Delegation and Security Issues
You have two methods for transferring administrative permissions to selected users: you can use the Delegation of Control Wizard, or you can add access control entries (ACEs) to the discretionary access control lists (DACLs) of individual OUs. The Delegation of Control Wizard appears to be easier to use (although this is rather subjective). The wizard takes you step by step through the delegation process, whereas manual configuration is more susceptible to human error and may take more time.
To delegate permissions using the Delegation of Control Wizard, take the following steps:
1. Open the Active Directory Users and Computers snap-in.
2. In the console tree, expand your domain and right-click the OU to which you want to delegate permissions.
3. Select Delegate Control from the context menu.
4. The Delegation of Control Wizard will appear and take you through the rest of the process.
When working with the wizard, be prepared to answer questions about who you want to delegate permissions to (user or group) and which groups of permissions, or selective permissions, you wish to delegate. It is common practice to document your changes, because it may be difficult to track them after the fact. Figure 5-7 shows the step of the wizard where you have to select permissions for the users (we selected tasks that would be typically delegated to the help desk security group).
FIGURE 5-7
Delegating permissions using the Delegation of Control Wizard
[Screenshot: the "Tasks to Delegate" page of the Delegation of Control Wizard ("You can select common tasks or customize your own."). Under "Delegate the following common tasks" it lists: Create, delete, and manage user accounts; Reset user passwords and force password change at next logon; Read all user information; Modify the membership of a group; Join a computer to the domain; Manage Group Policy links; Generate Resultant Set of Policy (Planning). The other option on the page is "Create a custom task to delegate".]
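Because delegated permissions are difficult to track after the fact, one way to document them is to read the OU's DACL back and list the ACEs that were set directly on it, whether by the wizard or by hand. The following PowerShell is an added example, not part of the original text; it assumes the ActiveDirectory module (RSAT) is installed, and the OU name OU=Staff,DC=example,DC=com is a placeholder.

```powershell
# Added example: list the explicit (non-inherited) ACEs on one OU so that
# delegated permissions can be documented and reviewed.
Import-Module ActiveDirectory

# Assumption: placeholder distinguished name; replace with the OU you delegated.
$ouDn = 'OU=Staff,DC=example,DC=com'

# Build a GUID -> name map so the ObjectType values in ACEs are readable.
$rootDse = Get-ADRootDSE
$guidMap = @{}
$guidMap[[guid]::Empty] = 'All'

# Schema classes and attributes (for example "user", "member").
Get-ADObject -SearchBase $rootDse.schemaNamingContext `
    -LDAPFilter '(schemaIDGUID=*)' -Properties lDAPDisplayName, schemaIDGUID |
    ForEach-Object { $guidMap[[guid]$_.schemaIDGUID] = $_.lDAPDisplayName }

# Extended rights (for example "Reset Password").
Get-ADObject -SearchBase "CN=Extended-Rights,$($rootDse.configurationNamingContext)" `
    -LDAPFilter '(objectClass=controlAccessRight)' -Properties name, rightsGuid |
    ForEach-Object { $guidMap[[guid]$_.rightsGuid] = $_.name }

# Return the friendly name for a GUID, or the GUID itself if it is unknown.
function Resolve-Guid([guid]$Guid) {
    if ($guidMap.ContainsKey($Guid)) { $guidMap[$Guid] } else { $Guid.ToString() }
}

# The AD: drive is provided by the ActiveDirectory module.
# IsInherited = $false keeps only ACEs set on this OU itself.
$report = (Get-Acl -Path "AD:\$ouDn").Access |
    Where-Object { -not $_.IsInherited } |
    Select-Object @{n='Trustee';   e={ $_.IdentityReference.Value }},
                  @{n='Type';      e={ $_.AccessControlType }},
                  @{n='Rights';    e={ $_.ActiveDirectoryRights }},
                  @{n='Object';    e={ Resolve-Guid $_.ObjectType }},
                  @{n='AppliesTo'; e={ Resolve-Guid $_.InheritedObjectType }},
                  @{n='Scope';     e={ $_.InheritanceType }}

$report | Sort-Object Trustee, Object | Format-Table -AutoSize

# Keep a dated copy as the change record for this OU.
$report | Export-Csv -Path ".\ou-delegation-$(Get-Date -Format yyyyMMdd).csv" -NoTypeInformation
```

Running this before and after a delegation change and comparing the two CSV files shows exactly which ACEs the change added.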