One of the most useful features of Active Directory is the ability to delegate all or part of the administrative power over an OU or a directory container to a group or a user (in both Windows 2000 and Windows .NET domains). Delegation of control is essentially the same thing as "wizard-aided" granting of permissions on Active Directory objects to a user or group. You can manually assign the permissions necessary for performing an administrative task to a user or group, but the Delegation of Control Wizard simplifies this process considerably. Delegating control is a simple operation; difficulties arise mainly when delegated tasks have to be revoked from the user or group.
An administrator can delegate control (i.e., use the Delegation of Control Wizard rather than manually assign permissions) for the following Active Directory objects (common administrative tasks are cited in parentheses):
In the Active Directory Sites and Services snap-in (typical permissions are Full Control, Read/Write, Create/Delete All Child Objects, Read/Write All Properties):
Inter-Site Transport container
A site(s) (only Manage Group Policy links task)
Server container in site(s)
In the Active Directory Users and Computers snap-in (the list of available permissions depends on the type of Active Directory container):
Entire domain (Join a computer to the domain; Manage Group Policy links)
Organizational unit (Create, delete, and manage user accounts; Reset passwords on user accounts; Read all user information; Create, delete, and manage groups; Modify the membership of a group; and Manage Group Policy links. In Windows .NET, there are a few additional tasks.)
Remember that the Authenticated Users group (i.e., any logged-on user) can by default add up to 10 computer accounts to a domain. This ability does not come from an ACE on the domain object: it comes from the "Add workstations to domain" user right (SeMachineAccountPrivilege), which the Default Domain Controllers Policy grants to Authenticated Users, and the limit is the value of the domain's ms-DS-MachineAccountQuota attribute, which by default is equal to 10. Because Authenticated Users also have the Read All Properties permission on the domain object, any user can read that quota. (The value can be viewed or modified by using the ADSI Edit snap-in.) Draw your own conclusions. (You might want to change this situation, for example by setting the quota to 0 and explicitly delegating the Create Computer Objects permission to the group that is supposed to join machines.)
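The following PowerShell script is an added example (it is not from the book) that does with ADSI what the text describes doing with the ADSI Edit snap-in: it reads the quota, lists the computer accounts that were created under it rather than through an explicit Create Computer Objects permission, and then sets the quota to 0. The domain name net.dom, the Domain Admin context, and the use of the mS-DS-CreatorSID attribute as the marker of quota-created accounts are assumptions of the example.

```powershell
# Added example, not the book's code. Assumes the domain DC=net,DC=dom from Fig. 8.5
# and that the script runs as a Domain Admin on a domain member.
$domain = [ADSI]'LDAP://DC=net,DC=dom'
"Current ms-DS-MachineAccountQuota: $($domain.'ms-DS-MachineAccountQuota')"

# Computer accounts joined by ordinary users under the quota carry the creator's SID in
# mS-DS-CreatorSID; accounts created by principals holding an explicit Create Computer
# Objects permission do not. (Assumption of this example; verify in your own forest.)
$searcher = [ADSISearcher]'(&(objectCategory=computer)(mS-DS-CreatorSID=*))'
$searcher.SearchRoot = $domain
$searcher.PageSize   = 500
[void]$searcher.PropertiesToLoad.AddRange([string[]]@('name', 'ms-ds-creatorsid'))

foreach ($r in $searcher.FindAll()) {
    $sid = New-Object System.Security.Principal.SecurityIdentifier `
        ($r.Properties['ms-ds-creatorsid'][0], 0)
    try {
        # A creator that no longer exists cannot be translated; fall back to the raw SID.
        $creator = $sid.Translate([System.Security.Principal.NTAccount]).Value
    } catch {
        $creator = $sid.Value
    }
    '{0,-24} created under the quota by {1}' -f $r.Properties['name'][0], $creator
}

# Close the door: with the quota at 0, only principals that were explicitly granted
# Create Computer Objects (for example via the Delegation of Control Wizard) can join machines.
$domain.Put('ms-DS-MachineAccountQuota', 0)
$domain.SetInfo()
"New ms-DS-MachineAccountQuota: $($domain.'ms-DS-MachineAccountQuota')"
```

Run the listing part first and review the output before committing the change; setting the quota to 0 does not remove accounts that were already created, it only prevents new ones from being created without an explicit permission.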
To start the process of delegating control, run the appropriate snap-in, point to an Active Directory container, OU, or the domain itself in the tree pane, and select the Delegate control command on the context or Action menu. Depending on the container type, you can select a common task(s) or create a custom task. In the first case, you use a pre-defined set of permissions, while in the second case, you select objects and permissions yourself, which allows you to be more specific in delegating the administrative rights.
Although it is very simple to delegate control, revoking administrative rights from a user or a group requires a bit more effort and a clearer understanding of the process. You must turn on the Advanced Features mode (see the previous chapter), select the container over which control has been delegated, and open the Security tab in the container's Properties window. Then, find the permissions and access control settings for the user or the group, and delete them. By doing so, you are editing the ACL entries of a directory object. Delegation of control is done using the same process, only simplified by the wizard. Understanding this will help you to manipulate directory objects easily and flexibly and, as a result, to tune Active Directory to fit your tasks.
Look at Fig. 8.5. The Delegation of Control Wizard has been executed twice. First, the permission to join computers to the domain has been delegated to the Admins group. (You can see that permission as inherited from the domain context DC=net,DC=dom.) Second, the Admins group has received the permission to create, delete, and manage user accounts in the Staff OU. That right is defined at the OU level and is not inherited. As a result, the Create Computer Objects permission has been added to the access control list (ACL) of the domain container (from where the Staff OU inherits it), and the Full Control (on user objects) and Create/Delete User Objects permissions have been added to the ACL of the Staff OU. (In Fig. 8.5, these permissions are the first three lines in the Permission entries pane.) You could add these permissions manually, but the wizard helps you to do this without error and frees you from having to know all the details of Active Directory object inheritance and permissions.
Fig. 8.5: The result of using the Delegation of Control Wizard: the highlighted permission allows the Admins group to join computers to the domain and manage users in the Staff OU
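The script below is an added example (not the book's code) that produces the three ACEs of Fig. 8.5 without the wizard, using the System.DirectoryServices classes and the AD: drive of the ActiveDirectory PowerShell module; it shows what the wizard actually writes, namely object-type-specific ACEs and an inherited-object-type ACE. The domain net.dom, the OU name Staff, the group name Admins, and the availability of the ActiveDirectory module are assumptions of the example.

```powershell
# Added example, not the book's code. Assumptions: domain DC=net,DC=dom, OU "Staff",
# group "Admins", ActiveDirectory module present, run as a Domain Admin.
Import-Module ActiveDirectory

$domainDN = 'DC=net,DC=dom'
$ouDN     = "OU=Staff,$domainDN"
$sid      = (Get-ADGroup 'Admins').SID

# The wizard scopes ACEs to object classes via their schemaIDGUID; look those up.
$schemaNC = (Get-ADRootDSE).schemaNamingContext
function Get-SchemaGuid([string]$ldapDisplayName) {
    $obj = Get-ADObject -SearchBase $schemaNC -LDAPFilter "(lDAPDisplayName=$ldapDisplayName)" `
                        -Properties schemaIDGUID
    [guid]$obj.schemaIDGUID
}
$userGuid     = Get-SchemaGuid 'user'
$computerGuid = Get-SchemaGuid 'computer'

$Rights  = [System.DirectoryServices.ActiveDirectoryRights]
$Inherit = [System.DirectoryServices.ActiveDirectorySecurityInheritance]
$Allow   = [System.Security.AccessControl.AccessControlType]::Allow
$Rule    = [System.DirectoryServices.ActiveDirectoryAccessRule]

# 1) "Join a computer to the domain": Create Computer Objects on the domain head,
#    inherited by every container below it (the ACE Fig. 8.5 shows as inherited).
$domainAcl = Get-Acl -Path "AD:\$domainDN"
$domainAcl.AddAccessRule($Rule::new($sid, $Rights::CreateChild, $Allow, $computerGuid, $Inherit::All))
Set-Acl -Path "AD:\$domainDN" -AclObject $domainAcl

# 2) "Create, delete, and manage user accounts" on the Staff OU, defined there, not inherited:
#    a) create/delete user child objects in the OU and its sub-containers ...
$ouAcl = Get-Acl -Path "AD:\$ouDN"
$ouAcl.AddAccessRule($Rule::new($sid, ($Rights::CreateChild -bor $Rights::DeleteChild),
                                $Allow, $userGuid, $Inherit::All))
#    b) ... and Full Control over the user objects below it (inheritedObjectType = user,
#       so the ACE applies to user objects only, not to groups or computers in the OU).
$ouAcl.AddAccessRule($Rule::new($sid, $Rights::GenericAll, $Allow, $Inherit::Descendents, $userGuid))
Set-Acl -Path "AD:\$ouDN" -AclObject $ouAcl

# Check: the OU should now show the two explicit ACEs plus the one inherited from the domain.
(Get-Acl -Path "AD:\$ouDN").Access |
    Where-Object { $_.IdentityReference -like '*\Admins' } |
    Select-Object ActiveDirectoryRights, ObjectType, InheritedObjectType, InheritanceType, IsInherited |
    Format-Table -AutoSize
```

The two GUID columns in the final listing are the difference between "manage users" and "manage everything": ObjectType limits which child classes may be created or deleted, and InheritedObjectType limits which descendant objects the Full Control ACE is inherited by.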
If you want to revoke all administrative rights from the Admins group, you should perform the following steps:
To revoke control power over the Staff OU, delete the first two lines in the Permission entries pane.
In Windows .NET, you can click the Default button, which resets the object's permissions to the schema default and thereby deletes all permissions that were added for the selected directory object. Be careful, since: 1) other users or groups might have administrative rights over the object, and you will delete those additional permissions too; and 2) the inherited permissions will be restored.
To delete the inherited permission (the Create Computer Objects permission in our case), open the Security tab of the object where the permission has been defined (here, the domain container) and delete the corresponding line(s) in its Permission entries pane.
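As an added example (not the book's code), the same revocation done in PowerShell. It removes the two explicit ACEs on the Staff OU, then goes to the domain container to remove the Create Computer Objects ACE, because an inherited ACE cannot be removed on the object that inherits it. Unlike the Default button described above, it touches only ACEs that name the Admins group, and on the domain head it is further restricted to the computer object type so that other rights Admins might hold there survive. Domain net.dom, OU Staff, group Admins and the ActiveDirectory module are assumptions.

```powershell
# Added example, not the book's code. Assumptions: domain DC=net,DC=dom, OU "Staff",
# group "Admins", ActiveDirectory module present, run as a Domain Admin.
Import-Module ActiveDirectory

$domainDN  = 'DC=net,DC=dom'
$ouDN      = "OU=Staff,$domainDN"
$adminsSid = (Get-ADGroup 'Admins').SID
$sidType   = [System.Security.Principal.SecurityIdentifier]

# schemaIDGUID of the computer class, to remove only the "join computers" ACE on the domain head.
$schemaNC     = (Get-ADRootDSE).schemaNamingContext
$computerGuid = [guid](Get-ADObject -SearchBase $schemaNC -LDAPFilter '(lDAPDisplayName=computer)' `
                                    -Properties schemaIDGUID).schemaIDGUID

function Remove-ExplicitAces {
    # Removes the explicit (non-inherited) ACEs for $Sid on $Path, optionally only those whose
    # ObjectType equals $ObjectType, and returns the number of ACEs removed.
    param(
        [Parameter(Mandatory)][string]$Path,
        [Parameter(Mandatory)][System.Security.Principal.SecurityIdentifier]$Sid,
        [guid]$ObjectType = [guid]::Empty
    )
    $acl = Get-Acl -Path $Path
    $toRemove = @($acl.Access | Where-Object {
        -not $_.IsInherited -and
        $_.IdentityReference.Translate($sidType) -eq $Sid -and
        ($ObjectType -eq [guid]::Empty -or $_.ObjectType -eq $ObjectType)
    })
    # RemoveAccessRuleSpecific deletes exactly the matching ACE rather than subtracting rights
    # from every ACE of that identity.
    foreach ($ace in $toRemove) { [void]$acl.RemoveAccessRuleSpecific($ace) }
    if ($toRemove.Count -gt 0) { Set-Acl -Path $Path -AclObject $acl }
    $toRemove.Count
}

# Step 1: the two ACEs defined on the Staff OU itself (Full Control on users, Create/Delete User Objects).
'Removed {0} explicit ACE(s) for Admins on {1}' -f (Remove-ExplicitAces -Path "AD:\$ouDN" -Sid $adminsSid), $ouDN

# Step 2: the Create Computer Objects ACE is inherited by the OU; remove it where it is defined.
'Removed {0} computer-object ACE(s) for Admins on {1}' -f `
    (Remove-ExplicitAces -Path "AD:\$domainDN" -Sid $adminsSid -ObjectType $computerGuid), $domainDN

# Check: nothing inherited or explicit should name Admins on the OU any more.
$left = @((Get-Acl -Path "AD:\$ouDN").Access |
          Where-Object { $_.IdentityReference.Translate($sidType) -eq $adminsSid })
"ACEs still naming Admins on $ouDN : $($left.Count)"
```

If the final count is not 0, list the remaining entries with their IsInherited flag: an inherited one points at yet another parent container where Admins was delegated something, and that is where the next deletion has to happen.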
On the other hand, you might want to allow the Admins group to perform some additional tasks (after the Delegation of Control Wizard has been executed once, or at any moment). Click Edit on the Permissions tab (see Fig. 8.5). The Permission Entry window allows you to define permissions (or delegate/revoke administrative control, which is the same thing) on the selected object with greater granularity than the wizard allows. As you can see in Fig. 8.6, there is a large number of individual operations that you can allow or deny to the selected user or group.
Fig. 8.6: "Fine tuning" of permissions on the selected directory object