Chapter 18 - Delegation of Control Wizard

Abstract

One of the advantages of Active Directory (AD) is that everything in the directory database is treated as an independent object. An administrator can assign rights to each object, including permissions to modify or add new objects to other users on the network. The delegation of control wizard allows the granular control of the delegation of users, groups, computers, organizational units, and other objects within Active Directory. It is no longer required to give administrator privileges to those users who do not need all of the power associated with “normal” administrator rights. Using the wizard, one can delegate to users, groups, or computers. After selecting who to delegate the control to, one must decide what permissions are to be given to them. Common tasks or custom tasks may be selected. If common tasks are selected, the wizard will make the appropriate changes and the wizard finishes. If custom tasks are selected, there will be two choices: select the entire folder, or select one or more objects in the folder to delegate. No matter whether the entire folder is selected or only certain objects from the folder are selected, the permissions to delegate must also be selected. The Permissions page shows three categories of permissions: general, property-specific, and creation/deletion of specific child objects. The permissions shown will vary based on the choice picked and the object(s) that have been selected.