This step-by-step article describes how to delegate administrative authority in Windows 2000. An administrator can use this feature in Windows 2000 to delegate administrative authority over one or more organizational units (OUs) to a user or group, without giving that user or group administrative authority throughout the domain. This increases the flexibility with which administrators can assign responsibility over a specified set of user/group accounts, printers, or other resources that can be placed into an organizational unit.
Permissions that can be delegated include the permission to create and delete a particular type of object (such as user accounts) in an OU, permission to change the properties of the OU itself, or permissions to change properties of objects in the OU.
A user to whom authority has been delegated can delegate his/her authority, or a subset of it, to another user or group.
Delegating the Administrative Authority
The administrative tool that is used to delegate authority depends on the type of container or object involved. To delegate administrative authority over an OU or an entire domain, follow these steps on your Windows 2000 Server (or Windows 2000 Professional computer with the administrative tools installed):
- Click Start, point to Programs, point to Administrative Tools, and then click Active Directory Users and Computers.
- Right-click the domain or OU over which you want to delegate control, and then click Delegate Control to start the Delegation of Control Wizard.
- At the welcome page, click Next.
- To select a user or group to whom control will be delegated, click the Add button.
- In the Look in box, click a domain from which to select, or click Entire Directory.
- Choose the user or group account(s) from the list, and then click the Add button. Click OK, and if you want to add additional users or groups, click the Add button again, repeating this process as necessary until you have added all of the appropriate users and groups.
- Click Next, and then select the check boxes of the tasks you want to delegate. If the task doesn't appear in the list, you can click Create a custom task to delegate.
- Click Next, and the wizard will summarize your selections. If they are correct, click the Finish button to apply the changes.
If you want to delegate authority over a site, intersite transport, subnet, or the Servers container, open the Active Directory Sites and Services administrative tool, click on the container over which you want to delegate control, and follow the same basic procedure. Note that the pages of the wizard are slightly different. You can delegate control over the entire folder (including objects therein and those created in the folder), or you can specify certain objects. You will be asked to select the permissions to be delegated. Finally, your selections are summarized for your review.
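To review what a delegation actually granted, the added example below (not part of the original article) reads an OU's discretionary ACL in SDDL form and lists the explicit allow entries held by domain accounts, which is where the wizard's permissions end up. The SDDL string and SIDs are constructed sample data, the GUID map covers only the user class and the Reset Password right, and treating every `S-1-5-21-` trustee as a delegate is an assumption of this example.

```python
import re

# Two-letter SDDL access-right codes that matter for directory delegation.
RIGHTS = {"CC": "create child", "DC": "delete child", "RP": "read property",
          "WP": "write property", "CR": "extended right", "SD": "delete",
          "WD": "change permissions", "WO": "take ownership", "GA": "full control"}
# schemaIDGUID of the user class and rightsGuid of Reset Password (subset only).
OBJECTS = {"bf967aba-0de6-11d0-a285-00aa003049e2": "user objects",
           "00299570-246d-11d0-a768-00aa006e0579": "Reset Password"}

def pairs(codes):
    """Split a run of two-letter SDDL codes, e.g. 'CCDC' -> ['CC', 'DC']."""
    return re.findall("..", codes)

def delegated_aces(sddl):
    """Return explicit allow ACEs in the DACL whose trustee is a domain account SID."""
    dacl = re.search(r"D:[A-Z]*((?:\([^)]*\))+)", sddl)
    found = []
    for ace in re.findall(r"\(([^)]*)\)", dacl.group(1) if dacl else ""):
        ace_type, flags, rights, obj, inherit_obj, trustee = ace.split(";")[:6]
        if ace_type not in ("A", "OA"):          # allow ACEs only
            continue
        if "ID" in pairs(flags):                 # inherited from a parent, not set here
            continue
        if not trustee.startswith("S-1-5-21-"):  # built-ins appear as aliases (DA, SY)
            continue
        found.append({
            "trustee": trustee,
            "rights": [RIGHTS.get(r, r) for r in pairs(rights)],
            "object": OBJECTS.get(obj.lower(), obj or "all object types"),
            "child_class": OBJECTS.get(inherit_obj.lower(), inherit_obj or "any"),
            "inherits_down": "CI" in pairs(flags),
        })
    return found

# Constructed sample: an OU where one group (RID 1105) was delegated
# create/delete of user accounts plus Reset Password on user objects.
DOMAIN = "S-1-5-21-1111111111-2222222222-3333333333"
USER = "bf967aba-0de6-11d0-a285-00aa003049e2"
SAMPLE_SDDL = ("O:DAG:DAD:AI(A;;GA;;;DA)"
               f"(OA;CI;CCDC;{USER};;{DOMAIN}-1105)"
               f"(OA;CIIO;CR;00299570-246d-11d0-a768-00aa006e0579;{USER};{DOMAIN}-1105)"
               f"(A;CIID;GA;;;{DOMAIN}-1200)(A;CIID;RPLCRC;;;AU)")

if __name__ == "__main__":
    for entry in delegated_aces(SAMPLE_SDDL):
        print(entry)
```

Entries marked inherited are skipped on purpose: they were delegated at a parent container and should be reviewed there.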
For additional information about related topics, click the article numbers below to view the articles in the Microsoft Knowledge Base:
How to Delegate Authority for Editing a Group Policy Object
How to Delegate Administration of Group Policies
308194
HOW TO: Create Domain Organizational Units