Understanding Delegation

Every Active Directory action discussed so far requires that the user be a member of the Domain Admins or Enterprise Admins group, or else be delegated the authority to make that particular change, such as adding OUs or sites. So, what is delegation? It is the assignment of administrative responsibility for Active Directory objects to a user or group (it can also be assigned to a computer account). Under the covers, delegation is nothing more than permissions: access control entries written into the discretionary access control list (DACL) of the OU, site, or other object. Rights are normally granted to a group rather than to individual users so that membership can be managed separately, and permissions on Group Policy objects themselves can be delegated in the same way. The Delegation of Control Wizard is the simplest way to write these permissions onto Active Directory objects such as OUs or sites.

To delegate the control of an organizational unit or site, follow these steps:

1. To start the Delegation of Control Wizard for an Active Directory OU or site, right-click the object and select Delegate Control. The Delegation of Control Wizard opens. Click Next to bypass the initial wizard screen.

2. On the next wizard screen, you are asked to select users or groups that will be delegated control for the object. Click the Add button. The Select Users, Computers, or Groups dialog box opens (see Figure 9.14).

Figure 9.14. Select the users that will be delegated control of the object.

3. Specify the account or group names in the Enter the Object Names to Select box (you can type the first few letters of a name and then click Check Names to resolve it or to see a list of objects that begin with those characters).

4. After specifying the users or groups for delegation, click OK. Then click Next. The next wizard screen asks you to specify the tasks to be delegated (see Figure 9.15).

Figure 9.15. Group Policy links or custom tasks can be delegated.

5. You can delegate common tasks, such as the capability to manage Group Policy links, or you can create custom tasks to delegate. Custom tasks let you choose which object types in the container are covered and exactly which permissions on them are granted. Select Manage Group Policy links or Create a custom task to delegate. Then click Next. If you selected Manage Group Policy links, the wizard takes you to the final screen, where you can click Finish.

6. If you choose to create a custom task to delegate, the next screen lets you delegate control of all the objects in the current container (such as an OU or site) or only selected object types from a list (such as user account objects or computer objects). After making your selection, click Next.

7. A permissions list is provided on the next screen, which enables you to specify the permissions that you want to delegate for the object. Select the permissions using the appropriate check boxes, and then click Next.

8. The wizard provides a summary screen; click Finish.
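The same delegation performed from PowerShell, as an added example that is not part of the original text: it writes the permissions that correspond to the wizard's Manage Group Policy links task (Read and Write of the gPLink and gPOptions properties) onto an OU, then reads the OU's ACL back so you can see what the wizard never shows you: the explicit entries that have accumulated on the container. The OU distinguished name OU=Regional,DC=corp,DC=example,DC=com and the group Regional GPO Admins are hypothetical; the inheritance setting is this example's choice, not something the text states, and the script needs the ActiveDirectory module and an account permitted to modify the OU's DACL.

```powershell
# Added example (not from the original text): delegate "Manage Group Policy links"
# on an OU without the wizard, then audit the explicit ACEs on that OU.
# Hypothetical names: the OU below and the group "Regional GPO Admins" are assumed to exist.
Import-Module ActiveDirectory

$OuDN      = 'OU=Regional,DC=corp,DC=example,DC=com'   # hypothetical target OU
$GroupName = 'Regional GPO Admins'                     # hypothetical delegate group

# Resolve an attribute's schemaIDGUID from the schema partition instead of hard-coding it.
function Get-SchemaAttributeGuid {
    param([Parameter(Mandatory)][string]$LdapDisplayName)
    $schemaNC = (Get-ADRootDSE).schemaNamingContext
    $attr = Get-ADObject -SearchBase $schemaNC `
        -LDAPFilter "(lDAPDisplayName=$LdapDisplayName)" -Properties schemaIDGUID
    if (-not $attr) { throw "Attribute $LdapDisplayName not found in the schema" }
    return [guid]$attr.schemaIDGUID
}

# Grant Read/Write of gPLink and gPOptions: that is what lets the delegate link and
# unlink GPOs on the container and change link options (enforced, disabled).
function Grant-GpoLinkDelegation {
    param(
        [Parameter(Mandatory)][string]$TargetDN,
        [Parameter(Mandatory)][string]$Group
    )
    $sid = [System.Security.Principal.SecurityIdentifier](Get-ADGroup $Group).SID
    $acl = Get-Acl -Path "AD:\$TargetDN"
    $rights = [System.DirectoryServices.ActiveDirectoryRights]::ReadProperty -bor `
              [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty
    # Inheritance "All" extends the grant to child OUs (this example's choice);
    # use "None" to confine it to this container only.
    $inherit = [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All
    foreach ($attrName in 'gPLink', 'gPOptions') {
        $ace = [System.DirectoryServices.ActiveDirectoryAccessRule]::new(
            $sid, $rights,
            [System.Security.AccessControl.AccessControlType]::Allow,
            (Get-SchemaAttributeGuid $attrName),
            $inherit)
        $acl.AddAccessRule($ace)
    }
    Set-Acl -Path "AD:\$TargetDN" -AclObject $acl
}

# The check the wizard does not give you: every explicit (non-inherited) ACE on the
# container, which is exactly the set that delegations add to over time.
function Get-ExplicitDelegations {
    param([Parameter(Mandatory)][string]$TargetDN)
    (Get-Acl -Path "AD:\$TargetDN").Access |
        Where-Object { -not $_.IsInherited } |
        Select-Object IdentityReference, ActiveDirectoryRights, AccessControlType,
                      ObjectType, InheritanceType
}

# Flag grants that let the holder take over the container or everything beneath it
# (Full Control, generic write, or the right to rewrite the DACL or owner), skipping
# the built-in administrative principals that are expected to hold them.
function Find-BroadDelegations {
    param([Parameter(Mandatory)][string]$TargetDN)
    $broad = [System.DirectoryServices.ActiveDirectoryRights]::GenericAll   -bor `
             [System.DirectoryServices.ActiveDirectoryRights]::GenericWrite -bor `
             [System.DirectoryServices.ActiveDirectoryRights]::WriteDacl    -bor `
             [System.DirectoryServices.ActiveDirectoryRights]::WriteOwner
    Get-ExplicitDelegations $TargetDN | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        ($_.ActiveDirectoryRights -band $broad) -ne 0 -and
        $_.IdentityReference -notmatch '^(NT AUTHORITY\\SYSTEM|BUILTIN\\Administrators|.*\\Domain Admins|.*\\Enterprise Admins)$'
    }
}

Grant-GpoLinkDelegation -TargetDN $OuDN -Group $GroupName
Get-ExplicitDelegations $OuDN | Format-Table -AutoSize
Find-BroadDelegations   $OuDN | Format-Table -AutoSize
```

Run Get-ExplicitDelegations against an OU that has been through the wizard a few times and compare the output with what you intended to grant; the wizard only ever adds entries, so anything unexpected has to be removed by hand from the object's Security tab (Advanced) or with a scripted removal, because there is no undo.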

The task or tasks related to the object are now delegated to the user, users, or group you listed when the delegation was created. Delegation is useful where you have regional domains and sites and want to allow some local control of Group Policy links or other tasks related to an Active Directory object such as a site. Two caveats apply. First, the wizard only adds permissions and never removes them, so repeated delegations accumulate on an object; removing one means editing the object's ACL directly (the Security tab under Advanced, or a command-line tool). Second, broad rights such as Full Control or Modify Permissions granted on an OU apply to every user and computer object beneath it, so review the explicit permissions on delegated containers periodically rather than trusting what the wizard summary screen showed at the time.

