Delegating administration within Active Directory enables you to assign various levels of access and control to groups and users. Windows Server 2003 gives you the flexibility to grant control of a very focused access that might span the entire enterprise, or to grant entire control over a very limited scope of the directory. Delegating control also makes your network more secure by limiting the membership of the top-level domain and enterprise administrator groups.

Delegation Through Organizational Units

You can delegate control to any level of the domain tree by creating Organizational Units (OUs) and then delegating control of particular OUs to the groups or users that you have chosen. To determine what OUs to create, consider the structure of your organization. For example, you might want to grant administrative control of all users and computers that are associated with a particular department, like Sales, to a particular group or individual. The best way to accomplish this is to create an OU for Sales, place all Sales users and computers in that OU, and then delegate control of the Sales OU to your chosen Sales department admin or administrative group.

You can delegate administration of your Sales department with more granularity by nesting OUs. For example, you could delegate control of computer accounts to one group, and delegate control of user accounts to another group, by creating nested OUs under the Sales OU as shown in Figure 4.1.

Figure 4.1. Nesting OUs for granular delegation.
It Is Important to Keep in Mind... that although you have the capability to create multiple OUs in your directory, it might not be advisable to do so. You should only add an OU to a domain if a group needs special administrative control over a set of Active Directory objects. Group Policies are covered in detail in Chapter 6, "Implementing Group Policies."

Delegating Simple Administrative Tasks

The Delegation of Control Wizard, as its name implies, enables you to delegate administrative control by using a wizard that guides you through the setup process. You can set varying levels of control using the wizard, even limiting the scope of the delegated control to a single operation. For example, you might want to give a group the capability to do nothing more than reset passwords on user accounts in a particular OU. The process by which the wizard is used to accomplish this delegation is as follows:
Delegating Custom Tasks

In addition to enabling you to delegate common tasks like resetting user account passwords, the Delegation of Control Wizard provides an enormous variety of custom tasks for delegation. For example, you might want to grant the permission to create and remove computer accounts in a specific OU to a particular group. To perform this delegation, follow these steps to set the custom task:
The Ability to Delegate Tasks with This Level of Granularity Can Be Useful

The ability to delegate tasks with this level of granularity can be useful in an automated desktop deployment scenario where adding the new desktop computer accounts to the domain is a scripted function following an automated image process. The script can leverage a user account that has the previous example's delegated permission, but with no other functional administrative access.
If you need to see the permissions granted at a specific OU level, do the following:
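The three operations this chapter describes (delegating password resets on user accounts, delegating creation and deletion of computer accounts in one OU, and inspecting what has been delegated at an OU) come down to access control entries on the OU's security descriptor. The following script is an added example, not code from the book, and it uses the ActiveDirectory PowerShell module and the AD: drive, which arrived with later Windows versions rather than the Windows Server 2003 tooling the chapter assumes. The domain, OU distinguished name and group names are constructed placeholders; the GUIDs are the well-known values for the "Reset Password" extended right and the user and computer schema classes. The reset-password delegation here grants only the Reset Password right; the wizard's equivalent task additionally grants write access to the pwdLastSet attribute for the "force change at next logon" part, which is left out to keep the example focused.

```powershell
# Added example (not from the book): audit and set OU-level delegation with the
# ActiveDirectory module. Names below are constructed placeholders for a
# hypothetical domain "example.com".
Import-Module ActiveDirectory

# Well-known GUIDs behind the two delegations discussed in the text.
$ResetPasswordRight = [Guid]'00299570-246d-11d0-a768-00aa006e0529'  # "Reset Password" control access right
$UserClass          = [Guid]'bf967aba-0de6-11d0-a285-00aa003049e2'  # schemaIDGUID of class "user"
$ComputerClass      = [Guid]'bf967a86-0de6-11d0-a285-00aa003049e2'  # schemaIDGUID of class "computer"

# Build a GUID -> friendly-name table from the forest's own schema and extended
# rights so audit output reads "Reset Password" / "user" instead of raw GUIDs.
function Get-AdGuidMap {
    $root = Get-ADRootDSE
    $map  = @{}
    Get-ADObject -SearchBase $root.configurationNamingContext `
        -LDAPFilter '(&(objectClass=controlAccessRight)(rightsGuid=*))' `
        -Properties rightsGuid, displayName |
        ForEach-Object { $map[[Guid]$_.rightsGuid] = $_.displayName }
    Get-ADObject -SearchBase $root.schemaNamingContext `
        -LDAPFilter '(schemaIDGUID=*)' -Properties schemaIDGUID, lDAPDisplayName |
        ForEach-Object { $map[[Guid]$_.schemaIDGUID] = $_.lDAPDisplayName }
    return $map
}

function Resolve-AdGuid([hashtable]$Map, [Guid]$Guid) {
    if ($Guid -eq [Guid]::Empty)   { return 'All' }       # ACE applies to every object/attribute
    if ($Map.ContainsKey($Guid))   { return $Map[$Guid] }
    return $Guid.ToString()                                # unknown GUID: show it verbatim
}

# Show only ACEs set directly on the OU (inherited ones come from the domain or a
# parent OU); this is the "what has been delegated at this OU" check.
function Get-OUDelegation {
    param([Parameter(Mandatory)][string]$OuDn)
    $map = Get-AdGuidMap
    (Get-Acl -Path "AD:\$OuDn").Access |
        Where-Object { -not $_.IsInherited } |
        ForEach-Object {
            [pscustomobject]@{
                Trustee     = $_.IdentityReference.Value
                Type        = $_.AccessControlType
                Rights      = $_.ActiveDirectoryRights
                AppliesTo   = Resolve-AdGuid $map $_.ObjectType           # right/attribute/child class
                InheritedTo = Resolve-AdGuid $map $_.InheritedObjectType  # which descendant class
                Inheritance = $_.InheritanceType
            }
        }
}

# Add one Allow ACE to the OU. Rights, ObjectType and Inheritance mirror the
# wizard's "permissions", "object type" and "apply to" choices.
function Add-OUDelegation {
    param(
        [Parameter(Mandatory)][string]$OuDn,
        [Parameter(Mandatory)][string]$GroupName,
        [Parameter(Mandatory)][System.DirectoryServices.ActiveDirectoryRights]$Rights,
        [Guid]$ObjectType = [Guid]::Empty,
        [System.DirectoryServices.ActiveDirectorySecurityInheritance]$Inheritance = 'All',
        [Guid]$InheritedObjectType = [Guid]::Empty
    )
    $sid = (Get-ADGroup -Identity $GroupName).SID
    $ace = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
        $sid, $Rights, [System.Security.AccessControl.AccessControlType]::Allow,
        $ObjectType, $Inheritance, $InheritedObjectType)
    $acl = Get-Acl -Path "AD:\$OuDn"
    $acl.AddAccessRule($ace)
    Set-Acl -Path "AD:\$OuDn" -AclObject $acl
}

$salesOu = 'OU=Sales,DC=example,DC=com'   # constructed placeholder

# 1. Help desk may reset passwords, and only on user objects beneath Sales.
Add-OUDelegation -OuDn $salesOu -GroupName 'SalesHelpDesk' -Rights ExtendedRight `
    -ObjectType $ResetPasswordRight -Inheritance Descendents -InheritedObjectType $UserClass

# 2. Deployment group may create and delete computer objects in Sales and nothing
#    else: the least-privilege account an imaging script would run under.
Add-OUDelegation -OuDn $salesOu -GroupName 'SalesDeploy' `
    -Rights 'CreateChild, DeleteChild' -ObjectType $ComputerClass

# 3. Verify what is now delegated at the OU.
Get-OUDelegation -OuDn $salesOu | Format-Table -AutoSize
```

Filtering on IsInherited in Get-OUDelegation is the part worth keeping in a periodic review: the explicit entries are exactly the delegations someone added at this OU, so a new trustee or a wider right appearing there is what an auditor wants to notice.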