The Delegation Wizard allows administrators to delegate control of containers and objects to other users by granting Active Directory access permissions.
The wizard is available in Windows 2000 and Windows .NET domain controllers and servers.
The tasks that can be delegated are defined in %SystemRoot%\Inf\Delegwiz.inf.
You can add or delete items from the list of tasks.
To add a task, use the following syntax:
```ini
[template(x)]
AppliesToClasses=<comma-delimited list of object types to which this template applies; if organizationalUnit is in the list, this template is shown when the Delegation Wizard is invoked on an OU>
Description = "<task description that will appear in the wizard>"
ObjectTypes = <comma-delimited list of object types whose permissions will be adjusted, for example "ObjectTypes = SCOPE,Obj1,Obj2,Obj3">

[template(x).SCOPE]
<permission entries for SCOPE>

[template(x).Obj1]
<permission entries for Obj1>

[template(x).Obj2]
<permission entries for Obj2>

[template(x).Obj3]
<permission entries for Obj3>
;---------------------------------------------------------
```

The permission entries for the SCOPE object type control the security on the container itself. Each list of permission entries must contain one or more permission specifiers:

- RP - Read permissions
- WP - Write permissions
- CC - Create child
- DC - Delete child
- GA - Generic All (Full Control)

Permissions can be specified using one of the following four syntaxes:

- `@= <permission specifiers>` sets a standard ACE on the object, so all properties of the object receive the permissions set here.
- `propertyName= <permission specifiers>` sets the specified permissions on the property with the specified LDAP display name. Use this syntax when different properties of an object need different permissions.
- `objectType= <permission specifiers>` sets the specified permissions on the object with the specified LDAP display name. Use this syntax when different objects within the container need different permissions.
- `CONTROLRIGHT= <control right display name>` grants the specified access control right to the user for the specified object type.
Template10 Sample
The following template applies to domain and OU container objects, so it appears when the Delegation Wizard is run from the properties of a domain or OU object. It applies access changes to the container itself (SCOPE) and to inetorgperson objects. The changes it applies to the container are CC (create child) and DC (delete child) access for inetorgperson objects. The change it applies to inetorgperson objects within the container is GA (full control).

```ini
;---------------------------------------------------------
[template10]
AppliesToClasses=domainDns,organizationalUnit,container
Description = "Create, delete, and manage inetorgperson accounts"
ObjectTypes = SCOPE, inetorgperson
[template10.SCOPE]
inetorgperson=CC,DC
[template10.inetorgperson]
@=GA
;---------------------------------------------------------
```
Template11 Sample
The following template applies to domains and OUs and is displayed when the Delegation Wizard is started from the property menu of those objects. It instructs the Delegation Wizard to grant the user the "Reset Password" control right, together with RP (read permissions) and WP (write permissions) on the pwdLastSet property, for inetorgperson objects in the container.

```ini
;---------------------------------------------------------
[template11]
AppliesToClasses=domainDns,organizationalUnit,container
Description = "Reset inetorgperson passwords and force password change at next logon"
ObjectTypes = inetorgperson
[template11.inetorgperson]
CONTROLRIGHT= "Reset Password"
pwdLastSet=RP,WP
;----------------------------------------------------------
```
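Because Delegwiz.inf templates are plain text that any administrator can extend, it is worth being able to parse the file and review what each task actually grants before it is offered to operators. The following Python script is an added example, not part of the original page or of Windows; it parses the template syntax described above (section headers, `AppliesToClasses`, `Description`, `ObjectTypes`, and the four permission syntaxes), rejects permission specifiers outside the documented set, and flags templates that grant GA (Full Control). The embedded sample is constructed from the two templates shown on this page; the function names `parse_delegwiz` and `audit_templates` are the example's own.

```python
"""Parse Delegation Wizard templates (Delegwiz.inf) and flag high-impact grants."""
import re

# Permission specifiers documented for Delegwiz.inf templates.
PERMISSION_SPECIFIERS = {
    "RP": "Read permissions",
    "WP": "Write permissions",
    "CC": "Create child",
    "DC": "Delete child",
    "GA": "Generic All (Full Control)",
}

# [templateN] opens a template; [templateN.ObjType] opens its permission section.
SECTION_RE = re.compile(r"^\[(?P<template>[^\].]+)(?:\.(?P<objtype>[^\]]+))?\]$")

# Constructed sample input: the two templates from the documentation page.
SAMPLE_INF = """\
; constructed sample based on template10 and template11
[template10]
AppliesToClasses=domainDns,organizationalUnit,container
Description = "Create, delete, and manage inetorgperson accounts"
ObjectTypes = SCOPE, inetorgperson
[template10.SCOPE]
inetorgperson=CC,DC
[template10.inetorgperson]
@=GA
;---------------------------------------------------------
[template11]
AppliesToClasses=domainDns,organizationalUnit,container
Description = "Reset inetorgperson passwords and force password change at next logon"
ObjectTypes = inetorgperson
[template11.inetorgperson]
CONTROLRIGHT= "Reset Password"
pwdLastSet=RP,WP
"""


def _split_list(value):
    """Split a comma-delimited INF value into trimmed, non-empty items."""
    return [item.strip() for item in value.split(",") if item.strip()]


def parse_delegwiz(text):
    """Return {template: {AppliesToClasses, Description, ObjectTypes, permissions}}.

    permissions maps each object type section to a list of entries, each a dict
    with 'kind' ('standard' for @=, 'named' for property/object names,
    'controlright' for CONTROLRIGHT=), 'target' and 'rights'.
    """
    templates = {}
    current = None  # (template name, object type or None for the header section)
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue  # blank line or ';' comment
        m = SECTION_RE.match(line)
        if m:
            name, objtype = m.group("template"), m.group("objtype")
            templates.setdefault(name, {"AppliesToClasses": [], "Description": "",
                                        "ObjectTypes": [], "permissions": {}})
            if objtype:
                templates[name]["permissions"].setdefault(objtype, [])
            current = (name, objtype)
            continue
        if current is None or "=" not in line:
            raise ValueError(f"unexpected line outside a section: {line!r}")
        key, _, value = line.partition("=")
        key, value = key.strip(), value.strip()
        name, objtype = current
        tmpl = templates[name]
        if objtype is None:  # template header keys
            if key == "AppliesToClasses":
                tmpl["AppliesToClasses"] = _split_list(value)
            elif key == "Description":
                tmpl["Description"] = value.strip('"')
            elif key == "ObjectTypes":
                tmpl["ObjectTypes"] = _split_list(value)
            else:
                raise ValueError(f"unknown key {key!r} in [{name}]")
            continue
        if key.upper() == "CONTROLRIGHT":  # extended right by display name
            entry = {"kind": "controlright", "target": value.strip('"'), "rights": []}
        else:
            rights = [r.upper() for r in _split_list(value)]
            unknown = [r for r in rights if r not in PERMISSION_SPECIFIERS]
            if unknown:
                raise ValueError(f"unknown permission specifier(s) {unknown} in [{name}.{objtype}]")
            entry = {"kind": "standard" if key == "@" else "named", "target": key, "rights": rights}
        tmpl["permissions"][objtype].append(entry)
    return templates


def audit_templates(templates):
    """Return (template, finding) pairs a reviewer should look at before deployment."""
    findings = []
    for name, tmpl in templates.items():
        if not tmpl["Description"]:
            findings.append((name, "missing Description; task would appear unlabelled"))
        for objtype, entries in tmpl["permissions"].items():
            if objtype not in tmpl["ObjectTypes"]:
                findings.append((name, f"section [{name}.{objtype}] is not listed in ObjectTypes"))
            for e in entries:
                if "GA" in e["rights"]:
                    where = "the container itself" if objtype == "SCOPE" else f"{objtype} objects"
                    findings.append((name, f"grants Full Control (GA) via {e['target']}= on {where}"))
    return findings


if __name__ == "__main__":
    parsed = parse_delegwiz(SAMPLE_INF)
    for tmpl, finding in audit_templates(parsed):
        print(f"{tmpl}: {finding}")
```

Running the script against the embedded sample reports only template10, whose `@=GA` entry hands Full Control over every inetorgperson object in the container; template11 grants only the "Reset Password" right and RP/WP on pwdLastSet, which is the narrower grant the wizard task title describes.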