Using OUs to Delegate Administration


As previously mentioned, one of the most important reasons for creating an OU structure in Active Directory is for the purpose of delegating administration to a separate administrator or administrative group. Whereas in NT 4.0 separate domains were necessary for this type of functionality, Active Directory allows for this level of administrative granularity in a single domain. This concept is further illustrated in this section.

Essentially, the role of the NT resource domain has been replaced by the concept of the organizational unit. A group of users can be easily granted specific levels of administrative access to a subset of users. For example, a remote IT group can be granted standard user creation/deletion/password-change privileges to its own OU. The process of delegating this type of access is quite simple and involves the following steps:

1. In Active Directory Users and Computers, right-click the OU where you want to delegate permissions and choose Delegate Control.

2. Click Next at the Welcome screen.

3. Click Add to select the group you want to give access to.

4. Type in the name of the group and click OK.

5. Click Next to continue.

6. Under Delegate the Following Common Tasks, choose the permissions you want (in the example shown in Figure 6.8, Create, Delete, and Manage User Accounts) and then click Next.

Figure 6.8. Choosing delegation of common tasks.

7. Click Finish to finalize the changes.

In fact, the Delegation of Control Wizard allows for an extremely specific degree of administrative granularity. If desired, an administrator can delegate a group of users to be able to modify only phone numbers or similar functionality for users in a specific OU. Custom tasks can be created and enabled on OUs to accomplish this and many other administrative tasks. For the most part, a very large percentage of all the types of administration that could possibly be required for delegation can work in this way. To use the phone administration example, follow these steps to set up custom delegation:

1. In Active Directory Users and Computers, right-click the OU where you want to delegate permissions and choose Delegate Control.

2. Click Next at the Welcome screen.

3. Click Add to select the group to which you want to give access.

4. Type in the name of the group and click OK.

5. Click Next to continue.

6. Select Create a Custom Task to Delegate and click Next.

7. Under Delegate Control Of, choose Only the Following Objects in the Folder.

8. Check Users Objects and click Next.

9. Uncheck the Property-Specific check box.

10. Under Permissions, check Read and Write Phone and Mail Options, as shown in Figure 6.9, and click Next.

Figure 6.9. Selecting delegate permissions.

11. Click Finish to finalize the changes.

The possible variations are enormous, but the concept is sound. Active Directory's capability to delegate administrative functionality to this degree of granularity is one of the major advantages inherent in Windows Server 2003.
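As an added example that is not from the book, the same two delegations (create/delete user accounts with password reset, and read/write of the Phone and Mail Options property set) applied with the Active Directory PowerShell module instead of the wizard. It assumes PowerShell 5 or later with the RSAT ActiveDirectory module and a domain controller reachable over ADWS; $ouDN and $groupSam are placeholders, and the GUIDs are resolved from the schema and Extended-Rights containers rather than hard-coded.

```powershell
# Added example, not from the book: delegate OU administration with the
# ActiveDirectory module. $ouDN and $groupSam below are placeholders.
Import-Module ActiveDirectory

$ouDN     = 'OU=Remote Site,DC=companyabc,DC=com'   # placeholder OU
$groupSam = 'RemoteSiteAdmins'                       # placeholder group

$rootDse  = Get-ADRootDSE
$schemaNC = $rootDse.schemaNamingContext
$rightsNC = "CN=Extended-Rights,$($rootDse.configurationNamingContext)"

# Resolve the GUIDs the ACEs refer to from the forest itself instead of hard-coding them.
$userClass = [Guid](Get-ADObject -SearchBase $schemaNC -LDAPFilter '(lDAPDisplayName=user)' `
                 -Properties schemaIDGUID).schemaIDGUID
$phoneMail = [Guid](Get-ADObject -SearchBase $rightsNC -LDAPFilter '(displayName=Phone and Mail Options)' `
                 -Properties rightsGuid).rightsGuid
$resetPwd  = [Guid](Get-ADObject -SearchBase $rightsNC -LDAPFilter '(displayName=Reset Password)' `
                 -Properties rightsGuid).rightsGuid

$sid   = (Get-ADGroup -Identity $groupSam).SID
$allow = [System.Security.AccessControl.AccessControlType]::Allow
$acl   = Get-Acl -Path "AD:\$ouDN"

# Helper (hypothetical name) that builds one object-specific ACE for the group.
function New-OuAce {
    param($Rights, [Guid]$ObjectType, $Inheritance, [Guid]$InheritedObjectType = [Guid]::Empty)
    [System.DirectoryServices.ActiveDirectoryAccessRule]::new(
        $sid, [System.DirectoryServices.ActiveDirectoryRights]$Rights, $allow,
        $ObjectType, [System.DirectoryServices.ActiveDirectorySecurityInheritance]$Inheritance,
        $InheritedObjectType)
}

# Procedure 1: create and delete user objects in the OU and any sub-OUs...
$acl.AddAccessRule((New-OuAce 'CreateChild, DeleteChild' $userClass 'All'))
# ...and reset passwords on the user objects underneath it.
$acl.AddAccessRule((New-OuAce 'ExtendedRight' $resetPwd 'Descendents' $userClass))
# Procedure 2: read and write only the Phone and Mail Options property set of users.
$acl.AddAccessRule((New-OuAce 'ReadProperty, WriteProperty' $phoneMail 'Descendents' $userClass))
Set-Acl -Path "AD:\$ouDN" -AclObject $acl

# Verify what the group now holds on the OU; review it as you would any privilege grant.
(Get-Acl -Path "AD:\$ouDN").Access |
    Where-Object { $_.IdentityReference.Value -like "*\$groupSam" } |
    Select-Object ActiveDirectoryRights, ObjectType, InheritedObjectType, InheritanceType
```

The wizard's Create, Delete, and Manage User Accounts common task bundles broader rights over user objects than the explicit create/delete plus Reset Password granted here, so the final query lists exactly what was delegated and nothing implied by a bundle.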




Microsoft Windows Server 2003 Unleashed (R2 Edition)
ISBN: 0672328984
Year: 2006
Pages: 499