Lesson 5: Delegating Administrative Control of Active Directory Objects

In this lesson you learn that you can delegate administrative control of objects to individuals so that they can perform administrative tasks on the objects. You also learn how to use the Delegation Of Control wizard to delegate control of objects and the guidelines for delegating control.


After this lesson, you will be able to

  • Delegate administrative control of OUs and objects

Estimated lesson time: 20 minutes


Guidelines for Delegating Control

You delegate administrative control of objects by assigning permissions to the object to allow users or groups of users to administer the objects. An administrator can delegate the following types of control:

  • Assign a user the permissions to change properties on a particular container.
  • Assign a user the permissions to create, modify, or delete objects of a specific type in a specific OU or container.
  • Assign a user the permissions to modify specific properties on objects of a specific type in a specific OU or container.

Because tracking permissions at the OU or container level is easier than tracking permissions on objects or object attributes, the most common method of delegating administrative control is to assign permissions at the OU or container level. Assigning permissions at the OU or container level allows you to delegate administrative control for the objects that are contained in the OU or container. Use the Delegation Of Control wizard to assign permissions at the OU or container level.

For example, you can delegate administrative control by assigning Full Control for an OU to the appropriate manager, giving that manager control only within his or her area of responsibility. By delegating control of the OU to the manager, you decentralize administrative operations and issues. This reduces your administration time and costs by distributing administrative control closer to its point of service.

To help you delegate administrative control, you may want to follow these suggestions:

  • Assign control at the OU or container level whenever possible. Assigning control at the OU or container level allows for easier tracking of permission assignments. Tracking permission assignments becomes more complex for objects and object attributes.
  • Use the Delegation Of Control wizard. The wizard assigns permissions only at the OU or container level. The wizard simplifies the process of assigning object permissions by stepping you through the process.
  • Track the delegation of permission assignments. Tracking assignments allows you to maintain records to easily review security settings.
  • Follow business requirements. Follow any guidelines that your organization has in place for delegating control.

Delegation Of Control Wizard

The Delegation Of Control wizard steps you through the process of assigning permissions at the OU or container level. More specialized permissions must be manually assigned.

In Active Directory Users And Computers, click the OU or container for which you want to delegate control, and then on the Action menu, click Delegate Control to start the wizard.

Table 19.4 describes the Delegation Of Control wizard options.

Table 19.4 Delegation Of Control Wizard Options

Users Or Groups
  Allows you to select the user accounts or groups to which you want to delegate control.

Tasks To Delegate
  Allows you to select common tasks from a list or create custom tasks to delegate.

Active Directory Object Type (available only when custom tasks are selected in Tasks To Delegate)
  Allows you to select the scope of the tasks you want to delegate: either This Folder, Existing Objects In This Folder, And Creation Of New Objects In This Folder, or Only The Following Objects In This Folder.

Permissions (available only when custom tasks are selected in Tasks To Delegate)
  Select one of the following permissions to delegate:
  • General—the most commonly assigned permissions that are available for the object
  • Property-Specific—the permissions that you can assign to the attributes of the object
  • Creation/Deletion Of Specific Child Objects—the permissions to create and delete child objects

Guidelines for Administering Active Directory

The following are best practices for administering Active Directory:

  • In larger organizations, coordinate your Active Directory structure with other administrators. You can move objects later, but this might create extra work.
  • When you create Active Directory objects, such as user accounts, complete all attributes that are important to your organization. Completing the attributes gives you more flexibility when you search for objects.
  • Use deny permissions sparingly. If you assign permissions correctly, you should not need to deny permissions. In most cases, denied permissions indicate mistakes that were made in assigning group membership.
  • Always ensure that at least one user has Full Control for each Active Directory object. Failure to do so might result in objects being inaccessible.
  • Ensure that delegated users take responsibility and can be held accountable. You gain nothing if you delegate administrative control without ensuring future accountability. As an administrator, you are ultimately responsible for all of the administrative changes that are made. If the users to whom you delegate responsibility are not performing the administrative tasks, you will need to assume responsibility for their failure.
  • Provide training for users who have control of objects. Ensure that the users to whom you delegate responsibility understand their responsibilities and know how to perform the administrative tasks.

Practice: Delegating Administrative Control in Active Directory

In this practice you delegate to a user control over objects in an OU. Refer to the tables that you completed in Lesson 2 to answer the questions in this practice.

Exercise 1: Test Current Permissions

In this exercise, you will determine what permissions currently exist.

  1. Log on to your domain as Assistant1, and type password as the password.
  2. Start Active Directory Users And Computers.
  3. In the console tree, expand your domain, and then click Security1.

    What user objects are visible in the Security1 OU?

    Which permissions allow you to see these objects? (Hint: Refer to your answers in Lesson 2.)

    For the user account with the logon name Secretary1, change the logon hours. Were you successful? Why or why not?

    For the Assistant1 user account, under which you are currently logged on, change the logon hours. Were you successful? Why or why not?

  4. Close Active Directory Users And Computers and log off Windows 2000.

Exercise 2: Use the Delegation Of Control Wizard to Assign Active Directory Permissions

In this exercise, you delegate the control of Active Directory permissions for the OU to user Assistant1.

  1. Log on to your domain as Administrator and open Active Directory Users and Computers.
  2. In the console tree, expand your domain.
  3. Click Security1, and then on the Action menu, click Delegate Control.
  4. In the Delegation Of Control wizard, click Next.

    The Delegation Of Control wizard displays the Users Or Groups page.

    Notice that the wizard does not display any user accounts or groups. You will add a user account to which to delegate control.

  5. Click Add.

    The Select Users, Computers, Or Groups dialog box appears.

  6. Select Assistant1, click Add, and then click OK.
  7. Click Next.

    The Delegation Of Control wizard displays the Tasks To Delegate page. Here you can choose to delegate common tasks from a list or create custom tasks to delegate.

  8. For this exercise, confirm that Delegate The Following Common Tasks is selected, click the Create, Delete, And Manage User Accounts check box, and then click Next.

    The Delegation Of Control wizard displays the Completing The Delegation Of Control Wizard page.

  9. Review the Summary page.
    • If all choices reflect the delegation of control on all objects for Assistant1, click Finish.
    • To make changes, click Back.
  10. Close Active Directory Users And Computers and log off Windows 2000.

Exercise 3: Test Delegated Permissions

In this exercise, you test to confirm that Assistant1 has the permissions you delegated in the prior exercise.

  1. Log on to your domain as Assistant1, and type password as your password.
  2. Open Active Directory Users And Computers.
  3. In the console tree, expand your domain, and then click Security1.
  4. Attempt to change the logon hours for the user accounts in the Security1 OU.

    Were you successful? Why or why not?

  5. Attempt to change the logon hours for a user account in the Users container.

    Were you successful? Why or why not?

  6. Close Active Directory Users And Computers and log off Windows 2000.
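The guidelines above ask you to track delegated permission assignments, avoid Deny entries, and keep at least one trustee with Full Control. The following script is an added example, not part of the training kit, that audits the explicit ACEs the wizard placed on the Security1 OU after Exercise 2; it assumes the RSAT ActiveDirectory module is installed and that the OU distinguished name is replaced with your own.

```powershell
# Added example (not from the training kit): audit the explicit ACEs that the
# Delegation Of Control wizard placed on an OU. Assumes the ActiveDirectory
# module (RSAT) is available; the OU DN below is a placeholder for your domain.
Import-Module ActiveDirectory

$ouDn = 'OU=Security1,DC=example,DC=com'   # hypothetical DN; replace with yours

# Map schema GUIDs to lDAPDisplayName so an ACE's ObjectType (e.g. the "user"
# class or the logonHours attribute) can be read by a human.
$rootDse  = Get-ADRootDSE
$guidMap  = @{}
Get-ADObject -SearchBase $rootDse.schemaNamingContext -LDAPFilter '(schemaIDGUID=*)' `
    -Properties lDAPDisplayName, schemaIDGUID |
    ForEach-Object { $guidMap[[guid]$_.schemaIDGUID] = $_.lDAPDisplayName }
# Extended rights (e.g. Reset Password) live under the configuration partition.
Get-ADObject -SearchBase "CN=Extended-Rights,$($rootDse.configurationNamingContext)" `
    -LDAPFilter '(objectClass=controlAccessRight)' -Properties displayName, rightsGuid |
    ForEach-Object { $guidMap[[guid]$_.rightsGuid] = $_.displayName }

function Resolve-AceGuid([guid]$g) {
    if ($g -eq [guid]::Empty)     { return 'All' }
    if ($guidMap.ContainsKey($g)) { return $guidMap[$g] }
    return $g.ToString()
}

$acl = Get-Acl -Path "AD:\$ouDn"
# ACEs set directly on this OU are the delegations made here; inherited ones
# come from the domain head or a parent OU and are tracked there instead.
$explicit = $acl.Access | Where-Object { -not $_.IsInherited }

$explicit | Select-Object IdentityReference, AccessControlType, ActiveDirectoryRights,
    @{ n = 'AppliesTo';     e = { Resolve-AceGuid $_.ObjectType } },
    @{ n = 'InheritedType'; e = { Resolve-AceGuid $_.InheritedObjectType } },
    InheritanceType |
    Format-Table -AutoSize

# Guideline checks: an explicit Deny usually signals a group-membership mistake,
# and some trustee must still hold Full Control (GenericAll) over the OU.
$denies = @($explicit | Where-Object { $_.AccessControlType -eq 'Deny' })
if ($denies.Count -gt 0) { Write-Warning "$($denies.Count) explicit Deny ACE(s) on $ouDn" }

$genericAll  = [System.DirectoryServices.ActiveDirectoryRights]::GenericAll
$fullControl = @($acl.Access | Where-Object {
    $_.AccessControlType -eq 'Allow' -and
    ($_.ActiveDirectoryRights -band $genericAll) -eq $genericAll
})
if ($fullControl.Count -eq 0) { Write-Warning "No trustee holds Full Control on $ouDn" }
```

Running this after Exercise 2 should list Assistant1 with rights scoped to the user object class on Security1, which is why the same account still cannot edit logon hours in the Users container in Exercise 3.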

Lesson Summary

In this lesson, you learned that you can delegate administrative control of objects to individuals so that they can perform administrative tasks on the objects. Assigning permissions at the OU or container level allows you to delegate administrative control for the objects that are contained in the OU or container. You learned how to use the Delegation Of Control wizard to delegate control of objects and the guidelines for delegating control. In the practice portion of this lesson, you used the Delegation Of Control wizard to delegate to a user control over objects in an OU.



MCSE Training Kit(c) Microsoft Windows 2000 Accelerated 2000