Monday, September 12, 2011

Using the Delegation of Control Wizard in Active Directory


  This section demonstrates a task that many large organizations perform—delegating complete control of an OU to another group of administrators, thereby partitioning control of the directory namespace.

Delegating Control of an Organizational Unit

 

To delegate control of an OU

1.
Open Active Directory Users and Computers. Your structure should resemble Figure 1.

Figure 1.  The Active Directory Structure

2.
In the left pane, right-click Divisions OU, and then click Delegate control. The Delegation of Control wizard appears.

3.
On the Welcome page, click Next.

4.
On the Users or Groups page, click Add, click Advanced, and then click Find Now. Scroll to AUAdmins, double-click AUAdmins, and then click OK. Click Next to continue.


5.
On the Tasks to Delegate page, click Create a custom task to delegate. (This allows you to delegate control of the entire container.) Click Next.

6.
On the Active Directory Object Type page, click This folder, existing objects in this folder, and the creation of new objects in this folder (default), and then click Next.

7.
On the Permissions page, click Full Control to delegate complete control. Click Next, and then click Finish.

 

Verifying the Permissions Granted

 

You can review the access control settings for the AUAdmins group to verify that permissions have been set appropriately.

To verify the permissions granted
1.
In the Active Directory Users and Computers snap-in, on the View menu, click Advanced Features.

2.
Navigate to and right-click Autonomous Unit under the Divisions OU, and then click Properties.

3.
On the Security tab, click Advanced. On the Permissions tab, note the permission entries that apply to AUAdmins as shown in Figure 2.

Figure 2.  Verifying Permissions for AUAdmins

4.
Double-click AUAdmins. Full control has been granted for the OU and all its sub-objects, indicating that permissions were granted correctly.

5.
Close all windows.

Delegating Creation and Deletion of Users

 

The following steps demonstrate the delegation of specific tasks to an authoritative security group. In this example, the HRTeam—members of the Human Resources Department—need permissions for the creation or deletion of user accounts to facilitate employment operations. This type of delegation represents a secondary level of delegation in that control is assigned on a subset of rights for a specific container. In the previous example, all rights for a specific container were assigned.

To delegate control of specific tasks to the HRTeam

1.
In the Active Directory Users and Computers snap-in, click the Divisions OU.

2.
Right-click Divisions, and then click Delegate control. The Delegation of Control wizard appears. Click Next.

3.
On the Users or Groups page, click Add, click Advanced, and then click Find Now. Scroll to HRTeam, double-click HRTeam, and then click OK. Click Next to continue.

4.
On the Tasks to Delegate page, under Delegate the following common tasks, click Create, delete, and manage user accounts—the first option—as shown in Figure 3. Click Next to continue.
Figure 3.  Delegating Specific Tasks

5.
On the summary page, review the proposed settings, and then click Finish.


Verifying the Permissions Granted

 

To verify the permissions granted
1.
In the Active Directory Users and Computers snap-in, right-click Divisions, and then click Properties.

2.
On the Security tab, click Advanced. As shown in Figure 4, permissions that apply to user objects are detailed, including appropriate permissions for the HRTeam.
Figure 4.  Verifying the Permissions Granted

3.
Double-click the second HRTeam entry (Create/Delete User Objects) and note that the Create User objects and Delete User objects rights have been successfully assigned. Note that these permissions Apply onto this object (Divisions OU) and all child objects. Close all windows.
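The two verification procedures above (checking AUAdmins on the Autonomous Unit OU, and HRTeam on the Divisions OU) can be scripted so that delegation is reviewed regularly rather than only once after the wizard runs. The script below is an added example and is not part of the original post; it assumes the ActiveDirectory PowerShell module (RSAT, or Windows Server 2008 R2 and later) and uses placeholder OU and group names standing in for the post's Divisions OU, AUAdmins and HRTeam. It lists every ACE a group holds on an OU, resolves the object-type GUIDs to the class, attribute or right names the Advanced Security dialog shows, and flags Full Control entries, which are the broadest delegation the wizard can make.

```powershell
# Added example, not from the original post. Assumes the ActiveDirectory module
# (RSAT / Windows Server 2008 R2+); OU and group names below are placeholders.
Import-Module ActiveDirectory

$rootDse  = Get-ADRootDSE
$schemaNC = $rootDse.schemaNamingContext
$configNC = $rootDse.configurationNamingContext

# ACEs reference classes, attributes, property sets and control-access rights by GUID only.
# Build a GUID -> name table once so the output reads like the Advanced Security dialog.
$guidNames = @{}
Get-ADObject -SearchBase $schemaNC -LDAPFilter '(schemaIDGUID=*)' -Properties lDAPDisplayName, schemaIDGUID |
    ForEach-Object { $guidNames[([Guid]$_.schemaIDGUID).ToString()] = $_.lDAPDisplayName }
Get-ADObject -SearchBase "CN=Extended-Rights,$configNC" -LDAPFilter '(rightsGuid=*)' -Properties displayName, rightsGuid |
    ForEach-Object { $guidNames[([Guid]$_.rightsGuid).ToString()] = $_.displayName }

function Resolve-AceGuid([Guid]$Guid) {
    # An empty GUID means the ACE is not restricted to one class, attribute or right
    if ($Guid -eq [Guid]::Empty) { return 'All' }
    $key = $Guid.ToString()
    if ($guidNames.ContainsKey($key)) { $guidNames[$key] } else { $key }
}

function Get-OuDelegation {
    param(
        [Parameter(Mandatory)][string]$OuDN,      # e.g. 'OU=Divisions,DC=example,DC=com'
        [Parameter(Mandatory)][string]$GroupName  # e.g. 'AUAdmins' or 'HRTeam'
    )
    $fullControl = [int][System.DirectoryServices.ActiveDirectoryRights]::GenericAll
    $acl = Get-Acl -Path "AD:\$OuDN"
    $acl.Access |
        Where-Object { $_.IdentityReference.Value -like "*\$GroupName" } |
        ForEach-Object {
            [pscustomobject]@{
                Identity    = $_.IdentityReference.Value
                Type        = $_.AccessControlType
                Rights      = $_.ActiveDirectoryRights
                AppliesTo   = Resolve-AceGuid $_.ObjectType           # class, attribute, property set or extended right
                InheritedTo = Resolve-AceGuid $_.InheritedObjectType  # child class the ACE flows down to
                Inheritance = $_.InheritanceType                      # None, All, Descendents, ...
                Inherited   = $_.IsInherited                          # set on this OU or inherited from a parent
                # Full Control with inheritance to all child objects is the broadest
                # delegation the wizard can grant; flag it so it stands out in a review.
                FullControl = (([int]$_.ActiveDirectoryRights -band $fullControl) -eq $fullControl)
            }
        }
}

# Placeholder OU and group names from the post's scenario
Get-OuDelegation -OuDN 'OU=Autonomous Unit,OU=Divisions,DC=example,DC=com' -GroupName 'AUAdmins' | Format-Table -AutoSize
Get-OuDelegation -OuDN 'OU=Divisions,DC=example,DC=com' -GroupName 'HRTeam' | Format-Table -AutoSize
```

For the AUAdmins case the expected row is a single Allow entry with FullControl set and Inheritance All; for HRTeam the entries should show CreateChild/DeleteChild with AppliesTo resolving to user. Any other group with FullControl on an OU is worth a second look.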


Delegating Resetting of Passwords for All Users

 

Expanding the previous example of delegating control for specific tasks, this section details a common IT support operation—resetting passwords. As password resets are one of the most frequent IT support requests, delegating control to a lower tier of IT support can streamline IT operations.

To delegate control of password resets to the HelpDesk group

1.
In the Active Directory Users and Computers snap-in, click the Divisions OU.

2.
Right-click Divisions, and then click Delegate control. The Delegation of Control wizard appears. Click Next.

3.
On the Users or Groups page, click Add, click Advanced, and then click Find Now. Scroll to HelpDesk, double-click HelpDesk, and then click OK. Click Next to continue.

4.
On the Tasks to Delegate page, under Delegate the following common tasks, click Reset user passwords and force password change at next logon as shown in Figure 5. Click Next to continue.

Figure 5.  Delegating Specific Tasks

5.
On the summary page, review the proposed settings, and then click Finish.

Delegating Control of Custom Tasks

 

The previous examples detailed varying levels of delegating control on specific Active Directory containers. For the delegation of specific tasks, predefined options were selected for delegation. The Delegation of Control Wizard provides an additional level of granularity allowing for custom-built tasks to be assigned to specific users or groups. In the following section, the HRTeam will be assigned permissions to modify specific user attributes to facilitate general employment operations.

To assign control for creating and deleting a user’s personal information in Active Directory to the HRTeam

1.
In the left pane, right-click Divisions OU, and then click Delegate control. The Delegation of Control wizard appears. Click Next.

2.
On the Users or Groups page, click Add, click Advanced, and then click Find Now. Scroll to HRTeam, double-click HRTeam, and then click OK. Click Next to continue.

3.
On the Tasks to Delegate page, click Create a custom task to delegate. (This allows you to delegate control of the entire container.) Click Next.
4.
On the Active Directory Object Type screen, click Only the following objects in the folder.

5.
Scroll down to the final entry and select the User Objects check box. At the bottom of the Active Directory Object Type screen, select both Create / Delete selected objects in this folder check boxes. Review your settings as shown in Figure 6, and then click Next to continue.
Figure 6.  Creating a Custom Delegation

6.
On the Permission page, ensure that General is selected (default). Scroll down and select the Read and write personal information check box as shown in Figure 7.
Note:  Selecting the property-specific check box will provide an additional level of detail at the attribute level. For example, if you only wanted the HRTeam to be able to change a user’s street address, you would select that particular attribute.
Figure 7.  Creating a Custom Delegation, Assigning Specific Rights

7.
Click Next to continue.

8.
On the summary page, review the proposed settings, and then click Finish.
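The three task delegations walked through above (Create, delete, and manage user accounts for HRTeam; Reset user passwords and force password change at next logon for HelpDesk; and the custom Read and write personal information task for HRTeam) can also be written directly as access control entries, which is useful when the same delegation has to be applied to many OUs consistently. The script below is an added example, not part of the original post or of the wizard itself; it assumes the ActiveDirectory PowerShell module and placeholder OU and group names. It resolves class, attribute and control-access-right names to their GUIDs from the schema and Extended-Rights containers (the same objects the ADSI Edit and Schema snap-in sections later in this blog browse), and the mapping of each wizard task to ACEs is my reading of what the verification steps show, stated as an assumption.

```powershell
# Added example, not from the original post. Assumes the ActiveDirectory module;
# OU and group names are placeholders for the post's Divisions OU, HRTeam and HelpDesk.
Import-Module ActiveDirectory

function Get-SchemaGuid([string]$LdapDisplayName) {
    # schemaIDGUID of a class or attribute, e.g. 'user' or 'pwdLastSet'
    $obj = Get-ADObject -SearchBase (Get-ADRootDSE).schemaNamingContext `
        -LDAPFilter "(lDAPDisplayName=$LdapDisplayName)" -Properties schemaIDGUID
    if (-not $obj) { throw "schema object '$LdapDisplayName' not found" }
    [Guid]$obj.schemaIDGUID
}

function Get-RightsGuid([string]$DisplayName) {
    # rightsGuid of a control access right or property set, e.g. 'Reset Password' or 'Personal Information'
    $base = "CN=Extended-Rights,$((Get-ADRootDSE).configurationNamingContext)"
    $obj = Get-ADObject -SearchBase $base -LDAPFilter "(displayName=$DisplayName)" -Properties rightsGuid
    if (-not $obj) { throw "control access right '$DisplayName' not found" }
    [Guid]$obj.rightsGuid
}

function Grant-OuDelegation {
    param(
        [Parameter(Mandatory)][string]$OuDN,
        [Parameter(Mandatory)][string]$GroupName,
        [Parameter(Mandatory)][System.DirectoryServices.ActiveDirectoryRights]$Rights,
        [Guid]$ObjectType = [Guid]::Empty,           # class, attribute or right the ACE is limited to
        [System.DirectoryServices.ActiveDirectorySecurityInheritance]$Inheritance = 'All',
        [Guid]$InheritedObjectType = [Guid]::Empty   # limit inheritance to one child class (e.g. user)
    )
    $sid  = (Get-ADGroup $GroupName).SID
    $rule = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
        $sid, $Rights, [System.Security.AccessControl.AccessControlType]::Allow,
        $ObjectType, $Inheritance, $InheritedObjectType)
    $acl = Get-Acl -Path "AD:\$OuDN"
    $acl.AddAccessRule($rule)
    Set-Acl -Path "AD:\$OuDN" -AclObject $acl
}

$ou         = 'OU=Divisions,DC=example,DC=com'   # placeholder
$user       = Get-SchemaGuid 'user'
$pwdLastSet = Get-SchemaGuid 'pwdLastSet'
$resetPw    = Get-RightsGuid 'Reset Password'
$personal   = Get-RightsGuid 'Personal Information'

# "Create, delete, and manage user accounts": create/delete child user objects on the OU and all children
Grant-OuDelegation -OuDN $ou -GroupName 'HRTeam' -Rights 'CreateChild, DeleteChild' -ObjectType $user -Inheritance All

# "Reset user passwords and force password change at next logon": the Reset Password control access
# right plus write access to pwdLastSet, on descendant user objects only (assumed mapping)
Grant-OuDelegation -OuDN $ou -GroupName 'HelpDesk' -Rights ExtendedRight -ObjectType $resetPw `
    -Inheritance Descendents -InheritedObjectType $user
Grant-OuDelegation -OuDN $ou -GroupName 'HelpDesk' -Rights 'ReadProperty, WriteProperty' -ObjectType $pwdLastSet `
    -Inheritance Descendents -InheritedObjectType $user

# Custom task "Read and write personal information": the Personal Information property set on user objects
Grant-OuDelegation -OuDN $ou -GroupName 'HRTeam' -Rights 'ReadProperty, WriteProperty' -ObjectType $personal `
    -Inheritance Descendents -InheritedObjectType $user
```

Scoping the HelpDesk entries to descendant user objects with InheritedObjectType keeps the reset right off computer, group and OU objects under Divisions, which is the same narrowing the wizard applies when a common task is chosen instead of Full Control.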

Thursday, September 8, 2011

To add a new schema class or attribute definition

1.
Open the Active Directory Schema snap-in.
2.
In the console tree, click Active Directory Schema.

Do one of the following:

  • To add a class definition, in the console tree, right-click Classes, click Create Class, and then follow the instructions.

  • To add an attribute definition, in the console tree, right-click Attributes, click Create Attribute, and then follow the instructions.

Notes

To perform this procedure, you must be a member of the Schema Admins group in Active Directory, or you must have been delegated the appropriate authority.

The Active Directory Schema snap-in must be connected to the schema master to perform this procedure.


To install the Active Directory Schema snap-in

 

1.
Open Command Prompt.
2.
Type:
regsvr32 schmmgmt.dll
This command will register schmmgmt.dll on your computer. For more information about using regsvr32, see Related Topics.
3.
Click Start, click Run, type mmc /a, and then click OK.
4.
On the File menu, click Add/Remove Snap-in, and then click Add.
5.
Under Available Standalone Snap-ins, double-click Active Directory Schema, click Close, and then click OK.
6.
To save this console, on the File menu, click Save.
7.
In Save in, point to the systemroot\system32 directory.
8.
In File name, type schmmgmt.msc, and then click Save.
9.
To create a shortcut on your Start menu:
Right-click Start, click Open All Users, double-click the programs folder, and then double-click the Administrative Tools folder.
On the File menu, point to New, and then click Shortcut.
In the Create Shortcut Wizard, in Type the location of the item, type schmmgmt.msc, and then click Next.
On the Select a Title for the program page, in Type a name for this shortcut, type Active Directory Schema, and then click Finish.

Managing the Active Directory schema from MMC

 

The Active Directory Schema snap-in is a Microsoft Management Console (MMC) administrative tool for managing the schema. The Active Directory Schema snap-in can only be used from a computer with access to a domain. The Active Directory Schema snap-in is not available by default on the Administrative Tools menu, and must be added manually.


 

Verify Active Directory functionality before you apply the schema extension

 

Verify Active Directory functionality before you update the schema to help ensure that the schema extension proceeds without error. At a minimum, ensure that all domain controllers for the forest are online and performing inbound replication.


To verify Active Directory functionality before you apply the schema extension

1.
Log on to an administrative workstation that has the Windows Support Tool Repadmin.exe installed.

Note:

The Support Tools are located on the operating system installation media in the Support\Tools folder.
2.
Open a command prompt, and then change directories to the folder in which the Windows Support Tools are installed.
3.
At a command prompt, type the following, and then press ENTER:
repadmin /replsum /bysrc /bydest /sort:delta
All domain controllers should show 0 in the Fails column, and the largest deltas (which indicate the number of changes that have been made to the Active Directory database since the last successful replication) should be less than or roughly equal to the replication frequency of the site link that is used by the domain controller for replication. The default replication frequency is 180 minutes.
For more information about additional steps that you can take to verify Active Directory functionality before you apply the schema extension.

Apply the schema extension

 

Use the following procedure to apply the Windows Server 2003 R2 schema extension to the Active Directory schema.

To apply the Windows Server 2003 R2 schema extension to the Active Directory schema

1.
Log on to the computer that holds the schema master operations role as a member of the Schema Admins group and the Enterprise Admins group. If you are not sure which computer holds the schema master operations role, type the following at a command prompt, and then press ENTER:
Netdom query FSMO

Note:

The built-in Administrator account in the forest root domain is a member of the Schema Admins group by default.
2.
Verify that the schema operations master has performed inbound replication of the schema directory partition. Type the following at a command prompt, and then press ENTER:
repadmin /showreps
3.
Be sure that you are planning to run Adprep from a 32-bit version of Windows Server 2003 R2 if your schema master is currently running a 32-bit version of Windows Server. Run Adprep from a 64-bit version of Windows Server 2003 R2 if your schema master is currently running a 64-bit version of Windows Server. If you do not have the required version of Adprep. To determine the version of Windows operating system that is running on the schema master, type the following at a command prompt, and then press ENTER:
winver


4.
Change directories to the location that contains the appropriate Adprep version. Type the following command at the command prompt, and then press ENTER:
cd cmpnents\R2\ADPREP
adprep /forestprep

Verify the schema extension

 

After you run Adprep, you can use the Windows Support tool ADSI Edit to verify the schema extension.


To verify the schema extension

1.
Log on to an administrative workstation that has ADSI Edit installed.
2.
Click Start, click Run, type adsiedit.msc, and then click OK.
3.
Double-click Configuration Container, and then double-click CN=Configuration,DC=forest_root_domain
where forest_root_domain is the fully qualified domain name (FQDN) of your forest root domain.
4.
Double-click CN=ForestUpdates.
5.
Right-click CN=Windows2003Update, and then click Properties.
6.
Verify that the Revision attribute value is 9.
7.
Double-click Schema.
8.
Right-click CN=Schema,CN=Configuration,DC=forest_root_domain
where forest_root_domain is the FQDN of your forest root domain.
9.
Click Properties.
10.
On the Attributes tab, for Select a property to view, select objectVersion.
11.
Verify that Value(s) equals 31.
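The ADSI Edit walk-through above (Revision of CN=Windows2003Update and objectVersion of the schema container), together with the earlier step of finding the schema master with netdom, can be collapsed into one read-only check. This is an added example and not part of the original post; it assumes the ActiveDirectory PowerShell module (RSAT, or Windows Server 2008 R2 and later) and uses the values 9 and 31 from the post as the expected minimums for the Windows Server 2003 R2 extension.

```powershell
# Added example, not from the original post. Assumes the ActiveDirectory module.
Import-Module ActiveDirectory

function Test-SchemaExtension {
    param(
        [int]$ExpectedObjectVersion  = 31,  # schema objectVersion after the 2003 R2 forestprep (from the post)
        [int]$ExpectedForestRevision = 9    # revision of CN=Windows2003Update (from the post)
    )
    $rootDse  = Get-ADRootDSE
    $configNC = $rootDse.configurationNamingContext

    # CN=Schema,CN=Configuration,DC=forest_root_domain
    $schema = Get-ADObject -Identity $rootDse.schemaNamingContext -Properties objectVersion

    # CN=Windows2003Update,CN=ForestUpdates,CN=Configuration,... is only present once adprep /forestprep ran
    $revision = $null
    try {
        $update   = Get-ADObject -Identity "CN=Windows2003Update,CN=ForestUpdates,$configNC" -Properties revision
        $revision = $update.revision
    } catch { }

    [pscustomobject]@{
        SchemaMaster         = (Get-ADForest).SchemaMaster       # same answer as 'netdom query fsmo'
        ObjectVersion        = $schema.objectVersion
        ForestUpdateRevision = $revision
        # Later forest preparations raise both numbers, so test for "at least" rather than "equals"
        SchemaExtended       = ($schema.objectVersion -ge $ExpectedObjectVersion)
        ForestPrepApplied    = ($null -ne $revision -and $revision -ge $ExpectedForestRevision)
    }
}

Test-SchemaExtension | Format-List
```

Run it against the schema master itself after adprep /forestprep and again from a domain controller in another site once replication has had time to complete; a mismatch between the two is the replication problem the repadmin check in the earlier section is meant to catch before the extension is applied.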

To view a schema class or attribute definition

 

1.
Open the Active Directory Schema snap-in.
2.
In the console tree, click Active Directory Schema.
3.
Do one of the following:

  • To view a class definition, in the console tree, click Classes. In the details pane, right-click the class for which you want to view the definition, and then click Properties.

  • To view an attribute definition, in the console tree, click Attributes. In the details pane, right-click the attribute for which you want to view the definition, and then click Properties.

Active Directory Application Mode


 Active Directory Application Mode (ADAM) is a new mode of the Active Directory directory service that is designed to meet the specific needs of organizations that use directory-enabled applications. While Active Directory supports directory-enabled applications, as well as the server operating system, some directory-enabled applications have requirements that Active Directory does not meet. For example, some directory-enabled applications require schema changes that administrators may not want to make to Active Directory.

In addition, organizations may want to:
  • Support directory-enabled applications but not implement Active Directory domains and forests.
  • Support directory-enabled applications outside their existing domains and forests.
  • Use X.500 naming conventions for top-level directory partitions.
  • Run multiple directory service instances on a single server.
ADAM is designed to support these and other directory service scenarios. ADAM runs completely independently from Active Directory, and ADAM has its own schema. You can make changes to the ADAM schema with no impact to the Active Directory schema. ADAM does not require the presence of Active Directory domain controllers, domains, or forests. Therefore, organizations that have not implemented Active Directory can install and run ADAM. ADAM supports X.500 naming conventions for top-level directory partitions, and you can run multiple instances of ADAM on a single server.
ADAM runs on the following:
  • Domain controllers running operating systems in the Microsoft Windows Server 2003 family (Note that Microsoft Windows Server 2003, Web Edition cannot be a domain controller.)
  • Member servers running operating systems in the Windows Server 2003 family (except for Windows Server 2003, Web Edition)
  • Client computers running Microsoft Windows XP Professional

Lightweight Directory Access Protocol

The directory service protocol used by Active Directory is based on the Internet-standard Lightweight Directory Access Protocol defined in RFC 1777. LDAP allows queries and updates to take place in Active Directory. Objects in an LDAP-compliant directory must be uniquely identified by a naming path to the object. These naming paths take two forms: distinguished names and relative distinguished names.
Distinguished Names
The distinguished name of an object in Active Directory is represented by the entire naming path that the object occupies in Active Directory. For example, the user named Gene Bondoc can be represented by the following distinguished name:
The CN component of the distinguished name is the common name, which defines an object within the directory. The OU portion is the organizational unit in which the object belongs. The DC components define the DNS name of the Active Directory domain.
Relative Distinguished Names
The relative distinguished name of an object is basically a truncated distinguished name that defines the object's place within a set container. For example, take a look at the following object:
This object would have a relative distinguished name of OU=Marketing. The relative distinguished name in this case defines itself as an organizational unit within its current domain container.
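Splitting a distinguished name into its relative distinguished names is the operation the two definitions above describe, and it is easy to get wrong when a value contains an escaped comma (a CN such as "Bondoc\, Gene"). The function below is an added example, not part of the original post; the sample distinguished names are constructed for illustration, using the post's Gene Bondoc and Marketing names under a placeholder domain. It walks the string once, treats a backslash as an escape so that "\," does not split, and returns the leading RDN, the parent container and the DNS domain name recovered from the DC components.

```powershell
# Added example, not from the original post. Sample DNs below are constructed.

function Split-DistinguishedName {
    param([Parameter(Mandatory)][string]$DN)
    $rdns    = New-Object System.Collections.Generic.List[string]
    $current = New-Object System.Text.StringBuilder
    $i = 0
    while ($i -lt $DN.Length) {
        $c = $DN[$i]
        if ($c -eq '\' -and ($i + 1) -lt $DN.Length) {
            # Escaped character (e.g. "\," inside a CN): keep it and do not split here
            [void]$current.Append($c).Append($DN[$i + 1]); $i += 2; continue
        }
        if ($c -eq ',') {
            # Unescaped comma separates one RDN from the next
            $rdns.Add($current.ToString().Trim()); $current.Length = 0; $i++; continue
        }
        [void]$current.Append($c); $i++
    }
    $rdns.Add($current.ToString().Trim())
    return ,$rdns.ToArray()
}

function Get-DnParts {
    param([Parameter(Mandatory)][string]$DN)
    $rdns = Split-DistinguishedName $DN
    [pscustomobject]@{
        DistinguishedName         = $DN
        RelativeDistinguishedName = $rdns[0]                          # leftmost component names the object itself
        Parent                    = (($rdns | Select-Object -Skip 1) -join ',')
        # DC components, read left to right, give the DNS name of the domain
        DomainDnsName             = (($rdns | Where-Object { $_ -match '^DC=' } | ForEach-Object { $_.Substring(3) }) -join '.')
    }
}

# Constructed sample input: a user DN, the same user with an escaped comma in the CN, and an OU
'CN=Gene Bondoc,OU=Marketing,DC=example,DC=com',
'CN=Bondoc\, Gene,OU=Marketing,DC=example,DC=com',
'OU=Marketing,DC=example,DC=com' | ForEach-Object { Get-DnParts $_ } | Format-List
```

For the third input the RelativeDistinguishedName is OU=Marketing and the Parent is DC=example,DC=com, matching the example in the text; for the second the RDN stays whole as CN=Bondoc\, Gene instead of being cut at the escaped comma.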