JSI Tip 4353. How can I customize the Delegation Wizard?

The Delegation Wizard allows administrators to delegate control of containers and objects to other users by granting Active Directory access permissions.

The wizard is available in Windows 2000 and Windows .NET domain controllers and servers.

The tasks that can be delegated are defined in %SystemRoot%\Inf\Delegwiz.inf.

You can add or delete items from the list of tasks.

To add a task, use the following syntax:

AppliesToClasses=<comma delimited list of object types to which this
                 template applies. If organizationalUnit is in the list,
                 this template will be shown when the Delegation Wizard is invoked on an OU>

Description = "<task description which will appear in the wizard>"

ObjectTypes = <comma delimited list of object types whose permissions
              will be adjusted. Example, "ObjectTypes = SCOPE,Obj1,Obj2,Obj3">

<Permission entries for SCOPE>

<Permission entries for Obj1>

<Permission entries for Obj2>

<Permission entries for Obj3>

The permission entries for the SCOPE object type are used to control the security on the container itself.

Each list of permission entries must contain one or more permission specifiers: 
RP - Read permissions
WP - Write Permissions
CC - Create Child
DC - Delete Child
GA - Generic All (Full Control) 

Permissions can be specified using one of the following four syntaxes: 

@= <permission specifiers> 
Sets a standard ACE on the object. This means all properties of the object will have the permissions set here.

propertyName= <permission specifiers>
Sets the specified permissions on the property with the specified LDAP display name.
This syntax is used when different properties of an object have different permissions.

objectType= <permission specifiers>
Sets the specified permissions on the object with the specified LDAP display name. 
This syntax is used when different objects within the container object have different permissions.

CONTROLRIGHT= <control rights display name> 
Grants the specified Access Control Right to the user for the specified object type.

Template10 Sample

The following template applies to domain and OU container objects,
so it will appear when the Delegation Wizard is run from the properties of Domain or OU objects.
It will apply access changes to itself (SCOPE) and to inetorgperson objects.
The changes it applies to itself are CC (create child) and DC (delete child) access.
The changes it applies to inetorgperson objects within the specified container are GA (full control).

Description = "Create, delete, and manage inetorgperson accounts"

ObjectTypes = SCOPE, inetorgperson
Template11 Sample

The following template applies to domains and OUs and will be displayed when the Delegation Wizard is started from the
property menu of those objects. This instructs the Delegation Wizard to grant the user the "Reset Password" control right,
RP (read permissions), and WP (write permissions) on inetorgperson objects in the container.

Description = "Reset inetorgperson passwords and force password change at next logon"

ObjectTypes = inetorgperson

CONTROLRIGHT= "Reset Password"
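The following is an added example and not part of the original tip: a small Python audit script that parses a Delegwiz.inf written in the syntax described above and reports what a reviewer of a customized file would want to see, namely every entry that grants GA (full control) or a control right, any permission specifier outside the five the tip lists, and any object type named in ObjectTypes without a matching permission section (or the reverse). The embedded file is a constructed sample that fills out the two templates from the Template10 and Template11 samples; the [templateN] / [templateN.<ObjectType>] section headers, the AppliesToClasses value domainDNS,organizationalUnit, and the pwdLastSet=RP,WP property entry are assumptions about how the complete templates are laid out, not text from the tip.

```python
"""Audit a Delegwiz.inf delegation-template file (added example, not from the tip).

Assumption: each task is an INI section [templateN] carrying AppliesToClasses,
Description and ObjectTypes, and the permission entries for each object type
live in a section named [templateN.<ObjectType>]. The tip shows only the
key/value lines, so the section naming is an assumption about the file layout.
"""
import configparser
from dataclasses import dataclass, field

# Permission specifiers listed in the tip; anything else is flagged.
KNOWN_SPECIFIERS = {"RP", "WP", "CC", "DC", "GA"}

# Constructed sample: the two templates the tip describes, filled out with the
# assumed section headers, AppliesToClasses values (domain + OU) and pwdLastSet entry.
SAMPLE_INF = """
[template10]
AppliesToClasses=domainDNS,organizationalUnit
Description = "Create, delete, and manage inetorgperson accounts"
ObjectTypes = SCOPE, inetorgperson

[template10.SCOPE]
inetorgperson=CC,DC

[template10.inetorgperson]
@=GA

[template11]
AppliesToClasses=domainDNS,organizationalUnit
Description = "Reset inetorgperson passwords and force password change at next logon"
ObjectTypes = inetorgperson

[template11.inetorgperson]
CONTROLRIGHT= "Reset Password"
pwdLastSet=RP,WP
"""


@dataclass
class Grant:
    target: str     # "@" (all properties), an LDAP display name, or "CONTROLRIGHT"
    rights: tuple   # permission specifiers, or the control-right name for CONTROLRIGHT


@dataclass
class Template:
    name: str
    description: str
    applies_to: tuple
    object_types: tuple
    grants: dict = field(default_factory=dict)   # object type -> [Grant, ...]


def _csv(value):
    """Split a comma-delimited INF value into trimmed names."""
    return tuple(v.strip() for v in value.split(",") if v.strip())


def _unquote(value):
    return value.strip().strip('"')


def parse_delegwiz(text):
    """Return {template name: Template} for every template section in the file."""
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    cp.optionxform = str   # keep key case: "@", "CONTROLRIGHT", LDAP display names
    cp.read_string(text)
    templates = {}
    for name in cp.sections():
        if "." not in name and "ObjectTypes" in cp[name]:
            sec = cp[name]
            templates[name] = Template(
                name=name,
                description=_unquote(sec.get("Description", "")),
                applies_to=_csv(sec.get("AppliesToClasses", "")),
                object_types=_csv(sec.get("ObjectTypes", "")),
            )
    for name in cp.sections():
        tname, dot, otype = name.partition(".")
        if not dot or tname not in templates:
            continue
        grants = []
        for key, value in cp[name].items():
            if key.upper() == "CONTROLRIGHT":
                grants.append(Grant("CONTROLRIGHT", (_unquote(value),)))
            else:
                grants.append(Grant(key, tuple(r.strip().upper() for r in value.split(","))))
        templates[tname].grants[otype] = grants
    return templates


def audit(templates):
    """List what a reviewer of a customized Delegwiz.inf would want to look at."""
    findings = []
    for t in templates.values():
        for otype in t.object_types:
            if otype not in t.grants:
                findings.append(f"{t.name}: ObjectTypes lists {otype} but there is no [{t.name}.{otype}] section")
        for otype, grants in t.grants.items():
            if otype not in t.object_types:
                findings.append(f"{t.name}: [{t.name}.{otype}] exists but {otype} is not in ObjectTypes")
            for g in grants:
                if g.target == "CONTROLRIGHT":
                    findings.append(f"{t.name}: grants control right '{g.rights[0]}' on {otype}")
                    continue
                unknown = set(g.rights) - KNOWN_SPECIFIERS
                if unknown:
                    findings.append(f"{t.name}: unknown specifier(s) {sorted(unknown)} on {otype}/{g.target}")
                if "GA" in g.rights:
                    findings.append(f"{t.name}: FULL CONTROL (GA) on {otype}/{g.target} ({t.description})")
    return findings


if __name__ == "__main__":
    for line in audit(parse_delegwiz(SAMPLE_INF)):
        print(line)
```

Point parse_delegwiz at the contents of %SystemRoot%\Inf\Delegwiz.inf to review a real file. Because the wizard offers whatever tasks the file contains, a changed Delegwiz.inf on a domain controller is worth watching with file-integrity monitoring, and comparing the parsed output against a known-good copy is the practical check that a new or widened template has not been slipped in.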
