Active Directory Permissions

Posted on 2004-11-09
Medium Priority
Last Modified: 2010-03-18
Is there a way, using AD, to grant a user the ability to create users in certain organizational units that we have set up, without setting that user up as a domain admin? The domain is running on Windows 2003 Server.

Question by:serjosh
LVL 57

Accepted Solution

Pete Long earned 2000 total points
ID: 12537622
As a network administrator, you can't possibly keep up with all your enterprise's IT tasks; you need to delegate administrative control to other members of your IT staff. Although you can simply turn loose a slew of administrators with instructions to deal with certain tasks, a better alternative is to use Windows 2000's Delegation of Control Wizard. This tool lets you precisely configure three important delegation aspects: the people to whom you want to give administrative powers, the objects over which you want them to have power, and the permissions these people need to perform their administrative tasks.

Who, What, and How?
Win2K lets you delegate administrative control of any Active Directory (AD) object, but the most common practice is to delegate control of an organizational unit (OU). You can give this control to a user or a group.

I've found that a practical approach is to create a group of administrators, then delegate control of an OU to that group. By following this approach, you won't need to reconfigure delegation when a user with delegated powers changes responsibilities or leaves the company. More important, using groups keeps your AD database from growing too large, which could make replication and backup more onerous than they already are. For each user to whom you assign the right to administer an object, Win2K adds an access control entry (ACE) to the object's ACL. Child objects inherit their parent object's delegation properties, so Win2K adds an ACE to the ACL of each of the parent object's child objects. At a cost of almost 100 bytes each, these ACEs can quickly eat up valuable AD database space when you delegate control to multiple individual users. When you delegate control to a group, however, Win2K adds only one ACE—for the group—to the object's ACL. Thus, you can use a group to assign control to multiple users without adding a lot of ACE data to the AD database. You can also add users to the group without adding ACEs to the object's ACL.

The Delegation of Control Wizard also lets you specify the scope of powers you give to your delegation groups. You might want to give a group the power to perform all tasks, or you might want to narrow the range of permitted tasks (e.g., give the group the power only to create New Computer objects). To give you an idea of how the wizard works, let's step through the process of delegating administrative control over an OU.

Using the Wizard
To launch the wizard, open the Microsoft Management Console (MMC) Active Directory Users and Computers snap-in. Right-click the OU for which you want to delegate administration, then choose Delegate Control from the shortcut menu.

In the wizard's welcome message, click Next to open the Users or Groups window, then click Add to see a list of users and groups to whom you can delegate control. Type or select the appropriate name or names, click OK, then click Next.

In the Tasks to Delegate window, which Figure 1, page 100, shows, you can select one, some, or all of the listed tasks. Or you can choose the Create a custom task to delegate option, which lets you delegate complete administrative powers over specific objects in the OU. You can use this option to give your chosen group more power (being able to control objects completely is more powerful than being able to perform the listed tasks).

When you select the custom task option, clicking Next opens the Active Directory Object Type window, which Figure 2, page 101, shows. This window presents options to give your selected group total administrative control over every object in the folder (i.e., OU) or over only selected objects. You want to pass a good chunk of your workload to the administrators you've placed in the group, so I suggest that you delegate control of all the objects in the OU.


The custom task option also provides the opportunity to set permissions on the objects you select for delegation. You can select Full Control to give the group sufficient power to manage the folder, or you can grant permissions on an object-by-object or permission-by-permission basis. I suggest that you select Full Control. Otherwise, you'll end up performing the tasks that you omitted from your administrators' delegated powers.

The final wizard window summarizes your configuration. Click Finish, or click Back to change the configuration.

Keep track of the OUs for which you've delegated administrative powers. You can't tell simply by looking at an object in an MMC console that you've delegated control of the object. (Note to Microsoft: An additional icon indicating that delegation is in effect would be helpful.) The only way to gather this information is to open the object's Properties dialog box, go to the Security tab, and determine whether the group or user to whom you've delegated power is in the list of names at the top of the tab.

Domain Task Delegation
What if you're uncomfortable delegating power over an entire OU, or what if your enterprise isn't large enough to warrant forming OUs for the purpose of delegating tasks? You can delegate limited powers for a specific task to a group and apply that delegation to the entire domain.

For example, user-password problems are common. Your company's Help desk personnel probably receive frequent calls from users whose passwords have expired and who don't know how to create new passwords, users who have forgotten their passwords, or users who have entered the wrong password too many times and locked themselves out of the domain. Because these types of problems are so common and seemingly unavoidable, consider delegating administration of user objects to a group consisting of Help desk personnel. This group can then solve common problems (e.g., unlocking a locked-out user) without needing to call somebody who has the appropriate administrative rights (e.g., you). Simply create a group that contains your chosen Help desk folks, then open the Active Directory Users and Computers console and right-click the domain object. Choose Delegate Control from the shortcut menu and walk through the wizard. Select your Help desk group as the group to whom you want to delegate powers, then create a custom task. Delegate control of User objects and give the group Full Control permissions.

Removing or Changing Delegation
The time might come when you want to remove or modify a group or user's delegated authority. Unfortunately, you can't use the wizard for these tasks. Fortunately, however, performing the tasks manually isn't difficult. Open the Active Directory Users and Computers console and right-click the object over which you'd previously delegated authority. Open the object's Properties dialog box and move to the Security tab. To remove a group or user's delegated powers, simply delete the appropriate group or user from the list. To modify the delegated powers, click Advanced, then select the group or user to whom you delegated authority. Click View/Edit to see the current permissions, then modify the permissions as necessary.

For more information about the Delegation of Control Wizard and delegation in general, see Darren Mar-Elia, "Ups and Downs of AD Delegation," December 2000 and Paula Sharick, "The Active Directory Delegation of Control Wizard," September 2000.
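The same delegation the answer walks through in the wizard, done as an added PowerShell example (this is not code from the answer or the article it quotes). It assumes the ActiveDirectory module (RSAT) is installed, that it runs as an account allowed to change the OU's security descriptor, and that the OU distinguished name `OU=Branch Users,DC=example,DC=com` and the group `OU-Branch-UserAdmins` are placeholders you replace with your own. It grants the group the ability to create and delete user objects in the OU, manage the properties of users beneath it, and reset their passwords, then lists the explicit ACEs so the delegation is visible (the wizard leaves no marker in the console):

```powershell
# Added example, not from the original answer: delegate user administration on
# one OU to a group with explicit ACEs, then audit what was written.
# Assumptions: ActiveDirectory module available; the OU and group below are
# placeholders for illustration.
Import-Module ActiveDirectory

$ou    = 'OU=Branch Users,DC=example,DC=com'   # assumed OU
$group = 'OU-Branch-UserAdmins'                # assumed delegation group

$sid  = (Get-ADGroup -Identity $group).SID
$root = Get-ADRootDSE

# Resolve the schema GUID of the user class and the rightsGuid of the
# "Reset Password" extended right from the directory instead of hard-coding them.
$userClassGuid = [guid](Get-ADObject -SearchBase $root.schemaNamingContext `
    -LDAPFilter '(lDAPDisplayName=user)' -Properties schemaIDGUID).schemaIDGUID
$resetPwdGuid  = [guid](Get-ADObject `
    -SearchBase "CN=Extended-Rights,$($root.configurationNamingContext)" `
    -LDAPFilter '(displayName=Reset Password)' -Properties rightsGuid).rightsGuid

$ruleType = 'System.DirectoryServices.ActiveDirectoryAccessRule'
$allow    = [System.Security.AccessControl.AccessControlType]::Allow
$rights   = [System.DirectoryServices.ActiveDirectoryRights]
$inherit  = [System.DirectoryServices.ActiveDirectorySecurityInheritance]

$rules = @(
    # 1. Create and delete child objects of class "user" in this OU and any
    #    child OUs (objectType = user class GUID restricts the right to that class).
    New-Object $ruleType -ArgumentList @(
        $sid, ($rights::CreateChild -bor $rights::DeleteChild), $allow,
        $userClassGuid, $inherit::All)

    # 2. Read and write all properties of user objects below the OU
    #    (inheritedObjectType = user class GUID: applies only to descendant users).
    New-Object $ruleType -ArgumentList @(
        $sid, ($rights::ReadProperty -bor $rights::WriteProperty), $allow,
        $inherit::Descendents, $userClassGuid)

    # 3. The "Reset Password" extended right on descendant users (the help-desk
    #    case from the article, without granting Full Control).
    New-Object $ruleType -ArgumentList @(
        $sid, $rights::ExtendedRight, $allow,
        $resetPwdGuid, $inherit::Descendents, $userClassGuid)
)

# Apply the ACEs through the AD: PSDrive the ActiveDirectory module provides.
$acl = Get-Acl -Path "AD:\$ou"
foreach ($rule in $rules) { $acl.AddAccessRule($rule) }
Set-Acl -Path "AD:\$ou" -AclObject $acl

# Audit: list the explicit (non-inherited) ACEs on an object so delegated
# control can be found without opening every Security tab by hand.
function Get-ExplicitDelegation {
    param([Parameter(Mandatory)][string]$DistinguishedName)
    (Get-Acl -Path "AD:\$DistinguishedName").Access |
        Where-Object { -not $_.IsInherited } |
        Select-Object IdentityReference, ActiveDirectoryRights, AccessControlType,
                      ObjectType, InheritanceType, InheritedObjectType
}

Get-ExplicitDelegation -DistinguishedName $ou | Format-Table -AutoSize
```

Two design choices differ from the wizard walkthrough above. First, the rights are scoped to the `user` class and to specific properties and extended rights rather than Full Control, which keeps the delegated group from changing the OU's own security descriptor or creating computer and group objects; if the group genuinely needs more, add a further rule rather than widening these. Second, `Get-ExplicitDelegation` can be run over every OU returned by `Get-ADOrganizationalUnit -Filter *` to keep the inventory of delegations that the article recommends maintaining by hand.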


Author Comment

ID: 12544712
That was where I needed to go, thanks.

LVL 57

Expert Comment

by:Pete Long
ID: 12547300
:) ThanQ
