This delegation model consists of two kinds of groups, Delegation Groups and Role Groups, which are explained in the following sections.
Delegation groups are named after the permission they grant. That permission is typically, but not necessarily, an AD permission to perform a specific task.
Characteristics
Some examples of a built-in Delegation Group
Some examples of a custom Delegation Group
Role groups are created for a specific role that a group of people fulfils.
Role groups receive their permissions through delegation groups: the role group is added as a member of each delegation group that grants a permission the role requires.
It is worth noting that this delegation is not limited to AD permissions.
If the Help Desk supports a SharePoint environment, a delegation group carrying the required SharePoint rights can be created and the Help Desk role group added to it. When a new Help Desk employee starts, all that is needed is to add the user account to the Help Desk role group.
Characteristics
Some examples of a Role Group
Benefits
Real world example
Typically, help desks are given delegated permission to reset passwords. Instead of delegating permissions to individual accounts or directly to the help desk group, do the following:
By using this delegation process, every delegation made to a role group is visible on its Member Of tab. In the example below, it is easy to see that the Help Desk role group, RG-HelpDesk, has the join domain, modify group and reset password rights.
It also enables the reuse of delegation groups. In the example below, the delegation group used for the Help Desk, DG-JoinDomain, is also used to assign join domain rights to the Workstation Technician role group.
The reverse is also true: it is quick to see which groups hold a particular permission. In the example below, the members of the DG-JoinDomain delegation group show which role groups, RG-HelpDesk and RG-WorkstationTechnician in this case, have permission to join computers to the domain.
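The Help Desk example above, written out as an added PowerShell example (mine, not code from the original article): it creates the DG-/RG- groups, nests the role groups, grants the template2/template5/template6 rights to the delegation groups with dsacls, and implements the two audit views the text describes plus a check for ACEs that bypass the model. The domain corp.example / CORP and the two OU names are assumed placeholders.

```powershell
# Added example: the Role Group / Delegation Group model from this article.
# corp.example / CORP and the OU names below are placeholders, not real values.
Import-Module ActiveDirectory

$NetBios  = 'CORP'
$DomainDN = 'DC=corp,DC=example'
$GroupOU  = "OU=Admin Groups,$DomainDN"   # where the DG-/RG- groups live
$StaffOU  = "OU=Staff,$DomainDN"          # scope the user/group rights apply to

# 1. Delegation groups: one per permission, named after what they grant.
$DelegationGroups = [ordered]@{
    'DG-ResetPassword' = 'Reset user passwords and force password change at next logon'
    'DG-ModifyGroup'   = 'Modify the membership of a group'
    'DG-JoinDomain'    = 'Join a computer to the domain'
}
foreach ($dg in $DelegationGroups.Keys) {
    if (-not (Get-ADGroup -Filter "Name -eq '$dg'")) {
        New-ADGroup -Name $dg -GroupScope DomainLocal -GroupCategory Security `
                    -Path $GroupOU -Description $DelegationGroups[$dg]
    }
}

# 2. Role groups: one per job function. Delegating to a role is nothing more
#    than nesting it in the delegation groups for the rights it needs.
$RoleGroups = [ordered]@{
    'RG-HelpDesk'              = @('DG-ResetPassword', 'DG-ModifyGroup', 'DG-JoinDomain')
    'RG-WorkstationTechnician' = @('DG-JoinDomain')
}
foreach ($rg in $RoleGroups.Keys) {
    if (-not (Get-ADGroup -Filter "Name -eq '$rg'")) {
        New-ADGroup -Name $rg -GroupScope Global -GroupCategory Security -Path $GroupOU
    }
    foreach ($dg in $RoleGroups[$rg]) { Add-ADGroupMember -Identity $dg -Members $rg }
}

# 3. The ACEs themselves are granted once, to the delegation group, never to a
#    person. These mirror template2, template5 and template6 of the Delegwiz.inf
#    in this article (CA = control access right, RP/WP = read/write property,
#    CC = create child; /I:S = inherit to child objects, /I:T = this object too).
dsacls $StaffOU  /I:S /G "$NetBios\DG-ResetPassword:CA;Reset Password;user"
dsacls $StaffOU  /I:S /G "$NetBios\DG-ResetPassword:RPWP;pwdLastSet;user"
dsacls $StaffOU  /I:S /G "$NetBios\DG-ModifyGroup:RPWP;member;group"
dsacls $DomainDN /I:T /G "$NetBios\DG-JoinDomain:CC;computer"

# 4. Audit view 1: what a role can do is simply its Member Of list of DG- groups.
function Get-RoleRights ([string]$RoleGroup) {
    Get-ADPrincipalGroupMembership -Identity $RoleGroup |
        Where-Object Name -like 'DG-*' | Select-Object -ExpandProperty Name
}
#    Audit view 2: who holds a permission is simply the delegation group's members.
function Get-RightHolders ([string]$DelegationGroup) {
    Get-ADGroupMember -Identity $DelegationGroup |
        Where-Object Name -like 'RG-*' | Select-Object -ExpandProperty Name
}

# 5. Drift check: explicit (non-inherited) ACEs on the OU held by anything other
#    than a DG- group were set outside the model. Built-in principals from the
#    OU's default security descriptor also show up here; compare against a clean OU
#    and look for individual accounts or the help desk group itself.
function Find-DirectDelegation ([string]$DistinguishedName) {
    (Get-Acl -Path "AD:\$DistinguishedName").Access |
        Where-Object { -not $_.IsInherited -and $_.IdentityReference -notlike "$NetBios\DG-*" } |
        Select-Object IdentityReference, ActiveDirectoryRights, ObjectType -Unique
}

Get-RoleRights 'RG-HelpDesk'
Get-RightHolders 'DG-JoinDomain'
Find-DirectDelegation $StaffOU
```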
Some extensions to Delegwiz.inf
[Version]
signature="$CHICAGO$"
[DelegationTemplates]
Templates = template1, template2, template3, template4, template5, template6, template7, template8, template9, template10, template11, template12, template13, template14, template15, template16, template17, template18, template19, template20, template21, template22, template23, template24, template25, template26, template27, template28, template29, template30, template31, template32, template33, template34, template35, template36, template37, template38, template39, template40, template41, template42, template43, template44, template45, template46, template47, template48, template49, template50, template51, template52, template53, template54, template55, template56, template57, template58, template59, template60, template61, template62, template63, template64, template65, template66, template67, template68, template69, template70
;---------------------------------------------------------
[template1]
AppliesToClasses=domainDNS,organizationalUnit,container
Description = "Create, delete, and manage user accounts"
ObjectTypes = SCOPE, user
[template1.SCOPE]
user=CC,DC
[template1.user]
@=GA
;---------------------------------------------------------
;---------------------------------------------------------
[template2]
AppliesToClasses=domainDNS,organizationalUnit,container
Description = "Reset user passwords and force password change at next logon"
ObjectTypes = user
[template2.user]
CONTROLRIGHT= "Reset Password"
pwdLastSet=RP,WP
;----------------------------------------------------------
;----------------------------------------------------------
[template3]
AppliesToClasses=domainDNS,organizationalUnit,container
Description = "Read all user information"
ObjectTypes = user
[template3.user]
@=RP
;----------------------------------------------------------
[template4]
AppliesToClasses = organizationalUnit,container
Description = "Create, delete and manage groups"
ObjectTypes = SCOPE, group
[template4.SCOPE]
group=CC,DC
[template4.group]
@=GA
;----------------------------------------------------------
;----------------------------------------------------------
[template5]
AppliesToClasses=domainDNS,organizationalUnit,container
Description = "Modify the membership of a group"
ObjectTypes = group
[template5.group]
member=RP,WP
;----------------------------------------------------------
;----------------------------------------------------------
[template6]
AppliesToClasses = domainDNS
Description = "Join a computer to the domain"
ObjectTypes = SCOPE
[template6.SCOPE]
computer=CC
;----------------------------------------------------------
;----------------------------------------------------------
[template7]
AppliesToClasses = domainDNS,organizationalUnit,site
Description = "Manage Group Policy links"
ObjectTypes = SCOPE
[template7.SCOPE]
gPLink=RP,WP
gPOptions=RP,WP
;----------------------------------------------------------
;---------------------------------------------------------
[template8]
AppliesToClasses=domainDNS,organizationalUnit
Description = "Generate Resultant Set of Policy (Planning)"
ObjectTypes = SCOPE
[template8.SCOPE]
CONTROLRIGHT= "Generate Resultant Set of Policy (Planning)"
;----------------------------------------------------------
;---------------------------------------------------------
[template9]
AppliesToClasses=domainDNS,organizationalUnit
Description = "Generate Resultant Set of Policy (Logging)"
ObjectTypes = SCOPE
[template9.SCOPE]
CONTROLRIGHT= "Generate Resultant Set of Policy (Logging)"
;----------------------------------------------------------
;---------------------------------------------------------
[template10]
AppliesToClasses=domainDNS,organizationalUnit,container
Description = "Create, delete, and manage inetOrgPerson accounts"
ObjectTypes = SCOPE, inetOrgPerson
[template10.SCOPE]
inetOrgPerson=CC,DC
[template10.inetOrgPerson]
@=GA
;---------------------------------------------------------
;---------------------------------------------------------
[template11]
AppliesToClasses=domainDNS,organizationalUnit,container
Description = "Reset inetOrgPerson passwords and force password change at next logon"
ObjectTypes = inetOrgPerson
[template11.inetOrgPerson]
CONTROLRIGHT= "Reset Password"
pwdLastSet=RP,WP
;----------------------------------------------------------
;----------------------------------------------------------
[template12]
AppliesToClasses=domainDNS,organizationalUnit,container
Description = "Read all inetOrgPerson information"
ObjectTypes = inetOrgPerson
[template12.inetOrgPerson]
@=RP
;----------------------------------------------------------
;---------------------------------------------------------
[template13]
AppliesToClasses=container
Description = "Create, Delete, and Manage WMI Filters"
ObjectTypes = SCOPE, msWMI-Som
[template13.SCOPE]
msWMI-Som=CC,DC
[template13.msWMI-Som]
@=GA
;----------------------------------------------------------
;---------------------------------------------------------
[template14]
AppliesToClasses=domainDNS,organizationalUnit
Description = "Create an Organizational Unit"
ObjectTypes = SCOPE
[template14.SCOPE]
organizationalUnit=CC
;----------------------------------------------------------
;---------------------------------------------------------
[template15]
AppliesToClasses=domainDNS,organizationalUnit
Description = "Delete a child Organizational Unit"
ObjectTypes = SCOPE
[template15.SCOPE]
organizationalUnit=DC
;----------------------------------------------------------
;---------------------------------------------------------
[template16]
AppliesToClasses=organizationalUnit
Description = "Delete this Organizational Unit"
ObjectTypes = organizationalUnit
[template16.organizationalUnit]
@=SD
;----------------------------------------------------------
;---------------------------------------------------------
[template17]
AppliesToClasses=domainDNS,organizationalUnit,container
Description = "Rename an Organizational Unit"
ObjectTypes = organizationalUnit
[template17.organizationalUnit]
ou=WP
name=WP
;----------------------------------------------------------
;---------------------------------------------------------
[template18]
AppliesToClasses=domainDNS,organizationalUnit,container
Description = "Modify Description of an Organizational Unit"
ObjectTypes = organizationalUnit
[template18.organizationalUnit]
description=WP
;----------------------------------------------------------
;---------------------------------------------------------
[template19]
AppliesToClasses=domainDNS,organizationalUnit,container
Description = "Modify Managed-By Information of an Organizational Unit"
ObjectTypes = organizationalUnit
[template19.organizationalUnit]
managedBy=WP
;----------------------------------------------------------
;---------------------------------------------------------
[template20]
AppliesToClasses=domainDNS,organizationalUnit,container
Description = "Delegate Control of an Organizational Unit"
ObjectTypes = organizationalUnit
[template20.organizationalUnit]
@=WD
;----------------------------------------------------------
;---------------------------------------------------------
[template21]
AppliesToClasses=domainDNS,organizationalUnit,container
Description = "Create a group"
ObjectTypes = SCOPE
[template21.SCOPE]
group=CC
;----------------------------------------------------------
;---------------------------------------------------------
[template22]
AppliesToClasses=domainDNS,organizationalUnit,container
Description = "Delete a child group"
ObjectTypes = SCOPE
[template22.SCOPE]
group=DC
;----------------------------------------------------------
;---------------------------------------------------------
[template23]
AppliesToClasses=domainDNS,organizationalUnit,container
Description = "Delete this group"
ObjectTypes = group
[template23.group]
@=SD
;----------------------------------------------------------
;---------------------------------------------------------
[template24]
AppliesToClasses=domainDNS,organizationalUnit,container
Description = "Rename a group"
ObjectTypes = group
[template24.group]
cn=WP
name=WP
;----------------------------------------------------------
;---------------------------------------------------------
[template25]
AppliesToClasses=domainDNS,organizationalUnit,container
Description = "Specify the Pre-Windows 2000 compatible name for the group"
ObjectTypes = group
[template25.group]
sAMAccountName=WP
;----------------------------------------------------------
;---------------------------------------------------------
[template26]
AppliesToClasses=domainDNS,organizationalUnit,container
Description = "Modify the description of a group"
ObjectTypes = group
[template26.group]
description=WP
;----------------------------------------------------------
;---------------------------------------------------------
[template27]
AppliesToClasses=domainDNS,organizationalUnit,container
Description = "Modify the scope of the group"
ObjectTypes = group
[template27.group]
groupType=WP
;----------------------------------------------------------
;---------------------------------------------------------
[template28]
AppliesToClasses=domainDNS,organizationalUnit,container
Description = "Modify the type of the group"
ObjectTypes = group
[template28.group]
groupType=WP
;----------------------------------------------------------
;---------------------------------------------------------
[template29]
AppliesToClasses=domainDNS,organizationalUnit,container
Description = "Modify notes for a group"
ObjectTypes = group
[template29.group]
info=WP
;----------------------------------------------------------
;---------------------------------------------------------
[template30]
AppliesToClasses=domainDNS,organizationalUnit,container
Description = "Modify group membership"
ObjectTypes = group
[template30.group]
member=WP
;----------------------------------------------------------
;---------------------------------------------------------
[template31]
AppliesToClasses=domainDNS,organizationalUnit,container
Description = "Specify Managed-By Information of a Group"
ObjectTypes = group
[template31.group]
managedBy=WP
;----------------------------------------------------------
;---------------------------------------------------------
[template32]
AppliesToClasses=domainDNS,organizationalUnit,container
Description = "Create a computer account"
ObjectTypes = SCOPE
[template32.SCOPE]
computer=CC
;----------------------------------------------------------
;---------------------------------------------------------
[template33]
AppliesToClasses=domainDNS,organizationalUnit,container
Description = "Delete a child computer account"
ObjectTypes = SCOPE
[template33.SCOPE]
computer=DC
;----------------------------------------------------------
;---------------------------------------------------------
[template34]
AppliesToClasses=domainDNS,organizationalUnit,container
Description = "Delete this computer account"
ObjectTypes = computer
[template34.computer]
@=SD
;----------------------------------------------------------
;---------------------------------------------------------
[template35]
AppliesToClasses=domainDNS,organizationalUnit,container
Description = "Rename a computer account"
ObjectTypes = computer
[template35.computer]
@=WP
;----------------------------------------------------------
;---------------------------------------------------------
[template36]
AppliesToClasses=domainDNS,organizationalUnit,container
Description = "Disable a computer account"
ObjectTypes = computer
[template36.computer]
; Note: WP on userAccountControl grants write access to every flag held in that
; attribute (disabled, trusted for delegation, password never expires, ...), so
; each template below that uses it delegates the same right, whatever its description.
userAccountControl=WP
;----------------------------------------------------------
;---------------------------------------------------------
[template37]
AppliesToClasses=domainDNS,organizationalUnit,container
Description = "Reset a computer account"
ObjectTypes = computer
[template37.computer]
CONTROLRIGHT= "Reset Password"
;----------------------------------------------------------
;---------------------------------------------------------
[template38]
AppliesToClasses=domainDNS,organizationalUnit,container
Description = "Specify the computer's description"
ObjectTypes = computer
[template38.computer]
description=WP
;----------------------------------------------------------
;---------------------------------------------------------
[template39]
AppliesToClasses=domainDNS,organizationalUnit,container
Description = "Specify Managed-By information for a computer account"
ObjectTypes = computer
[template39.computer]
managedBy=WP
;----------------------------------------------------------
;---------------------------------------------------------
[template40]
AppliesToClasses=domainDNS,organizationalUnit,container
Description = "Specify that a computer account be trusted for delegation"
ObjectTypes = computer
[template40.computer]
; Setting the trusted-for-delegation bit additionally requires the "Enable computer
; and user accounts to be trusted for delegation" user right (SeEnableDelegationPrivilege)
; on the domain controller; this ACE alone is not sufficient.
userAccountControl=WP
;----------------------------------------------------------
;---------------------------------------------------------
[template41]
AppliesToClasses=domainDNS,organizationalUnit,container
Description = "Create a user account in disabled state"
ObjectTypes = SCOPE
[template41.SCOPE]
user=CC
;----------------------------------------------------------
;---------------------------------------------------------
[template42]
AppliesToClasses=domainDNS,organizationalUnit,container
Description = "Create a user account"
ObjectTypes = SCOPE , user
[template42.SCOPE]
user=CC
[template42.user]
userAccountControl=WP
CONTROLRIGHT= "Reset Password"
;----------------------------------------------------------
;---------------------------------------------------------
[template43]
AppliesToClasses=domainDNS,organizationalUnit,container
Description = "Delete a child user account"
ObjectTypes = SCOPE
[template43.SCOPE]
user=DC
;----------------------------------------------------------
;---------------------------------------------------------
[template44]
AppliesToClasses=domainDNS,organizationalUnit,container
Description = "Delete this user account"
ObjectTypes = user
[template44.user]
@=SD
;----------------------------------------------------------
;---------------------------------------------------------
[template45]
AppliesToClasses=domainDNS,organizationalUnit,container
Description = "Rename a user account"
ObjectTypes = user
[template45.user]
cn=WP
name=WP
distinguishedName=WP
;----------------------------------------------------------
;---------------------------------------------------------
[template46]
AppliesToClasses=domainDNS,organizationalUnit,container
Description = "Disable a user account"
ObjectTypes = user
[template46.user]
userAccountControl=WP
;----------------------------------------------------------
;---------------------------------------------------------
[template47]
AppliesToClasses=domainDNS,organizationalUnit,container
Description = "Unlock a user account"
ObjectTypes = user
[template47.user]
lockoutTime=WP
;----------------------------------------------------------
;---------------------------------------------------------
[template48]
AppliesToClasses=domainDNS,organizationalUnit,container
Description = "Enable a disabled user account"
ObjectTypes = user
[template48.user]
userAccountControl=WP
;----------------------------------------------------------
;---------------------------------------------------------
[template49]
AppliesToClasses=domainDNS,organizationalUnit,container
Description = "Reset a user account's password"
ObjectTypes = user
[template49.user]
; "Reset Password" is the control access right that sets a password without knowing
; the old one. "Change Password" only permits a change by someone who already knows
; it, so it does not implement a reset.
CONTROLRIGHT= "Reset Password"
;----------------------------------------------------------
;---------------------------------------------------------
[template50]
AppliesToClasses=domainDNS,organizationalUnit,container
Description = "Force a user account to change the password at the next logon"
ObjectTypes = user
[template50.user]
; Forcing a change at next logon is done by writing pwdLastSet=0, which needs write
; access to that attribute (as in template2); no password control right is required.
pwdLastSet=RP,WP
;----------------------------------------------------------
;---------------------------------------------------------
[template51]
AppliesToClasses=domainDNS,organizationalUnit,container
Description = "Modify a user's display name"
ObjectTypes = user
[template51.user]
; The name shown for a user in ADUC is displayName; adminDisplayName is a different
; attribute and does not change what users see.
displayName=WP
;----------------------------------------------------------
;---------------------------------------------------------
[template52]
AppliesToClasses=domainDNS,organizationalUnit,container
Description = "Modify a user account's description"
ObjectTypes = user
[template52.user]
description=WP
;----------------------------------------------------------
;---------------------------------------------------------
[template53]
AppliesToClasses=domainDNS,organizationalUnit,container
Description = "Modify a user's office location"
ObjectTypes = user
[template53.user]
physicalDeliveryOfficeName=WP
;----------------------------------------------------------
;---------------------------------------------------------
[template54]
AppliesToClasses=domainDNS,organizationalUnit,container
Description = "Modify a user's telephone number"
ObjectTypes = user
[template54.user]
telephoneNumber=WP
;----------------------------------------------------------
;---------------------------------------------------------
[template55]
AppliesToClasses=domainDNS,organizationalUnit,container
Description = "Modify the location of a user's primary web page"
ObjectTypes = user
[template55.user]
wWWHomePage=WP
;----------------------------------------------------------
;---------------------------------------------------------
[template56]
AppliesToClasses=domainDNS,organizationalUnit,container
Description = "Modify a user's UPN"
ObjectTypes = user
[template56.user]
userPrincipalName=WP
;----------------------------------------------------------
;---------------------------------------------------------
[template57]
AppliesToClasses=domainDNS,organizationalUnit,container
Description = "Modify a user's Pre-Windows 2000 user logon name"
ObjectTypes = user
[template57.user]
sAMAccountName=WP
;----------------------------------------------------------
;---------------------------------------------------------
[template58]
AppliesToClasses=domainDNS,organizationalUnit,container
Description = "Modify the hours during which a user can log on"
ObjectTypes = user
[template58.user]
logonHours=WP
;----------------------------------------------------------
;---------------------------------------------------------
[template59]
AppliesToClasses=domainDNS,organizationalUnit,container
Description = "Specify the computers from which a user can log on"
ObjectTypes = user
[template59.user]
userWorkstations=WP
;----------------------------------------------------------
;---------------------------------------------------------
;[template60]
;AppliesToClasses=domainDNS,organizationalUnit,container
;Description = "Set User cannot change password for a user account"
;ObjectTypes = user
;[template60.user]
;CONTROLRIGHT= "Change Password"
;----------------------------------------------------------
;---------------------------------------------------------
[template61]
AppliesToClasses=domainDNS,organizationalUnit,container
Description = "Set Password Never Expires for a user account"
ObjectTypes = user
[template61.user]
userAccountControl=WP
;----------------------------------------------------------
;---------------------------------------------------------
[template62]
AppliesToClasses=domainDNS,organizationalUnit,container
Description = "Set Store Password Using Reversible Encryption for a user account"
ObjectTypes = user
[template62.user]
; Reversible encryption keeps the password recoverable in clear text; delegate this narrowly.
userAccountControl=WP
;----------------------------------------------------------
;---------------------------------------------------------
[template63]
AppliesToClasses=domainDNS,organizationalUnit,container
Description = "Disable a user account"
ObjectTypes = user
[template63.user]
userAccountControl=WP
;----------------------------------------------------------
;---------------------------------------------------------
[template64]
AppliesToClasses=domainDNS,organizationalUnit,container
Description = "Set Smart card is required for interactive logon for a user account"
ObjectTypes = user
[template64.user]
userAccountControl=WP
;----------------------------------------------------------
;---------------------------------------------------------
[template65]
AppliesToClasses=domainDNS,organizationalUnit,container
Description = "Set Account is sensitive and cannot be delegated for a user account"
ObjectTypes = user
[template65.user]
userAccountControl=WP
;----------------------------------------------------------
;---------------------------------------------------------
[template66]
AppliesToClasses=domainDNS,organizationalUnit,container
Description = "Set Use DES encryption types for this account for a user account"
ObjectTypes = user
[template66.user]
userAccountControl=WP
;----------------------------------------------------------
;---------------------------------------------------------
[template67]
AppliesToClasses=domainDNS,organizationalUnit,container
Description = "Set Do not require Kerberos pre-authentication for a user account"
ObjectTypes = user
[template67.user]
; Disabling Kerberos pre-authentication removes a protection from the account; delegate this narrowly.
userAccountControl=WP
;----------------------------------------------------------
;---------------------------------------------------------
[template68]
AppliesToClasses=domainDNS,organizationalUnit,container
Description = "Specify the date when a user account expires"
ObjectTypes = user
[template68.user]
accountExpires=WP
;----------------------------------------------------------
;---------------------------------------------------------
[template69]
AppliesToClasses=domainDNS,organizationalUnit,container
Description = "Specify a profile path for a user"
ObjectTypes = user
[template69.user]
profilePath=WP
;----------------------------------------------------------
;---------------------------------------------------------
[template70]
AppliesToClasses=domainDNS,organizationalUnit,container
Description = "Specify a logon script for a user"
ObjectTypes = user
[template70.user]
scriptPath=WP
;----------------------------------------------------------
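An added review script (mine, not part of the article or of the Delegation of Control wizard) that parses this Delegwiz.inf format and flags templates whose rights reach further than a single task. The $Inf excerpt is constructed from three of the templates above; point Get-Content at a real Delegwiz.inf to review the whole file.

```powershell
# Added example: review a Delegwiz.inf before deploying it to admin workstations.
# Parses [templateN] and [templateN.<class>] sections and flags templates whose
# rights are broader than their Description suggests. $Inf is a constructed
# excerpt; replace it with (Get-Content "$env:windir\System32\Delegwiz.inf").
$Inf = @'
[template1]
AppliesToClasses=domainDNS,organizationalUnit,container
Description = "Create, delete, and manage user accounts"
ObjectTypes = SCOPE, user
[template1.SCOPE]
user=CC,DC
[template1.user]
@=GA
;---------------------------------------------------------
[template2]
AppliesToClasses=domainDNS,organizationalUnit,container
Description = "Reset user passwords and force password change at next logon"
ObjectTypes = user
[template2.user]
CONTROLRIGHT= "Reset Password"
pwdLastSet=RP,WP
[template3]
AppliesToClasses=domainDNS,organizationalUnit,container
Description = "Modify a user's telephone number"
ObjectTypes = user
[template3.user]
telephoneNumber=WP
'@

function ConvertFrom-DelegWiz ([string[]]$Lines) {
    $sections = [ordered]@{}; $current = $null
    foreach ($raw in $Lines) {
        $line = $raw.Trim()
        if ($line -eq '' -or $line.StartsWith(';')) { continue }       # blank or comment
        if ($line -match '^\[(?<name>[^\]]+)\]$') {                      # [section]
            $current = $Matches.name; $sections[$current] = [ordered]@{}; continue
        }
        if ($current -and $line -match '^(?<key>[^=]+?)\s*=\s*(?<val>.*)$') {
            $sections[$current][$Matches.key] = $Matches.val.Trim().Trim('"')
        }
    }
    # One object per template: description plus, per class (SCOPE, user, ...),
    # the attribute/right -> permission map from its [templateN.<class>] section.
    foreach ($name in @($sections.Keys) -match '^template\d+$') {
        $rights = [ordered]@{}
        foreach ($sub in @($sections.Keys) -like "$name.*") {
            $rights[$sub.Substring($name.Length + 1)] = $sections[$sub]
        }
        [pscustomobject]@{ Template = $name; Description = $sections[$name]['Description']; Rights = $rights }
    }
}

function Test-DelegWizTemplate ($Template) {
    $findings = foreach ($class in $Template.Rights.Keys) {
        foreach ($e in $Template.Rights[$class].GetEnumerator()) {
            switch -regex ($e.Key) {
                '^@$' {                                                   # '@' = all attributes
                    if ($e.Value -match 'GA|WD|WO') { "$class : full control or owner/DACL write (@=$($e.Value))" }
                    elseif ($e.Value -match 'WP')   { "$class : write to every attribute (@=WP)" }
                }
                '^userAccountControl$' { "$class : userAccountControl write covers all UAC flags, not only the described one" }
                '^CONTROLRIGHT$' {
                    if ($e.Value -eq 'Reset Password') { "$class : Reset Password control right; review which role groups receive it" }
                }
            }
        }
    }
    [pscustomobject]@{ Template = $Template.Template; Description = $Template.Description; Findings = @($findings) }
}

ConvertFrom-DelegWiz ($Inf -split "`r?`n") | ForEach-Object { Test-DelegWizTemplate $_ } |
    Where-Object { $_.Findings.Count -gt 0 } | Format-List
```

With the excerpt above, template1 and template2 are reported and template3 (a single-attribute write) is not.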
Please do not forget to press the "Thumb's Up" button if this article was helpful and valuable for EE members.
It also provides me with positive feedback. Thank you!
Comments (7)
Author
Commented:
o Join PC to the domain
o Create a user account
Custom task
o Reset user password (without having the rights to delete or manage user accounts).
Create a role group for your help desk and add it to the above delegation groups
Add helpdesk administrative accounts to the role group
Commented:
Another domain administrator told me he already delegated these rights, but he might have simply delegated them to the wrong group or Organizational Unit (OU).
How can I search all of Active Directory to see if any of these rights have already been applied somewhere?
Author
Commented:
You need to put your workstations and servers in different OUs. You then delegate from the OU level