Default security concerns in Active Directory delegation

Article translations Article translations
Article ID: 235531 - View products that this article applies to.
This article was previously published under Q235531
Expand all | Collapse all

SUMMARY

Microsoft Windows 2000 and Microsoft Windows Server 2003 include a Delegation wizard to facilitate the delegation of administrative rights over containers within Active Directory.

The Delegation wizard functions by providing administrators with a set of dialog boxes designed to specify the following items:
  • To whom the administrator wants to delegate authority.
  • The objects to which these users should gain authority.
  • The permissions the designated users have over these objects.
The Delegation wizard dynamically creates access control entries on the target container object according to the options specified in the wizard.

It is important to note that the Delegation wizard does not provide functionality to remove access control entries. If an administrator wants to reverse configuration settings created with the Delegation wizard, he or she must manually gain access to the Security Settings dialog box for the affected organizational unit and remove all added entries.

MORE INFORMATION

The following example demonstrates how the Delegation wizard creates access control list entries as a result of options selected:
  1. The administrator has previously configured a new Organizational Unit (OU). The OU contains all of the directory objects over which the administrator will delegate control.
  2. The administrator starts the Delegation wizard by right-clicking the OU, and then clicking Delegate Control.
  3. The Delegation wizard title dialog box appears, providing some introductory information about the wizard's functionality. Click Next to proceed.
  4. The administrator chooses the folder to which delegation will be applied.
  5. The administrator next specifies to whom delegation is going to be granted in the Users or Groups dialog box.
  6. The administrator is given the option to select the tasks to delegate. These tasks can be selected from a pre-compiled list of commonly delegated tasks, or the administrator can choose to create a custom task to delegate.
    1. If the administrator selects a common task, a summary screen is displayed in which the administrator can detail the changes to be made.
    2. If the administrator chooses to create a custom task to delegate, two dialog box are displayed in which the administrator can customize the delegated task:
      1. Level of delegation. The administrator can choose to delegate to the entire folder, or to specific objects within the folder.
      2. In the next dialog box, the administrator dictates the permissions the specified users will be able to exercise.
  7. A confirmation dialog box appears, detailing all of the options selected in the wizard. Confirming the changes completes the wizard, and adds all appropriate access control entries to the target Active Directory container.

REFERENCES

For more information about this topic in Windows 2000 Server, visit the following Microsoft Web site:
Best practice Active Directory Design for managing Windows networks
http://technet.microsoft.com/en-us/library/bb727085.aspx
For more information about this topic in Windows Server 2003, visit the following Microsoft Web sites:


Best practices for delegating Active Directory administration: How delegation works in Active Directory
http://technet.microsoft.com/en-us/library/cc773317.aspx

Best practices for delegating Active Directory administration: Case study: a delegation scenario
http://technet.microsoft.com/en-us/library/cc773358.aspx

Properties

Article ID: 235531 - Last Review: October 11, 2007 - Revision: 2.7
APPLIES TO
  • Microsoft Windows Server 2003, Standard Edition (32-bit x86)
  • Microsoft Windows Server 2003, Enterprise Edition (32-bit x86)
  • Microsoft Windows Server 2003, Datacenter Edition (32-bit x86)
  • Microsoft Windows Server 2003, Standard x64 Edition
  • Microsoft Windows Server 2003, Enterprise x64 Edition
  • Microsoft Windows Server 2003, Datacenter x64 Edition
  • Microsoft Windows Server 2003, Enterprise Edition for Itanium-based Systems
  • Microsoft Windows Server 2003, Datacenter Edition for Itanium-Based Systems
  • Microsoft Windows 2000 Server
Keywords: 
kbinfo KB235531

Give Feedback

 

Contact us for more help

Contact us for more help
Connect with Answer Desk for expert help.
Get more support from smallbusiness.support.microsoft.com