Delegations of control allow you to delegate various common tasks using a wizard, but also to allow specific actions (such as : adding or deleting a specific type of object, ...).
The 1st possibility to create a delegation of control consists of using the "Delegation of control" wizard.
To open it, open the "Active Directory Users and Computers" console and right-click "Delegate Control" on your Active Directory domain or on the desired container or organizational unit.
In our case, we are going to create a delegation of control for our Active Directory domain.
The Delegation of Control wizard appears.
Choose the users and/or groups to whom you want to delegate a specific task.
Specify the name of the desired users and/or groups.
The users and/or groups appear in the list.
The list of common tasks that can be delegated is displayed :
For this tutorial, we will create a delegation so that our user "InformatiUser" can create, delete and manage user accounts.
A summary of the delegation of control to create is displayed.
Click on Finish.
For our tutorial, we have authorized user management for our user "InformatiUser".
However, this user is not an administrator and therefore does not have the possibility to connect directly to our domain controllers.
To manage user accounts, this user must therefore connect to a client PC linked to your Active Directory domain and use the corresponding RSAT console.
In our case, we installed the "Active Directory Users and Computers" console on the client PC.
Comme vous pouvez le voir, en étant connecté avec notre utilisateur "InformatiUser", nous pouvons créer uniquement des objets de type "Utilisateur".
The "New Object - User" window appears.
We specify a first name and a username for it.
We set a password and we choose that this password never expires.
A summary of the user is displayed.
The user has been successfully created.
If you view the properties of the user you just created, you will see that you can edit its properties.
However, for security reasons, he will not be able to change the properties of the Administrator account.
You will not be able to change the properties of the existing groups either, since the created delegation is limited to objects of type "User".
When you use the Delegation of Control wizard, it adds the necessary permissions on the desired container or organizational unit.
To change these permissions, all you have to do is right-click "Properties" on the concerned container or organizational unit, then go to the "Security" tab.
However, as you can see, the "Security" tab is not displayed by default.
To display this "Security" tab in the properties of your Active Directory objects, you must go to the "View" menu and click on "Advanced Features".
Now, right click "Properties" on the desired folder.
In the "Security" tab, we find our "InformatiUser" user to whom we had delegated user management.
Currently, the only information displayed is the "Special permissions" permission.
Click on : Advanced.
In the "Advanced Security Settings for [container name]" window that appears, we find a permission :
If you select this permission and click Edit, you will be able to choose :
If we look further down, we find the "Create User objects" and "Delete User objects" permissions previously assigned by the delegation of control wizard.
Further down, there is also a second authorization with full control access, but which applies as expected only to "User" type objects.
Windows Server 6/18/2021
Windows Server 7/31/2021
Windows Server 7/3/2021
Windows Server 7/9/2021
® InformatiWeb-Pro.net - InformatiWeb.net 2008-2020 - © Lionel Eppe - All rights reserved.
Total or partial reproduction of this site is prohibited and constitutes an infringement punishable by articles L.335-2 and following of the intellectual property Code.