Active Directory Permissions

Posted on 2004-11-09
Last Modified: 2010-03-18
Is there a way using AD to Grant a user the ability to create users in certain organizational units that we have setup but is not setup as a domain admin?  The domain is running on windows 2003 server.

Question by:serjosh
    LVL 57

    Accepted Solution

    As a network administrator, you can't possibly keep up with all your enterprise's IT tasks—you need to delegate administrative control to other members of your IT staff. Although you can simply turn loose a slew of administrators with instructions to deal with certain tasks, a better alternative is to use Windows 2000's Delegation of ControlWizard. This tool lets you precisely configure three important delegation aspects: the people to whom you want to give administrative powers, the objects over which you want them to have power, and the permissions these people need to perform their administrative tasks.

    Who, What, and How?
    Win2K lets you delegate administrative control of any Active Directory (AD) object, but the most common practice is to delegate control of an organizational unit (OU). You can give this control to a user or a group.

    I've found that a practical approach is to create a group of administrators, then delegate control of an OU to that group. By following this approach, you won't need to reconfigure delegation when a user with delegated powers changes responsibilities or leaves the company. More important, using groups keeps your AD database from growing too large, which could make replication and backup more onerous than they already are. For each user to whom you assign the right to administer an object, Win2K adds an access control entry (ACE) to the object's ACL. Child objects inherit their parent object's delegation properties, so Win2K adds an ACE to the ACL of each of the parent object's child objects. At a cost of almost 100 bytes each, these ACEs can quickly eat up valuable AD database space when you delegate control to multiple individual users. When you delegate control to a group, however, Win2K adds only one ACE—for the group—to the object's ACL. Thus, you can use a group to assign control to multiple users without adding a lot of ACE data to the AD database. You can also add users to the group without adding ACEs to the object's ACL.

    The Delegation of Control Wizard also lets you specify the scope of powers you give to your delegation groups. You might want to give a group the power to perform all tasks, or you might want to narrow the range of permitted tasks (e.g., give the group the power only to create New Computer objects). To give you an idea of how the wizard works, let's step through the process of delegating administrative control over an OU.

    Using the Wizard
    To launch the wizard, open the Microsoft Management Console (MMC) Active Directory Users and Computers snap-in. Right-click the OU for which you want to delegate administration, then choose Delegate Control from the shortcut menu.

    In the wizard's welcome message, click Next to open the Users or Groups window, then click Add to see a list of users and groups to whom you can delegate control. Type or select the appropriate name or names, click OK, then click Next.

    In the Tasks to Delegate window, which Figure 1, page 100, shows, you can select one, some, or all of the listed tasks. Or you can choose the Create a custom task to delegate option, which lets you delegate complete administrative powers over specific objects in the OU. You can use this option to give your chosen group more power (being able to control objects completely is more powerful than being able to perform the listed tasks).

    When you select the custom task option, clicking Next opens the Active Directory Object Type window, which Figure 2, page 101, shows. This window presents options to give your selected group total administrative control over every object in the folder (i.e., OU) or over only selected objects. You want to pass a good chunk of your workload to the administrators you've placed in the group, so I suggest that you delegate control of all the objects in the OU.

    The custom task option also provides the opportunity to set permissions on the objects you select for delegation. You can select Full Control to give the group sufficient power to manage the folder, or you can grant permissions on an object-by-object or permission-by-permission basis. I suggest that you select Full Control. Otherwise, you'll end up performing the tasks that you omitted from your administrators' delegated powers.

    The final wizard window summarizes your configuration. Click Finish, or click Back to change the configuration.

    Keep track of the OUs for which you've delegated administrative powers. You can't tell simply by looking at an object in an MMC console that you've delegated control of the object. (Note to Microsoft: An additional icon indicating that delegation is in effect would be helpful.) The only way to gather this information is to open the object's Properties dialog box, go to the Security tab, and determine whether the group or user to whom you've delegated power is in the list of names at the top of the tab.

    Domain Task Delegation
    What if you're uncomfortable delegating power over an entire OU, or what if your enterprise isn't large enough to warrant forming OUs for the purpose of delegating tasks? You can delegate limited powers for a specific task to a group and apply that delegation to the entire domain.

    For example, user-password problems are common. Your company's Help desk personnel probably receive frequent calls from users whose passwords have expired and who don't know how to create new passwords, users who have forgotten their passwords, or users who have entered the wrong password too many times and locked themselves out of the domain. Because these types of problems are so common and seemingly unavoidable, consider delegating administration of user objects to a group consisting of Help desk personnel. This group can then solve common problems (e.g., unlocking a locked-out user) without needing to call somebody who has the appropriate administrative rights (e.g., you). Simply create a group that contains your chosen Help desk folks, then open the Active Directory Users and Computers console and right-click the domain object. Choose Delegate Control from the shortcut menu and walk through the wizard. Select your Help desk group as the group to whom you want to delegate powers, then create a custom task. Delegate control of User objects and give the group Full Control permissions.

    Removing or Changing Delegation
    The time might come when you want to remove or modify a group or user's delegated authority. Unfortunately, you can't use the wizard for these tasks. Fortunately, however, performing the tasks manually isn't difficult. Open the Active Directory Users and Computers console and right-click the object over which you'd previously delegated authority. Open the object's Properties dialog box and move to the Security tab. To remove a group or user's delegated powers, simply delete the appropriate group or user from the list. To modify the delegated powers, click Advanced, then select the group or user to whom you delegated authority. Click View/Edit to see the current permissions, then modify the permissions as necessary.

    For more information about the Delegation of Control Wizard and delegation in general, see Darren Mar-Elia, "Ups and Downs of AD Delegation," December 2000 and Paula Sharick, "The Active Directory Delegation of Control Wizard," September 2000.

    Author Comment

    That was where i needed to go thanks.

    LVL 57

    Expert Comment

    by:Pete Long
    :) ThanQ

    Featured Post

    Better Security Awareness With Threat Intelligence

    See how one of the leading financial services organizations uses Recorded Future as part of a holistic threat intelligence program to promote security awareness and proactively and efficiently identify threats.

    Join & Write a Comment

    Many of us in IT utilize a combination of roaming profiles and folder redirection to ensure user information carries over from one workstation to another; in my environment, it was to enable virtualization without needing a separate desktop for each…
    This is the first one of a series of articles I’ll be writing to address technical issues that are always referred to as network problems. The network boundaries have changed, therefore having an understanding of how each piece in the network  puzzl…
    It is a freely distributed piece of software for such tasks as photo retouching, image composition and image authoring. It works on many operating systems, in many languages.
    Get a first impression of how PRTG looks and learn how it works.   This video is a short introduction to PRTG, as an initial overview or as a quick start for new PRTG users.

    745 members asked questions and received personalized solutions in the past 7 days.

    Join the community of 500,000 technology professionals and ask your questions.

    Join & Ask a Question

    Need Help in Real-Time?

    Connect with top rated Experts

    13 Experts available now in Live!

    Get 1:1 Help Now