Using the AD Delegation Wizard

Q: We want to use the Active Directory (AD) Delegation Wizard to delegate certain AD permissions to the administrators in our branch offices. What are the limitations of the AD Delegation Wizard? Can we customize the wizard to reflect our specific AD delegation needs?

A: The AD Delegation Wizard lets an administrator choose from a set of predefined delegation tasks (listed at the end of this article) and automatically sets the corresponding permissions on the selected AD objects. The wizard, which Figure 1 shows, is accessible from the Microsoft Management Console (MMC) Active Directory Sites and Services snap-in (for sites) and the MMC Active Directory Users and Computers snap-in (for domains and organizational units, OUs).

The main limitation of the delegation wizard is that it only adds permissions to those that already exist in AD. It cannot remove or change existing permissions on any OU in your delegated OU structure. This is true for the default permissions as well as for permissions the wizard itself granted earlier, so running the wizard a second time with different choices leaves the earlier access control entries (ACEs) in place alongside the new ones.

The delegation wizard doesn't support removing administrative permissions; to do that from a GUI you must edit the ACL directly in the ACL editor (the Security tab of the object's properties, which the Active Directory Users and Computers snap-in shows only when Advanced Features is enabled on the View menu). This is a particular challenge when you need to remove every permission that an account or group holds across a set of objects in the domain, because none of the GUI tools let you search ACLs for a given security principal. Microsoft does provide a free download, dsrevoke.exe, that reports the permissions granted to a security principal in AD and removes them across a hierarchy of objects; note that it works on domain and OU objects only. You can find the tool at http://www.microsoft.com/downloads.
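As an added example (not part of the original article and not Dsrevoke's own code), the following PowerShell does the search the GUI tools can't: it lists every explicit ACE granted to a given principal on the domain root and on each OU, and can remove them. It assumes the RSAT ActiveDirectory module (which provides the AD: drive that Get-Acl and Set-Acl use here), a domain-joined session with rights to read and modify those ACLs, and uses CONTOSO\BranchAdmins as a placeholder group.

```powershell
# Added example, not from the original article or from Dsrevoke: report and optionally
# remove the explicit ACEs a principal holds on the domain root and every OU.
# Assumes the RSAT ActiveDirectory module (AD: drive) and an account with rights to
# read and modify the ACLs. 'CONTOSO\BranchAdmins' below is a placeholder.
Import-Module ActiveDirectory

function Get-DelegationTarget {
    # The domain root plus every OU: the objects the Delegation Wizard writes ACEs to.
    $domainDn = (Get-ADDomain).DistinguishedName
    @($domainDn) + @(Get-ADOrganizationalUnit -Filter * -SearchBase $domainDn |
        Select-Object -ExpandProperty DistinguishedName)
}

function Get-DelegatedAce {
    param([Parameter(Mandatory)][string]$Identity)   # e.g. 'CONTOSO\BranchAdmins'
    foreach ($dn in Get-DelegationTarget) {
        $acl = Get-Acl -Path "AD:\$dn"
        # Explicit ACEs only; an inherited ACE is removed where it was set, on the parent.
        foreach ($ace in $acl.Access) {
            if ($ace.IsInherited -or $ace.IdentityReference.Value -ne $Identity) { continue }
            [pscustomobject]@{
                Object              = $dn
                Type                = $ace.AccessControlType
                Rights              = $ace.ActiveDirectoryRights
                ObjectType          = $ace.ObjectType          # attribute, class or extended-right GUID (all-zero = any)
                InheritedObjectType = $ace.InheritedObjectType # class the ACE is inherited by (all-zero = any)
                Inheritance         = $ace.InheritanceType
            }
        }
    }
}

function Remove-DelegatedAce {
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory)][string]$Identity)
    foreach ($dn in Get-DelegationTarget) {
        $acl   = Get-Acl -Path "AD:\$dn"
        $stale = @($acl.Access | Where-Object {
            -not $_.IsInherited -and $_.IdentityReference.Value -eq $Identity })
        if ($stale.Count -eq 0) { continue }
        # RemoveAccessRuleSpecific removes exactly this ACE, not every ACE with matching rights.
        foreach ($ace in $stale) { $acl.RemoveAccessRuleSpecific($ace) }
        if ($PSCmdlet.ShouldProcess($dn, "Remove $($stale.Count) ACE(s) for $Identity")) {
            Set-Acl -Path "AD:\$dn" -AclObject $acl
        }
    }
}

# Report first, preview the removal with -WhatIf, then run it for real.
Get-DelegatedAce -Identity 'CONTOSO\BranchAdmins' | Format-Table -AutoSize
Remove-DelegatedAce -Identity 'CONTOSO\BranchAdmins' -WhatIf
```

The report deliberately filters out inherited ACEs: removing an inherited entry on a child OU has no lasting effect, because the entry is re-applied from the parent where it was actually set. Run the report against the output of Get-DelegatedAce before and after a removal to confirm that nothing beyond the intended principal's entries changed.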

Apart from the fact that you must walk down your OU structure manually and apply the delegated permissions at each OU of your choice, another drawback of the delegation wizard is that its predefined roles often don't match your requirements. Selecting the right sub-tasks as you click through the wizard is also fairly error prone, especially when you have to repeat the process several times in a row.

To ease this somewhat, you can define custom tasks and add them to the wizard's list of predefined tasks by editing the delegwiz.inf configuration file, which Figure 2 shows. The file is in the %Windir%\inf directory of the machine on which the MMC Active Directory Users and Computers snap-in is installed. It is a plain text file that you can edit while the snap-in is running; the snap-in re-reads the file each time you start the Delegation Wizard. Because the file is local to the administrative workstation, every administrator who runs the wizard needs the same edited copy.

The following sample template grants the rights needed to unlock a user account that has been locked out after too many logon attempts with the wrong password: read and write permission on the lockoutTime attribute (lockoutTime=RP,WP) of user objects (ObjectTypes = user). It applies to domain, OU, and container objects (AppliesToClasses=domainDns,organizationalUnit,container), so it appears in the Delegation Wizard when you run the wizard from the properties of a domain, OU, or container object:

  ;---------------------------------------------------------
  [template14]
  AppliesToClasses=domainDns,organizationalUnit,container
  Description = "Unlock locked user accounts"
  ObjectTypes = user
  [template14.user]
  lockoutTime=RP,WP
  ;---------------------------------------------------------

After adding your template to delegwiz.inf, be sure to add its name (template14 in this example) to the list of available templates, which is stored as a comma-separated string in the Templates variable directly beneath the [DelegationTemplates] section header; a template that isn't in this list doesn't appear in the wizard.

The template syntax in delegwiz.inf lets you combine multiple permissions for different object types in a single template, so you can express most of the roles in your AD delegation model as wizard templates. You still have to apply them manually to the different OUs in your hierarchy, but at least the process becomes less error prone. The syntax is explained in detail in the Microsoft article "How to customize the task list in the Delegation Wizard" (http://support.microsoft.com/?kbid=308404).
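As an added example (not part of the original article and not the wizard's own code), the following PowerShell writes the same ACE that the template14 task above produces, and then checks that the ACE is actually present on the target, which is also a useful verification after running the wizard itself. Like the wizard, it resolves the lockoutTime attribute and the user class to their schemaIDGUID values from the schema instead of hard-coding them. It assumes the RSAT ActiveDirectory module, PowerShell 5 or later (for the ::new() constructor syntax), rights to modify the target's ACL, and uses CONTOSO\BranchAdmins and OU=Branch,DC=contoso,DC=com as placeholders.

```powershell
# Added example, not from the original article: the ACE behind the "Unlock locked user
# accounts" template (lockoutTime=RP,WP on ObjectTypes=user), written and verified
# directly. Assumes the RSAT ActiveDirectory module and PowerShell 5+; the group and OU
# names are placeholders.
Import-Module ActiveDirectory

function Get-SchemaGuid {
    # schemaIDGUID of an attribute or class, looked up by lDAPDisplayName.
    param([Parameter(Mandatory)][string]$LdapDisplayName)
    $schemaNc = (Get-ADRootDSE).schemaNamingContext
    $obj = Get-ADObject -SearchBase $schemaNc -LDAPFilter "(lDAPDisplayName=$LdapDisplayName)" `
        -Properties schemaIDGUID
    if (-not $obj) { throw "Schema object '$LdapDisplayName' not found" }
    [guid][byte[]]$obj.schemaIDGUID
}

$rpwp = [System.DirectoryServices.ActiveDirectoryRights]'ReadProperty, WriteProperty'

function Grant-UnlockDelegation {
    param(
        [Parameter(Mandatory)][string]$Identity,   # 'CONTOSO\BranchAdmins'
        [Parameter(Mandatory)][string]$TargetDn    # domain, OU or container DN
    )
    $sid = ([System.Security.Principal.NTAccount]$Identity).Translate(
        [System.Security.Principal.SecurityIdentifier])
    $lockoutTimeGuid = Get-SchemaGuid -LdapDisplayName 'lockoutTime'
    $userClassGuid   = Get-SchemaGuid -LdapDisplayName 'user'

    # RP,WP on one attribute; Descendents + user class GUID means the ACE is inherited
    # only by user objects below the target, and grants nothing on the target itself.
    $rule = [System.DirectoryServices.ActiveDirectoryAccessRule]::new(
        $sid,
        $rpwp,
        [System.Security.AccessControl.AccessControlType]::Allow,
        $lockoutTimeGuid,
        [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents,
        $userClassGuid)

    $acl = Get-Acl -Path "AD:\$TargetDn"
    $acl.AddAccessRule($rule)
    Set-Acl -Path "AD:\$TargetDn" -AclObject $acl
}

function Test-UnlockDelegation {
    # $true if an Allow ACE for $Identity covers RP+WP on lockoutTime for user objects.
    param(
        [Parameter(Mandatory)][string]$Identity,
        [Parameter(Mandatory)][string]$TargetDn
    )
    $lockoutTimeGuid = Get-SchemaGuid -LdapDisplayName 'lockoutTime'
    $userClassGuid   = Get-SchemaGuid -LdapDisplayName 'user'
    $acl = Get-Acl -Path "AD:\$TargetDn"
    [bool]($acl.Access | Where-Object {
        $_.IdentityReference.Value -eq $Identity -and
        $_.AccessControlType -eq 'Allow' -and
        $_.ObjectType -eq $lockoutTimeGuid -and
        $_.InheritedObjectType -eq $userClassGuid -and
        ($_.ActiveDirectoryRights -band $rpwp) -eq $rpwp
    })
}

Grant-UnlockDelegation -Identity 'CONTOSO\BranchAdmins' -TargetDn 'OU=Branch,DC=contoso,DC=com'
Test-UnlockDelegation  -Identity 'CONTOSO\BranchAdmins' -TargetDn 'OU=Branch,DC=contoso,DC=com'
```

Test-UnlockDelegation is the check to run after applying the template through the wizard: if it returns $false, the usual causes are a template name missing from the Templates list, a typo in the [template14.user] section, or the wizard having been run on a different OU than intended.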

Predefined Windows Server 2003 delegation tasks

Domain
  • Join a computer to the domain
  • Manage group policy links

Site
  • Manage group policy links

OU
  • Create, delete and manage user accounts
  • Reset user passwords and force password change at next logon
  • Read all user information
  • Create, delete and manage groups
  • Modify the membership of a group
  • Manage group policy links
  • Generate Resultant Set of Policy (Planning)
  • Generate Resultant Set of Policy (Logging)
  • Create, delete and manage inetOrgPerson accounts
  • Reset inetOrgPerson passwords and force password change at next logon
  • Read all inetOrgPerson information
