Simple and complete guide to 'Delegate Control'


srp336

I've been asked to look into options for delegating the task of adding
and deleting users to one of our domains. Is there a simple and
complete guide to using the 'Delegate Control' function to do this?

I have a copy of a Microsoft whitepaper and appendices. I'd really love
to be able to read this whole thing, but don't really have the time for
400+ pages at the moment.

I've done some searching, but everything I've found is sort of brief.
It's all just step1: start the wizard, and step2: set permissions. I
need just a little more detail than that.

Here's what I've tried:

- I've run the wizard on one particular domain controller. I've
assigned "Create Users" and "Delete users" to my normal login id (which
happens to be in another domain). Is there any way to see that that
setting has been done, or to remove it?
- I've given myself permission to log into the domain controller under
my normal login id (which is what I'm assuming I must do...)
- I start mmc and add the Active Directory Users and Computers snapin
- When I open that, I see a lot more than Users that I have access to,
and it's my login id's domain, not the domain of the DC I just logged
in to.

Is 'Delegate Control' what most people use for this kind of thing, or a
third-party utility?

Thanks!
 
Hello,

answers inline

srp336 says...

> I've been asked to look into options for delegating the task of adding
> and deleting users to one of our domains. Is there a simple and
> complete guide to using the 'Delegate Control' function to do this?
>
> I have a copy of a Microsoft whitepaper and appendices. I'd really love
> to be able to read this whole thing, but don't really have the time for
> 400+ pages at the moment.

It's really good. If you don't have time to read it now, start with the
beginning to understand the concepts, or just search for the stuff you want to
delegate.
> I've done some searching, but everything I've found is sort of brief.
> It's all just step1: start the wizard, and step2: set permissions. I
> need just a little more detail than that.
>
> Here's what I've tried:
>
> - I've run the wizard on one particular domain controller. I've
> assigned "Create Users" and "Delete users" to my normal login id (which
> happens to be in another domain). Is there any way to see that that
> setting has been done, or to remove it?

Yes - click on the OU where you applied the permissions, make sure that
advanced view is selected in active directory users and computers, then go into
the properties of the OU and look at the security tab.

Delegating permissions is nothing other than security applied to objects in AD.
You can either use the delegation wizard, or you can do it directly in the
security tab. You are not able to delete them in the wizard, but you are able
to do those "advanced" tasks in the security tab.
> - I've given myself permission to log into the domain controller under
> my normal login id (which is what I'm assuming I must do...)

nope - if you have delegated permissions you can change the objects with AD
Users and Computers from any workstation where ADUC is installed.
> - I start mmc and add the Active Directory Users and Computers snapin
OK

> - When I open that, I see a lot more than Users that I have access to,
> and it's my login id's domain, not the domain of the DC I just logged
> in to.

Right click the top node of Active Directory Users and Computers and select
"Connect to domain". And note that users usually have read access to about
everything.
> Is 'Delegate Control' what most people use for this kind of thing, or a
> third-party utility?

Either the wizard, the security tab, or the command line tool dsacls.

--
Gruesse - Sincerely,

Ulf B. Simon-Weidner

MVP-Book "Windows XP - Die Expertentipps": http://tinyurl.com/44zcz
Weblog: http://msmvps.org/UlfBSimonWeidner
Website: http://www.windowsserverfaq.org
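The three things this reply covers (seeing what has been delegated on an OU, delegating user creation and deletion, and removing that delegation again) as one added example with the dsacls tool the reply mentions, run from PowerShell. This is not code from the thread; the OU distinguished name, domain and group name are assumptions.

```powershell
# Added example: inspect, grant and revoke a user-object delegation on one OU
# with dsacls.exe (part of the AD DS / RSAT tools).
# The OU DN and the trustee below are assumptions, not values from the thread.
$ou      = 'OU=Staff,DC=corp,DC=example'
$trustee = 'CORP\Helpdesk-UserAdmins'   # delegate to a group, never to a personal account

# 1. Dump the OU's DACL. This is the same data ADUC shows on the Security tab
#    (with Advanced Features on): explicit ACEs are what the wizard or dsacls
#    wrote here, the rest is inherited from parent containers.
dsacls $ou

# 2. Grant Create Child (CC) and Delete Child (DC), restricted to the user
#    object class, on this OU and every sub-OU (/I:T = this object and all
#    sub-objects). This is what the wizard writes for the custom task
#    "Create selected objects in this folder" / "Delete selected objects in
#    this folder" with only "User objects" ticked: no rights on the user
#    objects' attributes, so no password resets or group changes.
dsacls $ou /I:T /G "${trustee}:CCDC;user"

# 3. Confirm the delegation by showing only the ACEs for that trustee.
dsacls $ou | Select-String -Pattern ([regex]::Escape($trustee)) -Context 0,3

# 4. Undo. /R removes every explicit ACE for the trustee on this object, so
#    list them first (step 3) if the same group has other delegations here.
#    Inherited ACEs are untouched; those must be removed on the parent.
dsacls $ou /R $trustee
```

Step 1 is also the quickest answer to "is there any way to see that the setting has been done": an ACE for the trustee that is not marked as inherited is the one the wizard created.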
 
Thank you very much... your response has made things a lot clearer.

If I want to delegate creating and deleting groups (only), what is the
least amount of privileges I need to assign?
 
You really should read the whole thing cover to cover. A lot of people really
really screw up their AD with poor or incorrect delegation and then have a hell
of a time trying to sort it out later when they figure out what they did wrong.
Just ad hoc changing things based on what you think you need at the time is
entirely the wrong way to assign the permissions. You need to work out
everything that needs to be delegated, work up a grouping scheme to go with it,
and then delegate the minimal number of ACEs required to pull off the delegation.

I don't know how many companies I have walked in the door to find that a great
deal of their issues came from having no clue what they were doing with
permissions and just assigning things as they figured it out.

joe
 
Create Group object
Delete Group object

You'll also need write property on RDN and CN to move a group between OUs.

You'll find this information in the delegation appendixes.
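The ACE set this reply describes (create and delete group objects, plus write property on the RDN and cn attributes so a group can be moved or renamed), written out as an added example with the ActiveDirectory PowerShell module and the AD: drive instead of the wizard. This is not code from the thread. The OU, the trustee group and the domain are assumptions; the schema GUIDs for the group class and the name and cn attributes are read from the schema at run time rather than hard-coded.

```powershell
# Added example: the minimal group-delegation ACEs from the reply above,
# applied with the ActiveDirectory module. OU, trustee and domain are assumptions.
Import-Module ActiveDirectory

$ou      = 'OU=Groups,DC=corp,DC=example'
$trustee = 'CORP\GroupAdmins'

# Resolve a class or attribute to its schemaIDGUID instead of hard-coding GUIDs.
function Get-SchemaGuid {
    param([Parameter(Mandatory)][string]$LdapDisplayName)
    $schemaNc = (Get-ADRootDSE).schemaNamingContext
    $obj = Get-ADObject -SearchBase $schemaNc `
        -LDAPFilter "(lDAPDisplayName=$LdapDisplayName)" -Properties schemaIDGUID
    if (-not $obj) { throw "Schema object '$LdapDisplayName' not found" }
    [guid]$obj.schemaIDGUID
}

$sid       = (New-Object System.Security.Principal.NTAccount($trustee)).Translate(
                 [System.Security.Principal.SecurityIdentifier])
$groupGuid = Get-SchemaGuid 'group'
$nameGuid  = Get-SchemaGuid 'name'   # the RDN attribute
$cnGuid    = Get-SchemaGuid 'cn'

$acl = Get-Acl -Path "AD:\$ou"

# 1. Create Group object / Delete Group object: CreateChild and DeleteChild
#    limited to the group class, on this OU and all sub-OUs. Because both rights
#    inherit to sub-OUs, the delegate can move a group between them (a move is
#    a delete in the source container plus a create in the target).
$createDelete = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $sid,
    [System.DirectoryServices.ActiveDirectoryRights]'CreateChild, DeleteChild',
    [System.Security.AccessControl.AccessControlType]::Allow,
    $groupGuid,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All)
$acl.AddAccessRule($createDelete)

# 2. Write property on name (RDN) and cn, scoped to descendant group objects only,
#    so the delegate can rename and move groups but cannot touch member, managedBy
#    or anything else.
foreach ($attrGuid in $nameGuid, $cnGuid) {
    $rule = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
        $sid,
        [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty,
        [System.Security.AccessControl.AccessControlType]::Allow,
        $attrGuid,
        [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents,
        $groupGuid)
    $acl.AddAccessRule($rule)
}

Set-Acl -Path "AD:\$ou" -AclObject $acl

# 3. Review the result: the explicit (non-inherited) ACEs for the trustee,
#    i.e. what the Security tab's Advanced view would show.
(Get-Acl -Path "AD:\$ou").Access |
    Where-Object { -not $_.IsInherited -and $_.IdentityReference.Value -eq $trustee } |
    Format-Table IdentityReference, ActiveDirectoryRights, ObjectType,
                 InheritedObjectType, InheritanceType -AutoSize
```

Moving a group to an OU outside this subtree still fails, since the delegate has no CreateChild right on the target; that is intended, and is the reason to work out the OU layout before writing any ACEs, as the earlier reply insists.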
 