  • 25 June 2021 at 12:15 UTC
  • InformatiWeb
  • 1/2

Create a delegation of control on an Active Directory infrastructure on Windows Server 2016

Delegations of control let you delegate various common tasks using a wizard, but also allow specific actions (such as adding or deleting a particular type of object).

  1. Delegate a common task using the Delegation of Control wizard
    1. Create a delegation of control
    2. Test the created delegation of control
    3. Change the permissions of a delegation of control
  2. Delegate a custom task using the Delegation of Control wizard
  3. Managed by
  4. Manually manage Active Directory permissions

1. Delegate a common task using the Delegation of Control wizard

1.1. Create a delegation of control

The first way to create a delegation of control is to use the "Delegation of Control" wizard.
To open it, open the "Active Directory Users and Computers" console, right-click your Active Directory domain (or the desired container or organizational unit) and choose "Delegate Control".
In our case, we are going to create a delegation of control on our Active Directory domain.

The Delegation of Control wizard appears.

Choose the users and/or groups to whom you want to delegate a specific task.

Specify the name of the desired users and/or groups.

The users and/or groups appear in the list.

The list of common tasks that can be delegated is displayed:

  • Create, delete and manage user accounts
  • Reset user passwords and force password change at next logon
  • Read all user information
  • Modify the membership of a group
  • Join a computer to the domain
  • Manage Group Policy links
  • Generate Resultant Set of Policy (Planning)
  • Generate Resultant Set of Policy (Logging)
  • Create, delete, and manage inetOrgPerson accounts
  • Reset inetOrgPerson passwords and force password change at next logon
  • Read all inetOrgPerson information

For this tutorial, we will create a delegation so that our user "InformatiUser" can create, delete and manage user accounts.

A summary of the delegation of control to create is displayed.
Click on Finish.

1.2. Test the created delegation of control

For our tutorial, we have delegated user account management to our user "InformatiUser".
However, this user is not an administrator and therefore cannot log on to our domain controllers directly.

To manage user accounts, this user must therefore log on to a client PC joined to your Active Directory domain and use the corresponding RSAT console.
In our case, we installed the "Active Directory Users and Computers" console on the client PC.

As you can see, when logged on as our user "InformatiUser", we can only create objects of type "User".

The "New Object - User" window appears.
We specify a first name and a username for it.

We set a password and select the option so that this password never expires.

A summary of the user is displayed.

The user has been successfully created.

If you view the properties of the user you just created, you will see that you can edit its properties.

However, for security reasons, this user will not be able to change the properties of the Administrator account.

You will not be able to change the properties of the existing groups either, since the created delegation is limited to objects of type "User".

1.3. Change the permissions of a delegation of control

When you use the Delegation of Control wizard, it adds the necessary permissions on the desired container or organizational unit.
To change these permissions, all you have to do is right-click "Properties" on the concerned container or organizational unit, then go to the "Security" tab.

However, as you can see, the "Security" tab is not displayed by default.

To display this "Security" tab in the properties of your Active Directory objects, you must go to the "View" menu and click on "Advanced Features".

Now, right-click the desired container and choose "Properties".

In the "Security" tab, we find our "InformatiUser" user, to whom we delegated user management.
For now, the only permission shown for this user is "Special permissions".

Click on Advanced.

In the "Advanced Security Settings for [container name]" window that appears, we find a permission:

  • of type: Allow
  • for the principal (which can be a user or a group): InformatiUser
  • access: Create/delete User objects
  • inherited from: None
  • which applies to: this object and all descendants

If you select this permission and click Edit, you will be able to choose:

  • to which principal (user or group) it applies
  • its type: allow or deny
  • to which objects it applies
  • which permissions you want to grant or deny (depending on the type of permission being edited)

If we look further down, we find the "Create User objects" and "Delete User objects" permissions previously assigned by the delegation of control wizard.

Further down, there is also a second permission granting full control, but which, as expected, applies only to objects of type "User".
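To audit what the wizard actually wrote (sections 1.1 and 1.3) without clicking through the "Advanced Security Settings" window, the following PowerShell script is an added example, not part of the original tutorial. It lists the ACEs granted to a principal on the domain root and resolves the object-type GUIDs to schema names, so the "Create/delete User objects" and "Full control on User objects" entries described above appear by name; it assumes the RSAT ActiveDirectory module is installed and uses the tutorial's "InformatiUser" as the principal.

```powershell
# Added example: list the ACEs a Delegation of Control created for one principal
# and show them the way the "Advanced Security Settings" window does.
# Assumptions: RSAT ActiveDirectory module present, the running account can read
# the directory, target is the domain root (set $Target to an OU's DN to audit an OU).
Import-Module ActiveDirectory

$Target    = (Get-ADDomain).DistinguishedName   # e.g. DC=example,DC=lan (assumed)
$Principal = 'InformatiUser'                    # sAMAccountName of the delegated user (from the tutorial)

# GUID -> lDAPDisplayName lookup built from the schema, so the ObjectType and
# InheritedObjectType GUIDs of each ACE display as "user", "group", ... instead of raw GUIDs.
# Both classSchema and attributeSchema objects carry schemaIDGUID, so attribute-level ACEs resolve too.
$schemaNC    = (Get-ADRootDSE).schemaNamingContext
$nameByGuid  = @{}
Get-ADObject -SearchBase $schemaNC -LDAPFilter '(schemaIDGUID=*)' -Properties lDAPDisplayName, schemaIDGUID |
    ForEach-Object { $nameByGuid[[guid]$_.schemaIDGUID] = $_.lDAPDisplayName }

function Resolve-AdGuid([guid]$Guid) {
    # An empty GUID means "all object types" (or "this object and all descendants" for InheritedObjectType).
    if ($Guid -eq [guid]::Empty)          { return 'All' }
    if ($nameByGuid.ContainsKey($Guid))   { return $nameByGuid[$Guid] }
    return $Guid.ToString()               # extended rights / property sets are not in the schema table
}

# Read the DACL of the target through the AD: PSDrive provided by the ActiveDirectory module.
$acl = Get-Acl -Path "AD:\$Target"
$acl.Access |
    Where-Object { $_.IdentityReference -like "*\$Principal" } |
    Select-Object @{n='Type';       e={ $_.AccessControlType }},
                  @{n='Principal';  e={ $_.IdentityReference }},
                  @{n='Rights';     e={ $_.ActiveDirectoryRights }},
                  @{n='ObjectType'; e={ Resolve-AdGuid $_.ObjectType }},
                  @{n='AppliesTo';  e={ Resolve-AdGuid $_.InheritedObjectType }},
                  @{n='Inherited';  e={ $_.IsInherited }} |
    Format-Table -AutoSize
```

For the delegation created in this tutorial, the output should show one entry with Rights "CreateChild, DeleteChild", ObjectType "user" and AppliesTo "All" (the "Create/delete User objects" permission), and one entry with Rights "GenericAll", ObjectType "All" and AppliesTo "user" (the full-control permission limited to User objects). Running the same script against every OU after a change is a simple way to detect delegations that were broadened beyond what was intended.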
