Solved

Active Directory Delegation

Posted on 2008-10-01
Last Modified: 2010-03-17
I went to ADUC and used the Delegation of Control wizard to delegate the authority to perform certain tasks. The problem I have is: how do I tell to whom I've delegated control, and how do I remove it? I don't see the user I just delegated control to listed in the wizard the next time I launch it.
0
Question by:georgedschneider
 
LVL 71

Expert Comment

by:Chris Dent
ID: 22615993

Hey,

You'd have to look at the security tab I'm afraid.

All the delegation wizard does is provide you with a friendly face for setting the security on a container / OU / object.

Chris
0
 

Author Comment

by:georgedschneider
ID: 22616025
How do I remove the rights I just added through the security tab?
0
 
LVL 70

Expert Comment

by:KCTS
ID: 22616092
You need to edit the security settings on the security tab in the same way as you would permissions on a file or folder.

BTW it's best practice only to delegate to groups - even if that group contains only one person initially. That way if you want to revoke permissions you just remove the user from the group - or you can add users to the group to grant them the permissions.
0
 
LVL 71

Expert Comment

by:Chris Dent
ID: 22616102

If they're not clear under the main security box you'll have to head into Advanced and pick them out of the list again. Depending on what you set it might not really be very hard, for instance, if you applied something to only user accounts watch out for the object type under the "Applies to" column.

Chris
0
 

Author Comment

by:georgedschneider
ID: 22617989
Can I use a tool such as dsacls to do this?
0
 
LVL 71

Expert Comment

by:Chris Dent
ID: 22618009

Sure, it's just less clear than the GUI :) But if you're happy with it you should be fine modifying the ACLs.

Chris
0
 

Author Comment

by:georgedschneider
ID: 22618237
The problem I'm having is that, looking at the security tab, I'm having a hard time telling which rights are the delegated authorities I've granted. How can I determine what are the delegated authorities versus normal security rights granted to the object?
0
 
LVL 71

Accepted Solution

by:
Chris Dent earned 500 total points
ID: 22618427

You can't, there's no such difference. As I said above, all the delegation wizard does is dress up the security modification in a friendly form to allow these to be set without having to dig into the underlying rights.

That said, you're likely to find that the permissions are moderately obvious because they'll be explicit at that level rather than implicit because of inheritance.

Which of the permissions are "Not inherited"?

Chris
0
 

Author Comment

by:georgedschneider
ID: 22665597
Would the best way be to create a temp account, check its rights, and then delegate authority and see what has changed?
0
 
LVL 71

Expert Comment

by:Chris Dent
ID: 22667185

I normally delegate permissions to a group, but in effect that's the same thing and your approach would certainly work well to see the impact of the change.

Chris
0
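The two approaches discussed in this thread (picking out the "Not inherited" entries on the OU, and comparing the permissions before and after delegating) can be scripted. The following is an added example, not code posted by anyone in the thread; it assumes the RSAT ActiveDirectory module is installed, and the OU distinguished name and the function names `Get-GuidNameMap` and `Get-ExplicitAce` are hypothetical.

```powershell
Import-Module ActiveDirectory   # RSAT ActiveDirectory module (provides the AD: drive)
$TargetDN = 'OU=Staff,DC=example,DC=com'   # constructed placeholder DN (assumption)

function Get-GuidNameMap {
    # GUID -> name lookup (schema classes/attributes and extended rights)
    # so the ObjectType GUIDs stored in ACEs can be displayed as names.
    $root = Get-ADRootDSE
    $map  = @{}
    Get-ADObject -SearchBase $root.schemaNamingContext -LDAPFilter '(schemaIDGUID=*)' `
        -Properties lDAPDisplayName, schemaIDGUID |
        ForEach-Object { $map[[guid]$_.schemaIDGUID] = $_.lDAPDisplayName }
    Get-ADObject -SearchBase "CN=Extended-Rights,$($root.configurationNamingContext)" `
        -LDAPFilter '(rightsGuid=*)' -Properties displayName, rightsGuid |
        ForEach-Object { $map[[guid]$_.rightsGuid] = $_.displayName }
    $map
}

function Get-ExplicitAce {
    # Return only the ACEs set directly on the object (IsInherited = False),
    # which is where entries written by the delegation wizard appear.
    param([string]$DistinguishedName, [hashtable]$GuidMap)
    (Get-Acl -Path "AD:\$DistinguishedName").Access |
        Where-Object { -not $_.IsInherited } |
        ForEach-Object {
            [pscustomobject]@{
                Trustee   = $_.IdentityReference.Value
                Type      = $_.AccessControlType
                Rights    = $_.ActiveDirectoryRights
                Object    = if ($_.ObjectType -eq [guid]::Empty) { 'all' }
                            else { $GuidMap[$_.ObjectType] }
                AppliesTo = if ($_.InheritedObjectType -eq [guid]::Empty) { 'all objects' }
                            else { $GuidMap[$_.InheritedObjectType] }
                Scope     = $_.InheritanceType
            }
        }
}

$map    = Get-GuidNameMap
$before = Get-ExplicitAce -DistinguishedName $TargetDN -GuidMap $map
$before | Sort-Object Trustee | Format-Table -AutoSize

# Second snapshot after delegating; rows marked '=>' are the ACEs that were added.
Read-Host 'Run the Delegation of Control wizard, then press Enter' | Out-Null
$after = Get-ExplicitAce -DistinguishedName $TargetDN -GuidMap $map
Compare-Object $before $after -Property Trustee, Type, Rights, Object, AppliesTo, Scope |
    Where-Object SideIndicator -eq '=>'
```

The `AppliesTo` column corresponds to the "Applies to" object type mentioned earlier in the thread, and the first table doubles as a periodic audit of who holds explicit rights on the OU.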
