Monday, September 12, 2011

Using the Delegation of Control Wizard in Active Directory


This section demonstrates a task that many large organizations perform—delegating complete control of an OU to another group of administrators, thereby partitioning control of the directory namespace.

Delegating Control of an Organizational Unit

To delegate control of an OU

1. Open Active Directory Users and Computers. Your structure should resemble Figure 1.

Figure 1.  The Active Directory Structure

2. In the left pane, right-click Divisions OU, and then click Delegate control. The Delegation of Control wizard appears.

3. On the Welcome page, click Next.

4. On the Users or Groups page, click Add, click Advanced, and then click Find Now. Scroll to AUAdmins, double-click AUAdmins, and then click OK. Click Next to continue.

5. On the Tasks to Delegate page, click Create a custom task to delegate. (This allows you to delegate control of the entire container.) Click Next.

6. On the Active Directory Object Type page, click This folder, existing objects in this folder, and the creation of new objects in this folder (default), and then click Next.

7. On the Permissions page, click Full Control to delegate complete control. Click Next, and then click Finish.

 

Verifying the Permissions Granted

You can review the access control settings for the AUAdmins group to verify that permissions have been set appropriately.

To verify the permissions granted

1. In the Active Directory Users and Computers snap-in, on the View menu, click Advanced Features.

2. Navigate to and right-click Autonomous Unit under the Divisions OU, and then click Properties.

3. On the Security tab, click Advanced. On the Permissions tab, note the permission entries that apply to AUAdmins, as shown in Figure 2.

Figure 2.  Verifying Permissions for AUAdmins

4. Double-click AUAdmins. Full control has been granted for the OU and all its sub-objects, indicating that permissions were granted correctly.

5. Close all windows.
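The verification steps above read the OU's access control entries through the snap-in one container at a time. As an added example, not part of the original post, the following PowerShell function reads the same entries from the AD: drive so that a delegated group's rights can be audited across many OUs and scripted; it assumes the RSAT ActiveDirectory module is installed, and the domain DC=corp,DC=example is a placeholder, while the group and OU names are the ones from the walkthrough.

```powershell
# Added example (not from the original post): audit the explicit ACEs that a
# delegated group holds on an OU, with object-type GUIDs resolved to names.
# Assumes the RSAT ActiveDirectory module; DC=corp,DC=example is a placeholder.
Import-Module ActiveDirectory

function Get-AdDelegation {
    param(
        [Parameter(Mandatory)] [string] $OuDistinguishedName,
        [string] $GroupName   # e.g. 'AUAdmins'; omit to list every trustee
    )

    $rootDse = Get-ADRootDSE

    # GUID -> name table built from the schema (classes and attributes) and the
    # Extended-Rights container (extended rights and property sets), so an ACE
    # scoped to 'user' objects or to 'Reset Password' prints by name.
    $guidMap = @{}
    Get-ADObject -SearchBase $rootDse.schemaNamingContext -LDAPFilter '(schemaIDGUID=*)' `
        -Properties lDAPDisplayName, schemaIDGUID |
        ForEach-Object { $key = [guid]$_.schemaIDGUID; $guidMap[$key] = $_.lDAPDisplayName }
    Get-ADObject -SearchBase "CN=Extended-Rights,$($rootDse.configurationNamingContext)" `
        -LDAPFilter '(objectClass=controlAccessRight)' -Properties displayName, rightsGuid |
        ForEach-Object { $key = [guid]$_.rightsGuid; $guidMap[$key] = $_.displayName }

    $fullControl = [System.DirectoryServices.ActiveDirectoryRights]::GenericAll
    $acl = Get-Acl -Path "AD:\$OuDistinguishedName"

    foreach ($ace in $acl.Access) {
        # Inherited entries come from a parent container; only explicit ones were
        # written by a delegation performed on this OU.
        if ($ace.IsInherited) { continue }
        if ($GroupName -and $ace.IdentityReference -notlike "*\$GroupName") { continue }

        $objectType = 'All'
        if ($ace.ObjectType -ne [guid]::Empty) { $objectType = $guidMap[$ace.ObjectType] }

        # Mirror the wizard's "Apply onto" wording for the inheritance settings
        $appliesTo = "Child $($guidMap[$ace.InheritedObjectType]) objects"
        if ($ace.InheritedObjectType -eq [guid]::Empty) { $appliesTo = 'This object and all child objects' }
        if ($ace.InheritanceType -eq 'None') { $appliesTo = 'This object only' }

        [pscustomobject]@{
            Trustee     = $ace.IdentityReference.Value
            Type        = $ace.AccessControlType
            Rights      = $ace.ActiveDirectoryRights
            ObjectType  = $objectType
            AppliesTo   = $appliesTo
            # GenericAll is the wizard's "Full Control"; these are the grants to review first
            FullControl = (($ace.ActiveDirectoryRights -band $fullControl) -eq $fullControl)
        }
    }
}

# Same check as the snap-in's Security > Advanced view, for the AUAdmins delegation above
Get-AdDelegation -OuDistinguishedName 'OU=Autonomous Unit,OU=Divisions,DC=corp,DC=example' `
                 -GroupName 'AUAdmins' | Format-Table -AutoSize
```

Running it without -GroupName lists every explicit trustee on the OU, which is the useful form for a periodic review: an entry with FullControl set to True is equivalent to the Full Control grant made in the first walkthrough, and any such entry for a group other than the intended administrators is worth a closer look.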

Delegating Creation and Deletion of Users

The following steps demonstrate the delegation of specific tasks to an authoritative security group. In this example, the HRTeam—members of the Human Resources Department—need permissions for the creation or deletion of user accounts to facilitate employment operations. This type of delegation represents a secondary level of delegation in that control is assigned on a subset of rights for a specific container. In the previous example, all rights for a specific container were assigned.

To delegate control of specific tasks to the HRTeam

1. In the Active Directory Users and Computers snap-in, click the Divisions OU.

2. Right-click Divisions, and then click Delegate control. The Delegation of Control wizard appears. Click Next.

3. On the Users or Groups page, click Add, click Advanced, and then click Find Now. Scroll to HRTeam, double-click HRTeam, and then click OK. Click Next to continue.

4. On the Tasks to Delegate page, under Delegate the following common tasks, click Create, delete, and manage user accounts—the first option—as shown in Figure 3. Click Next to continue.

Figure 3.  Delegating Specific Tasks

5. On the summary page, review the proposed settings, and then click Finish.

Verifying the Permissions Granted

To verify the permissions granted

1. In the Active Directory Users and Computers snap-in, right-click Divisions, and then click Properties.

2. On the Security tab, click Advanced. As shown in Figure 4, permissions that apply to user objects are detailed, including appropriate permissions for the HRTeam.

Figure 4.  Verifying the Permissions Granted

3. Double-click the second HRTeam entry (Create/Delete User Objects) and note that the Create User objects and Delete User objects rights have been successfully assigned. Note that the Apply onto setting for these permissions is This object and all child objects, so they cover the Divisions OU and everything beneath it. Close all windows.

Delegating Resetting of Passwords for All Users

Expanding the previous example of delegating control for specific tasks, this section details a common IT support operation—resetting passwords. As password resets are one of the most frequent IT support requests, delegating control to a lower tier of IT support can streamline IT operations.

To delegate control of password resets to the HelpDesk group

1. In the Active Directory Users and Computers snap-in, click the Divisions OU.

2. Right-click Divisions, and then click Delegate control. The Delegation of Control wizard appears. Click Next.

3. On the Users or Groups page, click Add, click Advanced, and then click Find Now. Scroll to HelpDesk, double-click HelpDesk, and then click OK. Click Next to continue.

4. On the Tasks to Delegate page, under Delegate the following common tasks, click Reset user passwords and force password change at next logon as shown in Figure 5. Click Next to continue.

Figure 5.  Delegating Specific Tasks

5. On the summary page, review the proposed settings, and then click Finish.

Delegating Control of Custom Tasks

The previous examples detailed varying levels of delegating control on specific Active Directory containers. For the delegation of specific tasks, predefined options were selected for delegation. The Delegation of Control Wizard provides an additional level of granularity allowing for custom-built tasks to be assigned to specific users or groups. In the following section, the HRTeam will be assigned permissions to modify specific user attributes to facilitate general employment operations.

To assign control for creating and deleting a user’s personal information in Active Directory to the HRTeam

1. In the left pane, right-click Divisions OU, and then click Delegate control. The Delegation of Control wizard appears. Click Next.

2. On the Users or Groups page, click Add, click Advanced, and then click Find Now. Scroll to HRTeam, double-click HRTeam, and then click OK. Click Next to continue.

3. On the Tasks to Delegate page, click Create a custom task to delegate. (This allows you to delegate control of the entire container.) Click Next.

4. On the Active Directory Object Type screen, click Only the following objects in the folder.

5. Scroll down to the final entry and select the User Objects check box. At the bottom of the Active Directory Object Type screen, select both Create / Delete selected objects in this folder check boxes. Review your settings as shown in Figure 6, and then click Next to continue.

Figure 6.  Creating a Custom Delegation

6. On the Permission page, ensure that General is selected (default). Scroll down and select the Read and write personal information check box as shown in Figure 7.

Note:  Selecting the property-specific check box will provide an additional level of detail at the attribute level. For example, if you only wanted the HRTeam to be able to change a user’s street address, you would select that particular attribute.

Figure 7.  Creating a Custom Delegation, Assigning Specific Rights

7. Click Next to continue.

8. On the summary page, review the proposed settings, and then click Finish.
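Each of the wizard runs on this page (full control of an OU for AUAdmins, create/delete user accounts for HRTeam, password resets for HelpDesk, and the custom Personal Information task for HRTeam) ends up as one or more object-specific access control entries on the Divisions OU. As an added example, not part of the original post, the following PowerShell applies the same delegations as ActiveDirectoryAccessRule entries, which is how a delegation model can be kept in source control and reapplied consistently. It assumes the RSAT ActiveDirectory module and that the named groups and OUs already exist; the domain DC=corp,DC=example is a placeholder. Class, attribute and extended-right GUIDs are looked up by name in the schema and configuration partitions at run time rather than hard-coded.

```powershell
# Added example (not from the original post): apply the walkthrough's delegations
# as ActiveDirectoryAccessRule entries instead of through the wizard. GUIDs are
# resolved by name at run time. Assumes the RSAT ActiveDirectory module; the
# domain DC=corp,DC=example is a placeholder and the group/OU names are the
# walkthrough's.
Import-Module ActiveDirectory

$rootDse = Get-ADRootDSE

function Resolve-AdGuid {
    # schemaIDGUID of a class or attribute (e.g. 'user', 'pwdLastSet'), or the
    # rightsGuid of an extended right / property set (e.g. 'Reset Password').
    param([Parameter(Mandatory)][string] $Name)
    $schemaObj = Get-ADObject -SearchBase $rootDse.schemaNamingContext `
        -LDAPFilter "(lDAPDisplayName=$Name)" -Properties schemaIDGUID
    if ($schemaObj) { return [guid]$schemaObj.schemaIDGUID }
    $right = Get-ADObject -SearchBase "CN=Extended-Rights,$($rootDse.configurationNamingContext)" `
        -LDAPFilter "(displayName=$Name)" -Properties rightsGuid
    if ($right) { return [guid]$right.rightsGuid }
    throw "No schema object or extended right named '$Name'"
}

function Add-AdDelegation {
    param(
        [Parameter(Mandatory)][string] $OuDistinguishedName,
        [Parameter(Mandatory)][string] $GroupName,
        [Parameter(Mandatory)][System.DirectoryServices.ActiveDirectoryRights] $Rights,
        [guid] $ObjectType = [guid]::Empty,           # class/attribute/right the ACE is scoped to; Empty = all
        [System.DirectoryServices.ActiveDirectorySecurityInheritance] $Inheritance = 'All',
        [guid] $InheritedObjectType = [guid]::Empty   # limit inheritance to one object class; Empty = any
    )
    $sid = (Get-ADGroup -Identity $GroupName).SID
    $ace = New-Object -TypeName System.DirectoryServices.ActiveDirectoryAccessRule `
        -ArgumentList $sid, $Rights, ([System.Security.Principal.AccessControlType]::Allow),
                      $ObjectType, $Inheritance, $InheritedObjectType
    # Set-Acl on the AD: drive writes the whole security descriptor back, so the
    # existing ACL is read, extended and written rather than replaced.
    $path = "AD:\$OuDistinguishedName"
    $acl = Get-Acl -Path $path
    $acl.AddAccessRule($ace)
    Set-Acl -Path $path -AclObject $acl
}

$divisions = 'OU=Divisions,DC=corp,DC=example'
$userClass = Resolve-AdGuid 'user'

# Full control of the Autonomous Unit OU and everything beneath it for AUAdmins
Add-AdDelegation -OuDistinguishedName "OU=Autonomous Unit,$divisions" -GroupName 'AUAdmins' -Rights GenericAll

# Create and delete user objects in Divisions and all child containers for HRTeam
Add-AdDelegation -OuDistinguishedName $divisions -GroupName 'HRTeam' `
    -Rights 'CreateChild, DeleteChild' -ObjectType $userClass

# Password resets for HelpDesk: the Reset Password extended right, plus write access
# to pwdLastSet so "change password at next logon" can be set, on user objects only
foreach ($grant in @(
        @{ Rights = 'ExtendedRight';               Name = 'Reset Password' },
        @{ Rights = 'ReadProperty, WriteProperty'; Name = 'pwdLastSet' })) {
    Add-AdDelegation -OuDistinguishedName $divisions -GroupName 'HelpDesk' -Rights $grant.Rights `
        -ObjectType (Resolve-AdGuid $grant.Name) -Inheritance Descendents -InheritedObjectType $userClass
}

# Read and write the Personal Information property set on user objects for HRTeam;
# a single attribute (e.g. 'streetAddress') could be resolved and used here instead
Add-AdDelegation -OuDistinguishedName $divisions -GroupName 'HRTeam' -Rights 'ReadProperty, WriteProperty' `
    -ObjectType (Resolve-AdGuid 'Personal Information') -Inheritance Descendents -InheritedObjectType $userClass
```

The inheritance arguments correspond to the wizard's Apply onto choices: the AUAdmins and HRTeam create/delete entries use the default All (this object and all child objects), while the HelpDesk and Personal Information entries use Descendents scoped to the user class, so they never apply to the OU itself or to non-user objects. After running it, the Security > Advanced view on Divisions shows the same entries the walkthrough's verification steps describe.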
