Leveraging the Delegation of Control Wizard


Delegating administration within Active Directory enables you to assign various levels of access and control to groups and users. Windows Server 2003 gives you the flexibility to grant control of a very focused access that might span the entire enterprise, or to grant entire control over a very limited scope of the directory. Delegating control also makes your network more secure by limiting the membership of the top level domain and enterprise administrator groups.

Delegation Through Organizational Units

You can delegate control to any level of the domain tree by creating Organizational Units (OUs) and then delegating control of particular OUs to the groups or users that you have chosen. To determine what OUs to create, consider the structure of your organization.

For example, you might want to grant administrative control of all users and computers that are associated with a particular department, like Sales, to a particular group or individual. The best way to accomplish this is to create an OU for Sales, place all Sales users and computers in that OU, and then delegate control of the Sales OU to your chosen Sales department admin or administrative group.

You can delegate administration of your Sales department with more granularity by nesting OUs. For example, you could delegate control of computer accounts to one group and control of user accounts to another group by creating nested OUs under the Sales OU, as shown in Figure 4.1.

Figure 4.1. Nesting OUs for granular delegation.


It Is Important to Keep in Mind...

that although you have the capability to create multiple OUs in your directory, it might not be advisable to do so. You should only add an OU to a domain if a group needs special administrative control over a set of Active Directory objects. Group Policies are covered in detail in Chapter 6, "Implementing Group Policies."


Delegating Simple Administrative Tasks

The Delegation of Control Wizard, as its name implies, enables you to delegate administrative control by using a wizard that guides you through the setup process. You can set varying levels of control using the wizard, even limiting the scope of the delegated control to a single operation.

For example, you might want to give a group the capability to do nothing more than reset passwords on user accounts in a particular OU. The process by which the wizard is used to accomplish this delegation is as follows:

  1. In Active Directory Users and Computers, right-click the OU where you want to delegate permissions and choose Delegate Control.

  2. Click Next at the Delegation of Control Wizard Welcome screen.

  3. Click Add to select the group you want to grant access to.

  4. Type in the name of the group and click OK.

  5. Click Next to continue.

  6. Under Delegate the Following Common Tasks, choose the appropriate permission; for this example choose Reset User Passwords and Force Password Change at Next Logon (see Figure 4.2). Then click Next.

    Figure 4.2. Choosing delegation of common task.


  7. Click Finish to finalize the changes.

Delegating Custom Tasks

In addition to enabling you to delegate common tasks like resetting user account passwords, the Delegation of Control Wizard provides an enormous variety of custom tasks for delegation. For example, you might want to grant the permission to create and remove computer accounts from a specific OU to a particular group. To perform this delegation, follow these steps to set the custom task:

  1. In Active Directory Users and Computers, right-click the OU where you want to delegate permissions and choose Delegate Control.

  2. Click Next at the Delegation of Control Wizard Welcome screen.

  3. Click Add to select the group to which you want to give access.

  4. Type in the name of the group and click OK.

  5. Click Next to continue.

  6. Select Create a Custom Task to Delegate and click Next.

  7. Under Delegate Control Of, choose Only the Following Objects in the Folder.

  8. Check Computer Objects and then click Next.

  9. Under Permissions, check Create All Child Objects and Delete All Child Objects as shown in Figure 4.3. Click Next.

    Figure 4.3. Setting Permissions for Custom Tasks.


  10. Click Finish to finalize the changes.
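The wizard writes access control entries (ACEs) onto the OU's security descriptor, which is also what makes delegation scriptable and repeatable. The following PowerShell is an added example, not code from the book, that applies both delegations described above (the common task "Reset User Passwords and Force Password Change at Next Logon" and the custom task of creating and deleting computer objects) without the wizard. It assumes the ActiveDirectory module (RSAT) and its AD: drive are available, that the caller already has rights to modify the OU's security descriptor, and that the OU distinguished name and group name in the usage lines at the bottom are placeholders you replace with your own. The extended-right and schema GUIDs are looked up from the directory rather than hardcoded.

```powershell
# Added example: apply the chapter's two delegations as explicit ACEs on an OU.
# Assumes the ActiveDirectory module (RSAT) is installed; the AD: drive it provides
# lets Get-Acl/Set-Acl work on directory objects.
Import-Module ActiveDirectory

# Resolve an extended right (e.g. "Reset Password") to its rightsGuid from the
# Configuration partition, instead of hardcoding the GUID.
function Get-AdExtendedRightGuid {
    param([Parameter(Mandatory)][string]$DisplayName)
    $configNC = (Get-ADRootDSE).configurationNamingContext
    $right = Get-ADObject -SearchBase "CN=Extended-Rights,$configNC" `
        -LDAPFilter "(displayName=$DisplayName)" -Properties rightsGuid
    if (-not $right) { throw "Extended right '$DisplayName' not found" }
    [guid]$right.rightsGuid
}

# Resolve an attribute or class (e.g. "user", "computer", "pwdLastSet") to its
# schemaIDGUID from the Schema partition.
function Get-AdSchemaGuid {
    param([Parameter(Mandatory)][string]$LdapDisplayName)
    $schemaNC = (Get-ADRootDSE).schemaNamingContext
    $obj = Get-ADObject -SearchBase $schemaNC `
        -LDAPFilter "(lDAPDisplayName=$LdapDisplayName)" -Properties schemaIDGUID
    if (-not $obj) { throw "Schema object '$LdapDisplayName' not found" }
    [guid]$obj.schemaIDGUID   # schemaIDGUID is stored as a byte array
}

# Build one object-specific ACE. $ObjectType scopes the right (an extended right,
# attribute, or child class); $InheritedObjectType limits inheritance to one class.
function New-AdAce {
    param(
        [Parameter(Mandatory)][System.Security.Principal.SecurityIdentifier]$Sid,
        [Parameter(Mandatory)][System.DirectoryServices.ActiveDirectoryRights]$Rights,
        [guid]$ObjectType = [guid]::Empty,
        [System.DirectoryServices.ActiveDirectorySecurityInheritance]$Inheritance = 'All',
        [guid]$InheritedObjectType = [guid]::Empty
    )
    New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
        $Sid, $Rights, [System.Security.AccessControl.AccessControlType]::Allow,
        $ObjectType, $Inheritance, $InheritedObjectType)
}

# Append the given ACEs to the OU's DACL. Existing entries are left untouched.
function Add-OuDelegation {
    param(
        [Parameter(Mandatory)][string]$OuDistinguishedName,
        [Parameter(Mandatory)][System.DirectoryServices.ActiveDirectoryAccessRule[]]$Rules
    )
    $acl = Get-Acl -Path "AD:\$OuDistinguishedName"
    foreach ($rule in $Rules) { [void]$acl.AddAccessRule($rule) }
    Set-Acl -Path "AD:\$OuDistinguishedName" -AclObject $acl
}

# Delegation 1 (common task): reset passwords and force change at next logon.
# Both ACEs inherit only to descendant user objects, so nothing else in the OU is affected.
function Grant-ResetPasswordDelegation {
    param([Parameter(Mandatory)][string]$OuDistinguishedName,
          [Parameter(Mandatory)][string]$GroupSamAccountName)
    $sid       = (Get-ADGroup -Identity $GroupSamAccountName).SID
    $userClass = Get-AdSchemaGuid -LdapDisplayName 'user'
    $rules = @(
        # Extended right "Reset Password" on user objects
        (New-AdAce -Sid $sid -Rights ExtendedRight `
            -ObjectType (Get-AdExtendedRightGuid -DisplayName 'Reset Password') `
            -Inheritance Descendents -InheritedObjectType $userClass),
        # Read/Write pwdLastSet so the group can force a change at next logon
        (New-AdAce -Sid $sid -Rights ([System.DirectoryServices.ActiveDirectoryRights]'ReadProperty, WriteProperty') `
            -ObjectType (Get-AdSchemaGuid -LdapDisplayName 'pwdLastSet') `
            -Inheritance Descendents -InheritedObjectType $userClass)
    )
    Add-OuDelegation -OuDistinguishedName $OuDistinguishedName -Rules $rules
}

# Delegation 2 (custom task): create and delete computer objects in the OU.
# The right is scoped to the computer class only, matching the chapter's intent
# of giving a deployment account no other administrative access.
function Grant-ComputerObjectDelegation {
    param([Parameter(Mandatory)][string]$OuDistinguishedName,
          [Parameter(Mandatory)][string]$GroupSamAccountName)
    $sid           = (Get-ADGroup -Identity $GroupSamAccountName).SID
    $computerClass = Get-AdSchemaGuid -LdapDisplayName 'computer'
    $rules = @(
        (New-AdAce -Sid $sid -Rights CreateChild -ObjectType $computerClass -Inheritance All),
        (New-AdAce -Sid $sid -Rights DeleteChild -ObjectType $computerClass -Inheritance All)
    )
    Add-OuDelegation -OuDistinguishedName $OuDistinguishedName -Rules $rules
}

# Usage (placeholder OU and group names; replace with your own):
# Grant-ResetPasswordDelegation  -OuDistinguishedName 'OU=Sales,DC=example,DC=com' -GroupSamAccountName 'Sales-Helpdesk'
# Grant-ComputerObjectDelegation -OuDistinguishedName 'OU=Sales,DC=example,DC=com' -GroupSamAccountName 'Desktop-Deployment'
```

Scoping each ACE with an object GUID is the point of the example: the reset-password rights apply only to descendant user objects, and the create/delete rights only to the computer class, so the group gains nothing beyond the delegated function. Because this appends to the existing DACL, run it once per delegation and review the result before relying on it.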

The Ability to Delegate Tasks with This Level of Granularity Can Be Useful

The ability to delegate tasks with this level of granularity can be useful in an automated desktop deployment scenario where adding the new desktop computer accounts to the domain is a scripted function following an automated image process. The script can leverage a user account that has the previous example's delegated permission, but with no other functional administrative access.


BEST PRACTICE: Delegation of Administration

Keep in mind that when you use the Delegation of Control Wizard, you are altering the default security configuration of your Active Directory. Improper use of the wizard can create security vulnerabilities that might compromise service-level agreements and business policies. To get the most out of administrative delegation in a secure fashion, follow these best practices:

  • Use the Delegation of Control Wizard Sparingly: Because permissions can be inherited from parent containers, resist making duplicate delegations on child objects. A simpler administrative design is easier to manage.

  • Testing the Intended Scope: After you make a change through the Delegation of Control Wizard, test to make sure that the change has the intended scope. Log into the domain as a user of the group granted access and make sure that the user has the permission to perform the delegated function. Also test that the user cannot perform additional functions, or perform the delegated function outside the scope of the delegation.

  • Document Your Changes: Although the Delegation of Control Wizard is an easy tool to use to grant permissions, it does not generate reports on the changes you make. You should maintain a document that details what permissions have been granted to whom, and at what level.


If you need to see the permissions granted at a specific OU level, do the following:

  1. In Active Directory Users and Computers, right-click the OU for which you want to review permissions and choose Properties.

  2. Click on the Security tab and then click Advanced.

  3. Under Permission Entries, double-click the group or user to whom you granted permissions.

  4. You can view and edit the special permissions in the Permissions section, as shown in Figure 4.4.

    Figure 4.4. Viewing delegated permissions.

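Because the wizard produces no report, the review procedure above is the only built-in way to see what was delegated. The following PowerShell is an added example, not code from the book, that does the same review from a script: it lists the explicit (non-inherited) ACEs on an OU, translates the object-type GUIDs back into attribute, class, or extended-right names so they read like the Permissions dialog in Figure 4.4, and can export the result to CSV as the record the "Document Your Changes" practice asks for. It assumes the ActiveDirectory module (RSAT) and its AD: drive; the OU distinguished name in the usage lines is a placeholder.

```powershell
# Added example: report the explicit delegations on an OU in human-readable form.
# Assumes the ActiveDirectory module (RSAT) is installed.
Import-Module ActiveDirectory

# Build a GUID -> name map from the schema (classes and attributes) and the
# Extended-Rights container (extended rights and property sets). Both are read
# once; the schema query is the slow part, so cache the map when reviewing many OUs.
function Get-AdGuidNameMap {
    $root = Get-ADRootDSE
    $map = @{ ([guid]::Empty) = 'All objects/properties' }
    Get-ADObject -SearchBase $root.schemaNamingContext -LDAPFilter '(schemaIDGUID=*)' `
        -Properties lDAPDisplayName, schemaIDGUID |
        ForEach-Object { $map[[guid]$_.schemaIDGUID] = $_.lDAPDisplayName }
    Get-ADObject -SearchBase "CN=Extended-Rights,$($root.configurationNamingContext)" `
        -LDAPFilter '(rightsGuid=*)' -Properties displayName, rightsGuid |
        ForEach-Object { $map[[guid]$_.rightsGuid] = $_.displayName }
    $map
}

function Resolve-AdGuidName {
    param([hashtable]$Map, [guid]$Guid)
    if ($Map.ContainsKey($Guid)) { $Map[$Guid] } else { $Guid.ToString() }
}

# Return one record per explicit ACE on the OU. Inherited entries are skipped
# because they were set higher in the tree, not by a delegation on this OU.
function Get-OuDelegation {
    param(
        [Parameter(Mandatory)][string]$OuDistinguishedName,
        [hashtable]$GuidMap = (Get-AdGuidNameMap)
    )
    $acl = Get-Acl -Path "AD:\$OuDistinguishedName"
    $acl.Access | Where-Object { -not $_.IsInherited } | ForEach-Object {
        [pscustomobject]@{
            OU             = $OuDistinguishedName
            Identity       = $_.IdentityReference.Value
            Type           = $_.AccessControlType.ToString()
            Rights         = $_.ActiveDirectoryRights.ToString()
            AppliesTo      = Resolve-AdGuidName -Map $GuidMap -Guid $_.ObjectType
            Inheritance    = $_.InheritanceType.ToString()
            InheritsTo     = Resolve-AdGuidName -Map $GuidMap -Guid $_.InheritedObjectType
        }
    }
}

# Scope check for the "Testing the Intended Scope" practice: flag any explicit
# entry for the named identity that is broader than an object-specific right,
# i.e. applies to all object types or grants GenericAll/WriteDacl/WriteOwner.
function Test-OuDelegationScope {
    param(
        [Parameter(Mandatory)][string]$OuDistinguishedName,
        [Parameter(Mandatory)][string]$Identity,      # e.g. 'EXAMPLE\Sales-Helpdesk'
        [hashtable]$GuidMap = (Get-AdGuidNameMap)
    )
    $broad = [System.DirectoryServices.ActiveDirectoryRights]'GenericAll, WriteDacl, WriteOwner'
    $acl = Get-Acl -Path "AD:\$OuDistinguishedName"
    $acl.Access | Where-Object {
        -not $_.IsInherited -and $_.IdentityReference.Value -eq $Identity -and (
            $_.ObjectType -eq [guid]::Empty -or ($_.ActiveDirectoryRights -band $broad) -ne 0
        )
    } | ForEach-Object {
        [pscustomobject]@{
            Identity  = $_.IdentityReference.Value
            Rights    = $_.ActiveDirectoryRights.ToString()
            AppliesTo = Resolve-AdGuidName -Map $GuidMap -Guid $_.ObjectType
            Finding   = 'Broader than an object-specific delegation; verify this is intended'
        }
    }
}

# Usage (placeholder OU and identity; replace with your own):
# $map = Get-AdGuidNameMap
# Get-OuDelegation -OuDistinguishedName 'OU=Sales,DC=example,DC=com' -GuidMap $map | Format-Table -AutoSize
# Get-OuDelegation -OuDistinguishedName 'OU=Sales,DC=example,DC=com' -GuidMap $map |
#     Export-Csv -NoTypeInformation -Path .\Sales-OU-delegation.csv
# Test-OuDelegationScope -OuDistinguishedName 'OU=Sales,DC=example,DC=com' -Identity 'EXAMPLE\Sales-Helpdesk' -GuidMap $map
```

Keeping the exported CSV under version control alongside a change ticket gives the written record the best practice calls for, and re-running the report after each wizard use shows exactly which entries changed. The scope check is deliberately conservative: a GUID of all zeros means the ACE is not limited to a particular attribute, class, or extended right, which is the usual sign that a custom delegation was made wider than intended.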



Microsoft Windows Server 2003 Insider Solutions
ISBN: 0672326094
Year: 2003
Pages: 325