Active Directory Domain Services delegation
Delegation is especially important when a decentralized administrative model is developed. Delegation of administration is the process of decentralizing the responsibility for managing organizational units from a central administrator to other administrators. The ability to establish access to individual organizational units is an important security feature in Active Directory. Users can control access to the lowest level of an organization without having to create many Active Directory domains.
Common administrative tasks
Administrators routinely perform the following tasks in Active Directory:
- Change properties on a particular container. For example, when a new software package is available, administrators may create a group policy that controls software distribution.
- Create and delete objects of a specific type. In an organizational unit, specific types may include users, groups, and printers. When a new employee joins the organization, for example, a user account is created for the employee and then the employee is added to the appropriate organizational unit or group.
- Update specific properties on specific object types. In an organizational unit, this is perhaps the most common administrative task performed. Updating properties includes tasks such as resetting passwords and changing an employee’s personal information, such as a home address and phone number, when the employee moves.
To delegate common administrative tasks for an organizational unit, perform the following steps:
- Open Active Directory Users and Computers.
- In the console tree, double-click the domain node.
- In the details menu, right-click the organizational unit, click Delegate Control, and click Next.
Select the users or groups to which common administrative tasks will be delegated. To do so, perform the following steps:
- On the Users or Groups page, click Add.
- In the Select Users, Computers, or Groups dialog box, type the names of the users and groups to which control of the organizational unit has to be delegated, click OK, and click Next.
Assign common tasks to delegate. To do so, perform the following steps:
- On the Tasks to Delegate page, click Delegate the following common tasks.
- On the Tasks to Delegate page, select the tasks to be delegated and click OK.
- Click Finish.
Customizing Delegated Administrative Control
To delegate custom administrative tasks for an organizational unit, perform the following steps:
- Start the Delegation of Control Wizard.
- Select the users or groups to which administrative tasks will be delegated.
Assign the custom tasks to delegate. To do this, perform the following steps:
- On the Tasks to Delegate page, click Create a custom task to delegate and click Next.
- On the Active Directory Object Type page, select one of the following tasks:
  - Click This folder, existing objects in this folder, and creation of new objects in this folder, and click Next.
  - Click Only the following objects in the folder, select the Active Directory object type for which control will be delegated, and click Next. Click Finish.
- Select the permissions to be delegated and click Next.
- Click Finish.
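To review what either procedure above actually granted, the following added example (not part of the original page) lists the explicit Allow entries on an organizational unit's access control list and resolves their object-type GUIDs to names. It assumes the RSAT ActiveDirectory PowerShell module is available; the function name Get-OuDelegation and the OU distinguished name are hypothetical placeholders.

```powershell
# Added example: list the explicit "Allow" ACEs on an OU so a delegation can be reviewed.
# Assumptions: RSAT ActiveDirectory module installed; the OU DN in the usage line is a placeholder.
Import-Module ActiveDirectory

function Get-OuDelegation {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)]
        [string]$OuDistinguishedName
    )

    # Map schema and extended-right GUIDs to names so ObjectType values are readable.
    $rootDse = Get-ADRootDSE
    $guidMap = @{}
    Get-ADObject -SearchBase $rootDse.schemaNamingContext -LDAPFilter '(schemaIDGUID=*)' `
        -Properties lDAPDisplayName, schemaIDGUID |
        ForEach-Object { $guidMap[[guid]$_.schemaIDGUID] = $_.lDAPDisplayName }
    Get-ADObject -SearchBase "CN=Extended-Rights,$($rootDse.configurationNamingContext)" `
        -LDAPFilter '(objectClass=controlAccessRight)' -Properties name, rightsGuid |
        ForEach-Object { $guidMap[[guid]$_.rightsGuid] = $_.name }

    # An all-zero GUID means the ACE is not limited to one class, attribute or right.
    $resolve = {
        param([guid]$Id)
        if ($Id -eq [guid]::Empty) { 'All' }
        elseif ($guidMap.ContainsKey($Id)) { $guidMap[$Id] }
        else { $Id.ToString() }
    }

    # The AD: drive is provided by the ActiveDirectory module.
    (Get-Acl -Path "AD:\$OuDistinguishedName").Access |
        Where-Object { -not $_.IsInherited -and $_.AccessControlType -eq 'Allow' } |
        ForEach-Object {
            [pscustomobject]@{
                Trustee       = $_.IdentityReference.Value
                Rights        = $_.ActiveDirectoryRights
                ObjectType    = & $resolve $_.ObjectType
                AppliesToType = & $resolve $_.InheritedObjectType
                Inheritance   = $_.InheritanceType
            }
        }
}

# Usage (placeholder DN). Built-in default entries on the OU are listed alongside delegated ones.
Get-OuDelegation -OuDistinguishedName 'OU=Sales,DC=example,DC=com' |
    Sort-Object Trustee | Format-Table -AutoSize
```

Comparing this output before and after running the wizard shows exactly which trustee received which right, and whether the entry is scoped to one object type or applies to everything in the organizational unit.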