
Delegating the administration of domains and OUs

When you create domains and OUs, you'll often want to delegate control over them to specific individuals. This is useful when you want to give someone limited administrative privileges for a domain or OU without making that person a domain administrator. Before you delegate administration, carefully plan the permissions to grant. Ideally, you delegate exactly the permissions that allow the user to perform the necessary tasks, and nothing that lets the delegate perform tasks he or she should not. Working out which tasks a user with limited administrative permissions actually needs usually requires talking to the department or office manager or to the individual.

Understanding delegation of administration

You delegate control of Active Directory objects to grant users permission to manage users, groups, computers, OUs, or other objects stored in Active Directory. You can grant permissions in the following ways:

  • Grant full control over an OU:
    Useful when you have local administrators within departments or at branch offices and you want those individuals to be able to manage all objects in the OU. Among other things, this allows local administrators to create and manage accounts in the OU.
  • Grant full control over specific types of objects in an OU:
    Useful when you have local administrators who should be able to manage only specific types of objects in an OU. For example, you might want local administrators to be able to manage users and groups but not to be able to manage computer accounts.
  • Grant full control over specific types of objects in a domain:
    Useful when you want to allow an individual to be able to manage only specific types of objects in a domain. Rather than adding the user as a member of the Administrators group, you grant the user full control over specific objects. For example, you might allow the user to manage user and group accounts in the domain but not to perform other administrative tasks.
  • Grant rights to perform specific tasks:
    Useful when you want to allow an individual to perform a specific task. For example, you might want to allow a department manager to read information related to user accounts in Active Directory Users And Computers, or you might want to allow help desk staff to be able to reset user passwords.

When you delegate permissions, keep in mind how inheritance works in Active Directory. As you might recall from previous discussions of permissions, lower-level objects inherit permissions from top-level objects. In a domain, the top-level object is the domain object itself. This has the following results:

  • Any user designated as an administrator for a domain automatically has full control over the domain.
  • If you grant permissions at the domain level, the user has those permissions for all OUs in the domain as well.
  • If you grant permissions in a top-level OU, the user has those permissions for all OUs that are created within the top-level OU, including OUs created later.

Because delegated permissions flow downward, a delegation made high in the tree is easy to forget and is not obvious when you look at a child OU. When you review what a delegate can do, check the object's Advanced Security Settings (or run dsacls against the OU) and pay attention to inherited entries, not only the entries set directly on that OU.

Delegating administration

To delegate administration of a domain or OU, follow these steps:

  1. In Active Directory Users And Computers, press and hold or right-click the domain or OU for which you want to delegate administration and then select Delegate Control. When the Delegation Of Control Wizard starts, tap or click Next.
  2. On the Users Or Groups page, tap or click Add to display the Select Users, Computers, Or Groups dialog box.
  3. The default location is the current domain. Tap or click Locations to see a list of the available domains and other resources that you can access. Because of the built-in transitive trusts, you can usually access all the domains in the domain tree or forest.
  4. Type the name of a user or group account in the selected or default domain, and then tap or click Check Names. The options available depend on the number of matches found as follows:
    • When a single match is found, the dialog box is automatically updated as appropriate and the entry is underlined.
    • When no matches are found, you either entered an incorrect name part or you're working with an incorrect location. Modify the name and try again, or tap or click Locations to select a new location.
    • If multiple matches are found, select the name or names you want to use and then tap or click OK.
  5. To add additional users or groups, type a semicolon (;), and then repeat this process.
  6. When you tap or click OK, the users and groups are added to the Selected Users And Groups list in the Delegation Of Control Wizard. Tap or click Next to continue.
  7. On the Tasks To Delegate page, a list of common tasks is provided. If you want to delegate any of these common tasks, select the tasks. Afterward, tap or click Next, and then tap or click Finish. Skip the remaining steps that follow.
  8. If you want to create a custom task to delegate, choose Create A Custom Task To Delegate and then tap or click Next. On the Active Directory Object Type page, you can now choose to delegate management of all objects in the container or limit the delegation to specific types of objects.
  9. On the Permissions page, you can select the levels of permissions to delegate for the previously selected objects. You can choose to allow Full Control over the object or objects, or you can delegate very specific permissions.
  10. Tap or click Next, and then tap or click Finish.
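The wizard writes its result as access control entries on the OU's security descriptor, so the same delegation can be made and, more importantly, verified from PowerShell. The following is an added example, not code from the original text: it grants the wizard's common task "Reset user passwords and force password change at next logon" on one OU to a help desk group, which in ACL terms is the Reset Password control access right plus read/write access to the pwdLastSet attribute on descendant user objects, and then reads the ACEs back so you can see what was set directly on the OU versus what was inherited from above. It assumes the RSAT ActiveDirectory module is installed, that you have rights to modify the OU's security descriptor, and that the OU and group names (OU=Sales,DC=corp,DC=example and HelpDesk-Sales) exist; replace those placeholders with your own.

```powershell
# Added example (not from the original text): delegate "reset password and force
# change at next logon" on one OU to a help desk group, then verify the ACL.
# Assumptions: RSAT ActiveDirectory module present; the OU and group below are
# placeholders that you must replace.
Import-Module ActiveDirectory

$ouDN      = 'OU=Sales,DC=corp,DC=example'   # assumed target OU
$groupName = 'HelpDesk-Sales'                # assumed delegate group (sAMAccountName)

# Resolve the GUIDs the ACEs need from the directory rather than hard-coding them:
# the 'user' object class, the pwdLastSet attribute, and the Reset Password right.
$rootDse  = Get-ADRootDSE
$schemaNC = $rootDse.schemaNamingContext
$rightsDN = "CN=Extended-Rights,$($rootDse.configurationNamingContext)"

function Get-SchemaGuid([string]$ldapDisplayName) {
    $obj = Get-ADObject -SearchBase $schemaNC -LDAPFilter "(lDAPDisplayName=$ldapDisplayName)" -Properties schemaIDGUID
    return [guid]$obj.schemaIDGUID      # schemaIDGUID is stored as a 16-byte array
}

function Get-ControlRightGuid([string]$displayName) {
    $obj = Get-ADObject -SearchBase $rightsDN -LDAPFilter "(displayName=$displayName)" -Properties rightsGuid
    return [guid]$obj.rightsGuid        # rightsGuid is stored as a string
}

$userClassGuid  = Get-SchemaGuid 'user'
$pwdLastSetGuid = Get-SchemaGuid 'pwdLastSet'
$resetPwdGuid   = Get-ControlRightGuid 'Reset Password'
$sid            = (Get-ADGroup $groupName).SID

$acl = Get-Acl -Path "AD:\$ouDN"

# ACE 1: the Reset Password control access right, applied only to descendant user
# objects (not to the OU itself and not to computers or groups inside it).
$aceReset = New-Object -TypeName System.DirectoryServices.ActiveDirectoryAccessRule -ArgumentList @(
    $sid,
    [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight,
    [System.Security.AccessControl.AccessControlType]::Allow,
    $resetPwdGuid,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents,
    $userClassGuid
)

# ACE 2: read and write the pwdLastSet attribute on descendant users, which is what
# "force password change at next logon" needs (it sets pwdLastSet to 0).
$acePwdLastSet = New-Object -TypeName System.DirectoryServices.ActiveDirectoryAccessRule -ArgumentList @(
    $sid,
    ([System.DirectoryServices.ActiveDirectoryRights]::ReadProperty -bor
     [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty),
    [System.Security.AccessControl.AccessControlType]::Allow,
    $pwdLastSetGuid,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents,
    $userClassGuid
)

$acl.AddAccessRule($aceReset)
$acl.AddAccessRule($acePwdLastSet)
Set-Acl -Path "AD:\$ouDN" -AclObject $acl

# Verification: list every ACE on the OU that names the delegate group. Entries
# with IsInherited = True came from a parent OU or the domain object, which is
# the inheritance behavior described earlier in this section.
Get-Acl -Path "AD:\$ouDN" |
    Select-Object -ExpandProperty Access |
    Where-Object { $_.IdentityReference.Value -like "*\$groupName" } |
    Select-Object IdentityReference, ActiveDirectoryRights, ObjectType,
                  InheritedObjectType, InheritanceType, IsInherited |
    Format-Table -AutoSize
```

Two practical notes. The Delegation Of Control Wizard only adds entries; it does not remove them, so if you delegate the wrong task or the wrong principal, you remove the entry from the OU's Security tab (Advanced) or with dsacls, not by running the wizard again. And because the verification step above shows inherited entries as well as direct ones, it is also the quick way to confirm that a delegation you made on a top-level OU really reaches the child OUs you intended and none that you did not.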