcut menu.
17. Try changing any of the properties contained on the tabs.

    You should be able to type information, but the system will abort the task as soon as you click the Apply button.

18. Close the Fin1 Properties dialog box.
19. Right-click Fin1 and select Reset Password from the shortcut menu.
20. Change the password to hopeful and click OK.

    You should see a confirmation message that the password has been changed.

21. Log off TRAINKIT1 as Mig1 and log back on as Fin1 with the new password hopeful to confirm that the password has been changed.
22. Log off TRAINKIT1.

Lesson Summary

In this lesson, you learned how control over items can be delegated to users. You also performed a practice in which you delegated control of the passwords for users in an OU to another user.