Default security concerns in Active Directory delegation


Microsoft Windows 2000 and Microsoft Windows Server 2003 include a Delegation wizard to facilitate the delegation of administrative rights over containers within Active Directory.

The Delegation wizard functions by providing administrators with a set of dialog boxes designed to specify the following items:
  • To whom the administrator wants to delegate authority.
  • The objects to which these users should gain authority.
  • The permissions the designated users have over these objects.
The Delegation wizard dynamically creates access control entries on the target container object according to the options specified in the wizard.

It is important to note that the Delegation wizard does not provide functionality to remove access control entries. If an administrator wants to reverse configuration settings created with the Delegation wizard, he or she must manually gain access to the Security Settings dialog box for the affected organizational unit and remove all added entries.

More Information

The following example demonstrates how the Delegation wizard creates access control list entries as a result of options selected:

  1. The administrator has previously configured a new Organizational Unit (OU). The OU contains all of the directory objects over which the administrator will delegate control.
  2. The administrator starts the Delegation wizard by right-clicking the OU, and then clicking Delegate Control.
  3. The Delegation wizard title dialog box appears, providing some introductory information about the wizard's functionality. Click Next to proceed.
  4. The administrator chooses the folder to which delegation will be applied.
  5. The administrator next specifies to whom delegation is going to be granted in the Users or Groups dialog box.
  6. The administrator is given the option to select the tasks to delegate. These tasks can be selected from a pre-compiled list of commonly delegated tasks, or the administrator can choose to create a custom task to delegate.
    1. If the administrator selects a common task, a summary screen is displayed in which the administrator can detail the changes to be made.
    2. If the administrator chooses to create a custom task to delegate, two dialog box are displayed in which the administrator can customize the delegated task:
      1. Level of delegation. The administrator can choose to delegate to the entire folder, or to specific objects within the folder.
      2. In the next dialog box, the administrator dictates the permissions the specified users will be able to exercise.
  7. A confirmation dialog box appears, detailing all of the options selected in the wizard. Confirming the changes completes the wizard, and adds all appropriate access control entries to the target Active Directory container.


For more information about this topic in Windows 2000 Server, visit the following Microsoft Web site:
Best practice Active Directory Design for managing Windows networks
For more information about this topic in Windows Server 2003, visit the following Microsoft Web sites:

Best practices for delegating Active Directory administration: How delegation works in Active Directory

Best practices for delegating Active Directory administration: Case study: a delegation scenario

Article ID: 235531 - Last Review: Mar 20, 2009 - Revision: 1