Default security concerns in Active Directory delegation

This article was previously published under Q235531
SUMMARY
Microsoft Windows 2000 and Microsoft Windows Server 2003 include a Delegation wizard (the Delegation of Control Wizard in Active Directory Users and Computers) to facilitate the delegation of administrative rights over containers within Active Directory.

The Delegation wizard functions by providing administrators with a set of dialog boxes designed to specify the following items:
  • To whom the administrator wants to delegate authority.
  • The objects over which these users are granted authority.
  • The permissions the designated users have over these objects.
The Delegation wizard then creates access control entries on the target container object according to the options specified in the wizard; the entries are written to the container's own access control list.

It is important to note that the Delegation wizard only adds access control entries; it provides no functionality to remove them. To reverse settings created with the wizard, an administrator must open the Security tab of the Properties dialog box for the affected organizational unit (in Active Directory Users and Computers the tab is shown only when Advanced Features is enabled on the View menu) and manually remove each entry the wizard added. Because every run of the wizard appends entries that persist until someone removes them, and because those entries can be inherited by the objects beneath the OU, the OU's access control list should be reviewed after delegation is granted and again whenever that delegation is supposed to have been revoked.
MORE INFORMATION
The following example demonstrates how the Delegation wizard creates access control list entries as a result of options selected:
  1. The administrator has previously configured a new Organizational Unit (OU). The OU contains all of the directory objects over which the administrator will delegate control.
  2. The administrator starts the Delegation wizard by right-clicking the OU, and then clicking Delegate Control.
  3. The Delegation wizard title dialog box appears, providing some introductory information about the wizard's functionality. Click Next to proceed.
  4. The administrator chooses the folder to which delegation will be applied.
  5. The administrator next specifies to whom delegation is going to be granted in the Users or Groups dialog box.
  6. The administrator selects the tasks to delegate, either from a pre-compiled list of commonly delegated tasks or by creating a custom task to delegate.
    1. If the administrator selects a common task, a summary screen is displayed in which the administrator can review the changes to be made.
    2. If the administrator chooses to create a custom task, two dialog boxes are displayed in which the administrator customizes the delegated task:
      1. Level of delegation. The administrator can choose to delegate control of the entire folder (the OU and the objects in it) or only of specific object types within the folder.
      2. In the next dialog box, the administrator specifies the permissions the designated users will be able to exercise.
  7. A confirmation dialog box lists all of the options selected in the wizard. Confirming the changes completes the wizard and adds the corresponding access control entries to the target Active Directory container.
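Because the wizard can only add entries, the practical follow-up to the procedure above is to inspect what it wrote and, when a delegation must be revoked, to remove exactly those entries. The following PowerShell is an added example and is not part of this article or of any Microsoft tool; it reads the OU's security descriptor through System.DirectoryServices (the [ADSI] accelerator), lists the explicit, non-inherited entries (the kind the wizard creates), and removes the ones held by a given trustee. The OU distinguished name and the trustee name are placeholders.

```powershell
# Added example (not from KB 235531): list and remove the explicit ACEs that the
# Delegation of Control wizard added for one trustee on an OU. Uses the [ADSI]
# accelerator (System.DirectoryServices), so no extra module is required.
# 'OU=Helpdesk,DC=example,DC=com' and 'EXAMPLE\Helpdesk Admins' are placeholders.

function Get-DelegationAce {
    param(
        [Parameter(Mandatory=$true)][string]$OuDn,   # placeholder: 'OU=Helpdesk,DC=example,DC=com'
        [string]$Trustee                             # placeholder: 'EXAMPLE\Helpdesk Admins'; omit to list all
    )
    $ou = [ADSI]"LDAP://$OuDn"
    $sd = $ou.psbase.ObjectSecurity   # ActiveDirectorySecurity of the OU (nTSecurityDescriptor)

    # includeExplicit=$true, includeInherited=$false: the wizard writes explicit ACEs on the
    # target OU itself, so entries inherited from parent containers are not of interest here.
    $rules = $sd.GetAccessRules($true, $false, [System.Security.Principal.NTAccount])
    foreach ($r in $rules) {
        if ($Trustee -and $r.IdentityReference.Value -ne $Trustee) { continue }
        [pscustomobject]@{
            Trustee         = $r.IdentityReference.Value
            Type            = $r.AccessControlType        # Allow / Deny
            Rights          = $r.ActiveDirectoryRights    # e.g. ReadProperty, WriteProperty, CreateChild
            # ObjectType is the schema GUID of the attribute, class or extended right the ACE
            # is scoped to; an all-zero GUID means the ACE applies to all properties/rights.
            ObjectType      = $r.ObjectType
            InheritedObject = $r.InheritedObjectType      # class GUID the ACE is limited to when inherited
            Inheritance     = $r.InheritanceType          # None, All, Descendents, ...
        }
    }
}

function Remove-DelegationAce {
    [CmdletBinding(SupportsShouldProcess=$true)]
    param(
        [Parameter(Mandatory=$true)][string]$OuDn,
        [Parameter(Mandatory=$true)][string]$Trustee
    )
    $ou = [ADSI]"LDAP://$OuDn"
    $sd = $ou.psbase.ObjectSecurity
    # GetAccessRules returns a fresh collection, so removing from $sd while iterating is safe.
    $rules = $sd.GetAccessRules($true, $false, [System.Security.Principal.NTAccount])
    $removed = 0
    foreach ($r in $rules) {
        if ($r.IdentityReference.Value -ne $Trustee) { continue }
        if ($PSCmdlet.ShouldProcess($OuDn, "Remove $($r.AccessControlType) $($r.ActiveDirectoryRights) for $Trustee")) {
            # RemoveAccessRuleSpecific removes exactly this ACE (same rights, object type and
            # inheritance flags) and leaves the trustee's other entries, if any, in place.
            $sd.RemoveAccessRuleSpecific($r)
            $removed++
        }
    }
    if ($removed -gt 0) { $ou.psbase.CommitChanges() }   # write the modified descriptor back to AD
    return $removed
}

# Usage (placeholder names): review first, then remove with -WhatIf before the real run.
# Get-DelegationAce -OuDn 'OU=Helpdesk,DC=example,DC=com' | Format-Table -AutoSize
# Remove-DelegationAce -OuDn 'OU=Helpdesk,DC=example,DC=com' -Trustee 'EXAMPLE\Helpdesk Admins' -WhatIf
```

Filtering on the trustee matters: a freshly created OU already carries explicit entries for built-in principals (for example the defaults applied from the schema's security descriptor), and those must not be stripped along with the delegated ones. The same removal can be done from a command prompt with the dsacls tool, where `dsacls "OU=Helpdesk,DC=example,DC=com"` prints the ACL and `dsacls "OU=Helpdesk,DC=example,DC=com" /R "EXAMPLE\Helpdesk Admins"` removes every entry for that trustee.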
REFERENCES
For more information about this topic in Windows 2000 Server, visit the following Microsoft Web site:
Best practice Active Directory Design for managing Windows networks
http://technet.microsoft.com/en-us/library/bb727085.aspx
For more information about this topic in Windows Server 2003, visit the following Microsoft Web sites:
Best practices for delegating Active Directory administration: How delegation works in Active Directory
http://technet.microsoft.com/en-us/library/cc773317.aspx
Best practices for delegating Active Directory administration: Case study: a delegation scenario
http://technet.microsoft.com/en-us/library/cc773358.aspx
Properties

Article ID: 235531 - Last Review: 10/11/2007 02:31:00 - Revision: 2.7

  • Microsoft Windows Server 2003, Standard Edition (32-bit x86)
  • Microsoft Windows Server 2003, Enterprise Edition (32-bit x86)
  • Microsoft Windows Server 2003, Datacenter Edition (32-bit x86)
  • Microsoft Windows Server 2003, Standard x64 Edition
  • Microsoft Windows Server 2003, Enterprise x64 Edition
  • Microsoft Windows Server 2003, Datacenter x64 Edition
  • Microsoft Windows Server 2003, Enterprise Edition for Itanium-based Systems
  • Microsoft Windows Server 2003, Datacenter Edition for Itanium-Based Systems
  • Microsoft Windows 2000 Server
  • kbinfo KB235531