Delegating Administrative Authority Within AD

Last week, I had lunch with four network administrators from small local companies. One subject that came up was applications that require users to have administrative access to run. Almost all the administrators had encountered this situation.

When I asked how they handled it, they replied that they just gave the users who needed to run the application Domain Administrator rights or, if the application runs locally, Local Administrator rights. When I asked them why they didn't use the more granular rights controls that Windows 2000 provides, they gave me blank stares. None of the four administrators were aware that you can assign more granular rights within Active Directory (AD) than you can within the OS.

Just as users have a fixed set of domain-wide or AD-wide rights when their accounts are in the Backup Operators group, users on a Win2K network can be given a fixed set of rights that lets them perform certain tasks in one specific part of the network. Those rights don't carry over to other parts of the network. Small-network administrators rarely need to delegate administrative authority in this granular manner, but I was sure that most small-network administrators would at least be aware of this ability. Apparently, I was wrong, or it was simply a strategy that these administrators had never considered. When pressed, they all admitted to having user accounts in the Backup Operators group and hence were aware that different enterprisewide rights assignments are available to user accounts.

Delegating granular administrative control is simple. Just load the Microsoft Management Console (MMC) Active Directory Users and Computers snap-in and right-click the organizational unit (OU) or domain in which you need to provide the administrative authority. In the context menu, click the Delegate Control option to launch the Delegate Control Wizard. The wizard walks you through the process of delegating administrative control to a specific user or group of users. If you have an otherwise unrelated set of users to whom you want to grant the same administrative authority, it makes sense to create a group for these users before you run the wizard. After you create this group, you can add or remove users from this administrative role simply by changing the users' group membership. If the task you want to delegate isn't in the list of preconfigured administrative tasks, you can create a custom task by clicking "Create a custom task to delegate" and defining the permissions that the custom task should carry. At the end, the wizard summarizes what you've selected and lets you click Finish to create the delegation or Back to edit it.
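The wizard's "Reset user passwords" task, done the same way from the ActiveDirectory PowerShell module, as an added example that is not part of the article. It grants the right to a group (as the text recommends) on one OU only, then reads the OU's ACL back so you can confirm exactly what was delegated. The OU name and group name are placeholders; the two GUIDs are the well-known schema IDs for the user class and the Reset Password extended right.

```powershell
# Added example, not from the article. Requires the RSAT ActiveDirectory module (AD: PSDrive).
Import-Module ActiveDirectory

# Well-known GUIDs, constant across AD forests
$userClassGuid      = [Guid]'bf967aba-0de6-11d0-a285-00aa003049e2'  # schemaIDGUID of the user class
$resetPasswordRight = [Guid]'00299570-246d-11d0-a768-00aa006e0529'  # "Reset Password" control access right

function Grant-PasswordResetOnOU {
    param(
        [Parameter(Mandatory)] [string] $OuDn,      # e.g. 'OU=Helpdesk Users,DC=example,DC=com' (placeholder)
        [Parameter(Mandatory)] [string] $GroupName  # group that receives the delegation (placeholder)
    )
    # Delegate to a group so that later changes are just group-membership edits
    $group = Get-ADGroup -Identity $GroupName
    $sid   = [System.Security.Principal.SecurityIdentifier] $group.SID

    $acl = Get-Acl -Path "AD:\$OuDn"
    # Allow the extended right on descendant user objects only; the OU itself is untouched
    $ace = [System.DirectoryServices.ActiveDirectoryAccessRule]::new(
        $sid,
        [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight,
        [System.Security.AccessControl.AccessControlType]::Allow,
        $resetPasswordRight,
        [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents,
        $userClassGuid
    )
    $acl.AddAccessRule($ace)
    Set-Acl -Path "AD:\$OuDn" -AclObject $acl
}

function Get-DelegatedAces {
    # Explicit (non-inherited) ACEs on the OU: the ones the wizard or this script added
    param([Parameter(Mandatory)] [string] $OuDn)
    (Get-Acl -Path "AD:\$OuDn").Access |
        Where-Object { -not $_.IsInherited } |
        Select-Object IdentityReference, ActiveDirectoryRights, AccessControlType,
                      ObjectType, InheritedObjectType
}

# Usage with placeholder names
$ou = 'OU=Helpdesk Users,DC=example,DC=com'
New-ADGroup -Name 'OU-Helpdesk-PwdReset' -GroupScope Global -Path $ou
Grant-PasswordResetOnOU -OuDn $ou -GroupName 'OU-Helpdesk-PwdReset'
Get-DelegatedAces -OuDn $ou | Format-Table -AutoSize
```

The read-back is the check worth keeping: an ACE whose ObjectType is the Reset Password GUID and whose InheritedObjectType is the user class GUID is the narrow grant, whereas GenericAll with an empty ObjectType means the delegation is far broader than the task name suggests.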

If the authority you need to delegate isn't at the OU or domain level but is instead related to a container object (e.g., site, subnet, service), you can use the MMC Active Directory Sites and Services snap-in's Delegate Control option. After you load this snap-in, right-click the target container object in the display and click the Delegate Control option in the context menu.

Delegating authority through AD is one of the most compelling reasons to implement an AD structure, even if you aren't running a huge enterprise. The ability to give nonadministrators access to rights that they need in specific situations can simplify the job of any network administrator.
