Delegating Control


Obviously, one of the simplest ways to minimize your administrative chores is to delegate them. In a Windows NT network, the usual way to grant broad administrative rights is to make users members of the Domain Admins group. Or you can parcel out administrative rights through some combination of other groups such as Print Operators or Server Operators.

These groups are still available, but Windows 2000 makes delegation even simpler: it allows you to assign responsibility for management of some portion of the namespace to another user or group. The recipient of the delegated authority can have complete administrative control within the area chosen but not the sweeping administrative rights inherent in being a member of the Domain Admins group.

Assign control by organizational unit (OU) whenever possible, because assigning permissions at the object level quickly becomes too complicated to be worthwhile. Records of security assignments are critical, so keep track of all delegations. To delegate control, use the Delegation of Control Wizard, which always assigns permissions at the OU level. (Detailed descriptions of permissions are provided in Chapter 9. For more on the planning and deployment of security policies, see Chapters 17 and 18.) To use the wizard, follow these steps:

  1. Open Active Directory Users and Computers from the Administrative Tools menu.
  2. Double-click the domain node, and then right-click the container whose control you want to delegate and choose Delegate Control from the shortcut menu. This starts the Delegation of Control Wizard. Click Next.
  3. Click the Add button to select the user or group to be granted control. Make your selection from the Select Users, Computers, or Groups screen (Figure 10-14).

    Figure 10-14. Selecting the recipients of delegated control.

  4. In the Tasks to Delegate screen, select the tasks that you want to delegate. Select predefined tasks or click Create a Custom Task. Click Next.
  5. If you selected a predefined task, you're essentially finished. Review the summary and click Finished.
  6. If you selected Create a Custom Task, you're presented with more specific choices as to what objects you're delegating control on and the specific permissions to be granted. When those choices are made, you'll see a summary of the delegation. Click Finished.
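The wizard keeps no log of what it granted, so the record of delegations has to be read back from the OU access control lists. The script below is an added example, not from the book: it assumes a current domain with the ActiveDirectory PowerShell module (which postdates Windows 2000), English group names, and a hypothetical output file name.

```powershell
# Added example: inventory explicit (non-inherited) Allow ACEs on every OU,
# which is where the Delegation of Control Wizard writes its permissions.
# Assumes the ActiveDirectory module (RSAT) and read access to the directory.
Import-Module ActiveDirectory

$root = Get-ADRootDSE

# Translate schema and extended-right GUIDs into readable names.
$guidMap = @{}
$guidMap[[guid]::Empty] = 'All'
Get-ADObject -SearchBase $root.schemaNamingContext -LDAPFilter '(schemaIDGUID=*)' `
        -Properties lDAPDisplayName, schemaIDGUID |
    ForEach-Object { $guidMap[[guid]$_.schemaIDGUID] = $_.lDAPDisplayName }
Get-ADObject -SearchBase "CN=Extended-Rights,$($root.configurationNamingContext)" `
        -LDAPFilter '(rightsGuid=*)' -Properties displayName, rightsGuid |
    ForEach-Object { $guidMap[[guid]$_.rightsGuid] = $_.displayName }

# Trustees that normally hold rights on an OU; anything else is treated as a
# delegation. English names are an assumption; adjust for a localized domain.
$defaultTrustees = '^(NT AUTHORITY|BUILTIN)\\|\\(Domain Admins|Enterprise Admins)$'

$report = foreach ($ou in Get-ADOrganizationalUnit -Filter *) {
    (Get-Acl -Path "AD:\$($ou.DistinguishedName)").Access |
        Where-Object {
            -not $_.IsInherited -and
            $_.AccessControlType -eq 'Allow' -and
            $_.IdentityReference.Value -notmatch $defaultTrustees
        } |
        ForEach-Object {
            [pscustomobject]@{
                OU        = $ou.DistinguishedName
                Trustee   = $_.IdentityReference.Value
                Rights    = $_.ActiveDirectoryRights
                Object    = $guidMap[$_.ObjectType]           # attribute, class or extended right
                AppliesTo = $guidMap[$_.InheritedObjectType]  # object class the ACE targets
                Scope     = $_.InheritanceType
            }
        }
}

# Hypothetical file name; keep the CSV with your change records and diff it
# against the previous run to spot delegations nobody documented.
$report | Sort-Object OU, Trustee |
    Export-Csv -Path .\ou-delegations.csv -NoTypeInformation
```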



Microsoft Windows 2000 Server Administrator's Companion, Vol. 1
ISBN: 1572318198
Year: 2000
Pages: 366
