Delegating Control of an OU

Inheritance and delegation are probably two of the most important features of Active Directory management. We already discussed how inheritance is used to allow the permissions set on a parent object to be automatically propagated to the child objects. This simplifies the administrative tasks of the directory because the network administrator does not have to manually assign permissions on each object.

Through the use of delegation, the network administrator can grant specific administrative rights for containers and objects to users or groups. This allows selected users to perform some of the management and administrative tasks that would normally be the responsibility of the network administrator. Properly used, this has the potential to lighten the administrator's workload and push specific administrative duties down the hierarchy closer to the end user, where they can usually be performed more efficiently.

For example, if you have a department that prefers to manage itself, either for security or political reasons, you can create an OU that contains all the users, computers, and resources for that department. Then you can assign full control for that OU to an administrators group that consists of the users who are the designated administrators of that department.

In Windows NT, the domain was the administrative and security boundary. Starting with the Windows 2000 versions of Active Directory, although the domain can be used in the same way, it is advantageous to use the OU in this role because OUs are easier to create, delete, move, and modify than domains are.

Windows Server 2003 allows the administrator to delegate the ability to create, delete, or modify objects at the container, OU, object, or property level. In most cases, it will be best to not assign administrative control at lower than the container or OU level.

Note: Containers?

If you look closely in the left pane of the Active Directory Users and Computers MMC, you will notice that all the folder icons are not the same. Some icons are plainthese are containers. The other icons have an open folder label on themthese are OUs. Most of the containers are automatically created by the operating system, and control of some of them cannot be delegated.

The Delegation of Control Wizard should be used to delegate administrative control of OUs and containers. The wizard allows you to select the OUs and objects to be controlled, the user or group to which you want to delegate control, and the permissions to access and modify objects. To grant permissions at the property level, you must manually configure the properties of the objects.

The Delegation of Control Wizard is available in the Active Directory Users and Computers snap-in. It will lead you step by step through the process of delegating control at the OU or container level.

To see how the wizard accomplishes these types of tasks, follow the procedure outlined in Step by Step 8.6 to delegate control of the Kansas City\Users OU to members of the Managers Group.

Step by Step

8.6 Using the Delegation of Control Wizard

1.	Select Start, Programs, Administrative Tools, and then select Active Directory Users and Computers.
2.	Select the desired domain, select the Kansas City OU, and then right-click the Users OU.
3.	From the pop-up menu, select Delegate Control. The Delegate Control Wizard starts.
4.	The Welcome to the Delegation of Control Wizard window appears. Click Next to continue.
5.	The Users or Groups window appears; click Add. The Select Users, Computers, or Groups window appears.

6.	Enter the Managers group. Click OK to continue. You are returned to the Users or Groups window, as shown in Figure 8.9. Click Next to continue. Figure 8.9. The Users or Groups dialog box, showing the selected group.
7.	The Tasks to Delegate window appears, as shown in Figure 8.10. This window displays tasks that will typically be delegated, such as creating and modifying user accounts or groups and resetting passwords. This is where you would configure access for a help desk group that would normally need to work with user accounts, reset passwords, and so on. Because we are delegating complete control over the OU, we will select the Create a Custom Task to Delegate option button. Click Next to continue. Figure 8.10. The Tasks to Delegate dialog box, showing some of the delegatable tasks.

8.	The Active Directory Object Type window appears (see Figure 8.11). This window allows you to specify individual object types to delegate control of. Because we are delegating control of the entire OU, we will select the This Folder, Existing Objects in This Folder, and Creation of New Objects in This Folder option button. Click Next to continue. Figure 8.11. Showing the object types that can be delegated.

9.	The Permissions dialog box appears, as shown in Figure 8.12. In this window, you can choose from three levels of permissions: General Property-specific Creation/Deletion of Specific Child Objects Figure 8.12. The Permissions dialog box; selecting General and Full Control automatically selects all the other options. Because we are delegating full control of the OU, we will select General, and then select the Full Control check box. Click Next to continue.

10.	The Summary window appears. Review the items to make sure they are correct. If not, click the Back button and make the necessary corrections, and then click Finish.

The proper use of delegation can also enhance network security. In Windows NT, few of the administrative tasks could be assigned to other users. Because of this, it was necessary to give more people user accounts with administrative access than it was probably wise to do. By being able to delegate specific tasks and control the level of access at a granular level, you can limit the number of accounts that are members of the Domain Admins group to a highly trusted few.

Exam Alert: Limitations of the Delegation of Control Wizard

The Delegation of Control Wizard can only apply permissions, not remove them. In addition, if you run the wizard multiple times, the permissions assigned are cumulative, and cannot be viewed using the wizard. To view and remove the permissions, you will have to view the Security tab for the object that you assigned permissions on using the wizard. Watch for Delegation of Control Wizard questions on the exam.

Step by Step

Figure 8.9. The Users or Groups dialog box, showing the selected group.

Figure 8.10. The Tasks to Delegate dialog box, showing some of the delegatable tasks.

Figure 8.11. Showing the object types that can be delegated.

Figure 8.12. The Permissions dialog box; selecting General and Full Control automatically selects all the other options.