Appendix O: Active Directory Delegation Wizard File

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2

The Delegation of Control Wizard allows you to delegate administrative tasks to users or groups within a specific administrative scope and is primarily used to delegate data administration. This tool is driven by a customizable text file (Delegwiz.inf) and ships with a base set of common administrative tasks.

The list of tasks that can be delegated through the Delegation Wizard is maintained in the Delegwiz.inf file, which is created in the <Windows installation directory>\Inf folder. Administrators can modify this file to add or delete items from the list of tasks that can be delegated.

The Delegwiz.inf file that ships with Windows Server 2003 can be used to delegate about 13 common administrative tasks. This appendix contains an updated version of the file that can be used to delegate more than 70 administrative tasks.

To use this appendix to modify the Delegwiz.inf file

  1. Navigate to the <Windows installation directory>\Inf folder.

  2. Back up the existing Delegwiz.inf file by copying it and renaming it to Delegwiz_backup.inf.

  3. Open Notepad and create a new empty text file.

  4. Copy the following into the text file:

    [Version]
    signature="$CHICAGO$"
    
    [DelegationTemplates]
    
    Templates = template1, template2, template3, template4, template5, template6, template7, template8, template9, template10, template11, template12, template13, template14, template15, template16, template17, template18, template19, template20, template21, template22, template23, template24, template25, template26, template27, template28, template29, template30, template31, template32, template33, template34, template35, template36, template37, template38, template39, template40, template41, template42, template43, template44, template45, template46, template47, template48, template49, template50, template51, template52, template53, template54, template55, template56, template57, template58, template59, template60, template61, template62, template63, template64, template65, template66, template67, template68, template69, template70
    ;---------------------------------------------------------
    [template1]
    AppliesToClasses=domainDNS,organizationalUnit,container
    
    Description = "Create, delete, and manage user accounts"
    
    ObjectTypes = SCOPE, user
    
    [template1.SCOPE]
    user=CC,DC
    
    [template1.user]
    @=GA
    ;---------------------------------------------------------
    
    ;---------------------------------------------------------
    [template2]
    AppliesToClasses=domainDNS,organizationalUnit,container
    
    Description = "Reset user passwords and force password change at next logon"
    
    ObjectTypes = user
    
    [template2.user]
    CONTROLRIGHT= "Reset Password"
    pwdLastSet=RP,WP
    ;----------------------------------------------------------
    
    
    ;----------------------------------------------------------
    [template3]
    AppliesToClasses=domainDNS,organizationalUnit,container
    
    Description = "Read all user information"
    
    ObjectTypes = user
    
    [template3.user]
    @=RP
    
    ;----------------------------------------------------------
    [template4]
    AppliesToClasses = organizationalUnit,container
    
    Description = "Create, delete and manage groups"
    
    ObjectTypes = SCOPE, group
    
    [template4.SCOPE]
    group=CC,DC
    
    [template4.group]
    @=GA
    
    ;----------------------------------------------------------
    
    
    ;----------------------------------------------------------
    [template5]
    AppliesToClasses=domainDNS,organizationalUnit,container
    
    Description = "Modify the membership of a group"
    
    ObjectTypes = group
    
    [template5.group]
    member=RP,WP
    ;----------------------------------------------------------
    
    
    ;----------------------------------------------------------
    [template6]
    AppliesToClasses = domainDNS
    
    Description = "Join a computer to the domain"
    
    ObjectTypes = SCOPE
    
    [template6.SCOPE]
    computer=CC
    ;----------------------------------------------------------
    
    
    
    ;----------------------------------------------------------
    [template7]
    AppliesToClasses = domainDNS,organizationalUnit,site
    
    Description = "Manage Group Policy links"
    
    ObjectTypes = SCOPE
    
    [template7.SCOPE]
    gPLink=RP,WP
    gPOptions=RP,WP
    ;----------------------------------------------------------
    
    ;---------------------------------------------------------
    [template8]
    AppliesToClasses=domainDNS,organizationalUnit
    
    Description = "Generate Resultant Set of Policy (Planning)"
    
    ObjectTypes = SCOPE
    
    [template8.SCOPE]
    CONTROLRIGHT= "Generate Resultant Set of Policy (Planning)"
    ;----------------------------------------------------------
    
    ;---------------------------------------------------------
    [template9]
    AppliesToClasses=domainDNS,organizationalUnit
    
    Description = "Generate Resultant Set of Policy (Logging)"
    
    ObjectTypes = SCOPE
    
    [template9.SCOPE]
    CONTROLRIGHT= "Generate Resultant Set of Policy (Logging)"
    ;----------------------------------------------------------
    
    ;---------------------------------------------------------
    [template10]
    AppliesToClasses=domainDNS,organizationalUnit,container
    
    Description = "Create, delete, and manage inetOrgPerson accounts"
    
    ObjectTypes = SCOPE, inetOrgPerson
    
    [template10.SCOPE]
    inetOrgPerson=CC,DC
    
    [template10.inetOrgPerson]
    @=GA
    ;---------------------------------------------------------
    
    
    
    ;---------------------------------------------------------
    [template11]
    AppliesToClasses=domainDNS,organizationalUnit,container
    
    Description = "Reset inetOrgPerson passwords and force password change at next logon"
    
    ObjectTypes = inetOrgPerson
    
    [template11.inetOrgPerson]
    CONTROLRIGHT= "Reset Password"
    pwdLastSet=RP,WP
    ;----------------------------------------------------------
    
    
    ;----------------------------------------------------------
    [template12]
    AppliesToClasses=domainDNS,organizationalUnit,container
    
    Description = "Read all inetOrgPerson information"
    
    ObjectTypes = inetOrgPerson
    
    [template12.inetOrgPerson]
    @=RP
    
    ;----------------------------------------------------------
    
    ;---------------------------------------------------------
    [template13]
    AppliesToClasses=container
    
    Description = "Create, Delete, and Manage WMI Filters"
    
    ObjectTypes = SCOPE, msWMI-Som
    
    [template13.SCOPE]
    msWMI-Som=CC,DC
    
    [template13.msWMI-Som]
    @=GA
    ;----------------------------------------------------------
    
    ;---------------------------------------------------------
    [template14]
    AppliesToClasses=domainDNS,organizationalUnit
    
    Description = "Create an Organizational Unit"
    
    ObjectTypes = SCOPE
    
    [template14.SCOPE]
    organizationalUnit=CC
    ;----------------------------------------------------------
    
    ;---------------------------------------------------------
    [template15]
    AppliesToClasses=domainDNS,organizationalUnit
    
    Description = "Delete a child Organizational Unit"
    
    ObjectTypes = SCOPE
    
    [template15.SCOPE]
    organizationalUnit=DC
    ;----------------------------------------------------------
    
    ;---------------------------------------------------------
    [template16]
    AppliesToClasses=organizationalUnit
    
    Description = "Delete this Organizational Unit"
    
    ObjectTypes = organizationalUnit
    
    [template16.organizationalUnit]
    @=SD
    ;----------------------------------------------------------
    
    ;---------------------------------------------------------
    [template17]
    AppliesToClasses=domainDNS,organizationalUnit,container
    
    Description = "Rename an Organizational Unit"
    
    ObjectTypes = organizationalUnit
    
    [template17.organizationalUnit]
    ou=WP
    name=WP
    ;----------------------------------------------------------
    
    ;---------------------------------------------------------
    [template18]
    AppliesToClasses=domainDNS,organizationalUnit,container
    
    Description = "Modify Description of an Organizational Unit"
    
    ObjectTypes = organizationalUnit
    
    [template18.organizationalUnit]
    description=WP
    ;----------------------------------------------------------
    
    ;---------------------------------------------------------
    [template19]
    AppliesToClasses=domainDNS,organizationalUnit,container
    
    Description = "Modify Managed-By Information of an Organizational Unit"
    
    ObjectTypes = organizationalUnit
    
    [template19.organizationalUnit]
    managedBy=WP
    ;----------------------------------------------------------
    
    ;---------------------------------------------------------
    [template20]
    AppliesToClasses=domainDNS,organizationalUnit,container
    
    Description = "Delegate Control of an Organizational Unit"
    
    ObjectTypes = organizationalUnit
    
    [template20.organizationalUnit]
    @=WD
    ;----------------------------------------------------------
    
    ;---------------------------------------------------------
    [template21]
    AppliesToClasses=domainDNS,organizationalUnit,container
    
    Description = "Create a group"
    
    ObjectTypes = SCOPE
    
    [template21.SCOPE]
    group=CC
    ;----------------------------------------------------------
    
    ;---------------------------------------------------------
    [template22]
    AppliesToClasses=domainDNS,organizationalUnit,container
    
    Description = "Delete a child group"
    
    ObjectTypes = SCOPE
    
    [template22.SCOPE]
    group=DC
    ;----------------------------------------------------------
    
    ;---------------------------------------------------------
    [template23]
    AppliesToClasses=domainDNS,organizationalUnit,container
    
    Description = "Delete this group"
    
    ObjectTypes = group
    
    [template23.group]
    @=SD
    ;----------------------------------------------------------
    
    ;---------------------------------------------------------
    [template24]
    AppliesToClasses=domainDNS,organizationalUnit,container
    
    Description = "Rename a group"
    
    ObjectTypes = group
    
    [template24.group]
    cn=WP
    name=WP
    ;----------------------------------------------------------
    
    ;---------------------------------------------------------
    [template25]
    AppliesToClasses=domainDNS,organizationalUnit,container
    
    Description = "Specify the Pre-Windows 2000 compatible name for the group"
    
    ObjectTypes = group
    
    [template25.group]
    sAMAccountName=WP
    ;----------------------------------------------------------
    
    
    ;---------------------------------------------------------
    [template26]
    AppliesToClasses=domainDNS,organizationalUnit,container
    
    Description = "Modify the description of a group"
    
    ObjectTypes = group
    
    [template26.group]
    description=WP
    ;----------------------------------------------------------
    
    ;---------------------------------------------------------
    [template27]
    AppliesToClasses=domainDNS,organizationalUnit,container
    
    Description = "Modify the scope of the group"
    
    ObjectTypes = group
    
    [template27.group]
    groupType=WP
    ;----------------------------------------------------------
    
    ;---------------------------------------------------------
    [template28]
    AppliesToClasses=domainDNS,organizationalUnit,container
    
    Description = "Modify the type of the group"
    
    ObjectTypes = group
    
    [template28.group]
    groupType=WP
    ;----------------------------------------------------------
    
    ;---------------------------------------------------------
    [template29]
    AppliesToClasses=domainDNS,organizationalUnit,container
    
    Description = "Modify notes for a group"
    
    ObjectTypes = group
    
    [template29.group]
    info=WP
    ;----------------------------------------------------------
    
    ;---------------------------------------------------------
    [template30]
    AppliesToClasses=domainDNS,organizationalUnit,container
    
    Description = "Modify group membership"
    
    ObjectTypes = group
    
    [template30.group]
    member=WP
    ;----------------------------------------------------------
    
    ;---------------------------------------------------------
    [template31]
    AppliesToClasses=domainDNS,organizationalUnit,container
    
    Description = "Specify Managed-By Information of a Group"
    
    ObjectTypes = group
    
    [template31.group]
    managedBy=WP
    ;----------------------------------------------------------
    
    ;---------------------------------------------------------
    [template32]
    AppliesToClasses=domainDNS,organizationalUnit,container
    
    Description = "Create a computer account"
    
    ObjectTypes = SCOPE
    
    [template32.SCOPE]
    computer=CC
    ;----------------------------------------------------------
    
    ;---------------------------------------------------------
    [template33]
    AppliesToClasses=domainDNS,organizationalUnit,container
    
    Description = "Delete a child computer account"
    
    ObjectTypes = SCOPE
    
    [template33.SCOPE]
    computer=DC
    ;----------------------------------------------------------
    
    ;---------------------------------------------------------
    [template34]
    AppliesToClasses=domainDNS,organizationalUnit,container
    
    Description = "Delete this computer account"
    
    ObjectTypes = computer
    
    [template34.computer]
    @=SD
    ;----------------------------------------------------------
    
    ;---------------------------------------------------------
    [template35]
    AppliesToClasses=domainDNS,organizationalUnit,container
    
    Description = "Rename a computer account"
    
    ObjectTypes = computer
    
    [template35.computer]
    @=WP
    ;----------------------------------------------------------
    
    ;---------------------------------------------------------
    [template36]
    AppliesToClasses=domainDNS,organizationalUnit,container
    
    Description = "Disable a computer account"
    
    ObjectTypes = computer
    
    [template36.computer]
    userAccountControl=WP
    ;----------------------------------------------------------
    
    ;---------------------------------------------------------
    [template37]
    AppliesToClasses=domainDNS,organizationalUnit,container
    
    Description = "Reset a computer account"
    
    ObjectTypes = computer
    
    [template37.computer]
    CONTROLRIGHT= "Reset Password"
    ;----------------------------------------------------------
    
    ;---------------------------------------------------------
    [template38]
    AppliesToClasses=domainDNS,organizationalUnit,container
    
    Description = "Specify the computer's description"
    
    ObjectTypes = computer
    
    [template38.computer]
    description=WP
    ;----------------------------------------------------------
    
    ;---------------------------------------------------------
    [template39]
    AppliesToClasses=domainDNS,organizationalUnit,container
    
    Description = "Specify Managed-By information for a computer account"
    
    ObjectTypes = computer
    
    [template39.computer]
    managedBy=WP
    ;----------------------------------------------------------
    
    ;---------------------------------------------------------
    [template40]
    AppliesToClasses=domainDNS,organizationalUnit,container
    
    Description = "Specify that a computer account be trusted for delegation"
    
    ObjectTypes = computer
    
    [template40.computer]
    userAccountControl=WP
    ;----------------------------------------------------------
    
    ;---------------------------------------------------------
    [template41]
    AppliesToClasses=domainDNS,organizationalUnit,container
    
    Description = "Create a user account in disabled state"
    
    ObjectTypes = SCOPE
    
    [template41.SCOPE]
    user=CC
    ;----------------------------------------------------------
    
    ;---------------------------------------------------------
    [template42]
    AppliesToClasses=domainDNS,organizationalUnit,container
    
    Description = "Create a user account"
    
    ObjectTypes = SCOPE , user
    
    [template42.SCOPE]
    user=CC
    
    [template42.user]
    userAccountControl=WP
    CONTROLRIGHT= "Reset Password"
    ;----------------------------------------------------------
    
    ;---------------------------------------------------------
    [template43]
    AppliesToClasses=domainDNS,organizationalUnit,container
    
    Description = "Delete a child user account"
    
    ObjectTypes = SCOPE
    
    [template43.SCOPE]
    user=DC
    ;----------------------------------------------------------
    
    ;---------------------------------------------------------
    [template44]
    AppliesToClasses=domainDNS,organizationalUnit,container
    
    Description = "Delete this user account"
    
    ObjectTypes = user
    
    [template44.user]
    @=SD
    ;----------------------------------------------------------
    
    ;---------------------------------------------------------
    [template45]
    AppliesToClasses=domainDNS,organizationalUnit,container
    
    Description = "Rename a user account"
    
    ObjectTypes = user
    
    [template45.user]
    cn=WP
    name=WP
    distinguishedName=WP
    ;----------------------------------------------------------
    
    ;---------------------------------------------------------
    [template46]
    AppliesToClasses=domainDNS,organizationalUnit,container
    
    Description = "Disable a user account"
    
    ObjectTypes = user
    
    [template46.user]
    userAccountControl=WP
    ;----------------------------------------------------------
    
    ;---------------------------------------------------------
    [template47]
    AppliesToClasses=domainDNS,organizationalUnit,container
    
    Description = "Unlock a user account"
    
    ObjectTypes = user
    
    [template47.user]
    lockoutTime=WP
    ;----------------------------------------------------------
    
    ;---------------------------------------------------------
    [template48]
    AppliesToClasses=domainDNS,organizationalUnit,container
    
    Description = "Enable a disabled user account"
    
    ObjectTypes = user
    
    [template48.user]
    userAccountControl=WP
    ;----------------------------------------------------------
    
    
    ;---------------------------------------------------------
    [template49]
    AppliesToClasses=domainDNS,organizationalUnit,container
    
    Description = "Reset a user account's password"
    
    ObjectTypes = user
    
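    [template49.user]
    ; Resetting a password requires the "Reset Password" control right (as in template2).
    ; "Change Password" only allows a change by someone who knows the current password.
    CONTROLRIGHT= "Reset Password"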
    ;----------------------------------------------------------
    
    ;---------------------------------------------------------
    [template50]
    AppliesToClasses=domainDNS,organizationalUnit,container
    
    Description = "Force a user account to change the password at the next logon"
    
    ObjectTypes = user
    
    [template50.user]
    CONTROLRIGHT= "Reset Password"
    ; The "must change password at next logon" state is held in pwdLastSet (as in template2).
    pwdLastSet=RP,WP
    ;----------------------------------------------------------
    
    ;---------------------------------------------------------
    [template51]
    AppliesToClasses=domainDNS,organizationalUnit,container
    
    Description = "Modify a user's display name"
    
    ObjectTypes = user
    
    [template51.user]
    adminDisplayName=WP
    ;----------------------------------------------------------
    
    ;---------------------------------------------------------
    [template52]
    AppliesToClasses=domainDNS,organizationalUnit,container
    
    Description = "Modify a user account's description"
    
    ObjectTypes = user
    
    [template52.user]
    description=WP
    ;----------------------------------------------------------
    
    ;---------------------------------------------------------
    [template53]
    AppliesToClasses=domainDNS,organizationalUnit,container
    
    Description = "Modify a user's office location"
    
    ObjectTypes = user
    
    [template53.user]
    physicalDeliveryOfficeName=WP
    ;----------------------------------------------------------
    
    ;---------------------------------------------------------
    [template54]
    AppliesToClasses=domainDNS,organizationalUnit,container
    
    Description = "Modify a user's telephone number"
    
    ObjectTypes = user
    
    [template54.user]
    telephoneNumber=WP
    ;----------------------------------------------------------
    
    ;---------------------------------------------------------
    [template55]
    AppliesToClasses=domainDNS,organizationalUnit,container
    
    Description = "Modify the location of a user's primary web page"
    
    ObjectTypes = user
    
    [template55.user]
    wWWHomePage=WP
    ;----------------------------------------------------------
    
    ;---------------------------------------------------------
    [template56]
    AppliesToClasses=domainDNS,organizationalUnit,container
    
    Description = "Modify a user's UPN"
    
    ObjectTypes = user
    
    [template56.user]
    userPrincipalName=WP
    ;----------------------------------------------------------
    
    ;---------------------------------------------------------
    [template57]
    AppliesToClasses=domainDNS,organizationalUnit,container
    
    Description = "Modify a user's Pre-Windows 2000 user logon name"
    
    ObjectTypes = user
    
    [template57.user]
    sAMAccountName=WP
    ;----------------------------------------------------------
    
    ;---------------------------------------------------------
    [template58]
    AppliesToClasses=domainDNS,organizationalUnit,container
    
    Description = "Modify the hours during which a user can log on"
    
    ObjectTypes = user
    
    [template58.user]
    logonHours=WP
    ;----------------------------------------------------------
    
    ;---------------------------------------------------------
    [template59]
    AppliesToClasses=domainDNS,organizationalUnit,container
    
    Description = "Specify the computers from which a user can log on"
    
    ObjectTypes = user
    
    [template59.user]
    userWorkstations=WP
    ;----------------------------------------------------------
    
    ;---------------------------------------------------------
    ;[template60]
    ;AppliesToClasses=domainDNS,organizationalUnit,container
    
    ;Description = "Set User cannot change password for a user account"
    
    ;ObjectTypes = user
    
    ;[template60.user]
    
    ;CONTROLRIGHT= "Change Password"
    ;----------------------------------------------------------
    
    ;---------------------------------------------------------
    [template61]
    AppliesToClasses=domainDNS,organizationalUnit,container
    
    Description = "Set Password Never Expires for a user account"
    
    ObjectTypes = user
    
    [template61.user]
    userAccountControl=WP
    ;----------------------------------------------------------
    
    ;---------------------------------------------------------
    [template62]
    AppliesToClasses=domainDNS,organizationalUnit,container
    
    Description = "Set Store Password Using Reversible Encryption for a user account"
    
    ObjectTypes = user
    
    [template62.user]
    userAccountControl=WP
    ;----------------------------------------------------------
    
    ;---------------------------------------------------------
    [template63]
    AppliesToClasses=domainDNS,organizationalUnit,container
    
    Description = "Disable a user account"
    
    ObjectTypes = user
    
    [template63.user]
    userAccountControl=WP
    ;----------------------------------------------------------
    
    ;---------------------------------------------------------
    [template64]
    AppliesToClasses=domainDNS,organizationalUnit,container
    
    Description = "Set Smart card is required for interactive logon for a user account"
    
    ObjectTypes = user
    
    [template64.user]
    userAccountControl=WP
    ;----------------------------------------------------------
    
    ;---------------------------------------------------------
    [template65]
    AppliesToClasses=domainDNS,organizationalUnit,container
    
    Description = "Set Account is sensitive and cannot be delegated for a user account"
    
    ObjectTypes = user
    
    [template65.user]
    userAccountControl=WP
    ;----------------------------------------------------------
    
    ;---------------------------------------------------------
    [template66]
    AppliesToClasses=domainDNS,organizationalUnit,container
    
    Description = "Set Use DES encryption types for this account for a user account"
    
    ObjectTypes = user
    
    [template66.user]
    userAccountControl=WP
    ;----------------------------------------------------------
    
    ;---------------------------------------------------------
    [template67]
    AppliesToClasses=domainDNS,organizationalUnit,container
    
    Description = "Set Do not require Kerberos pre-authentication for a user account"
    
    ObjectTypes = user
    
    [template67.user]
    userAccountControl=WP
    ;----------------------------------------------------------
    
    ;---------------------------------------------------------
    [template68]
    AppliesToClasses=domainDNS,organizationalUnit,container
    
    Description = "Specify the date when a user account expires"
    
    ObjectTypes = user
    
    [template68.user]
    accountExpires=WP
    ;----------------------------------------------------------
    
    ;---------------------------------------------------------
    [template69]
    AppliesToClasses=domainDNS,organizationalUnit,container
    
    Description = "Specify a profile path for a user"
    
    ObjectTypes = user
    
    [template69.user]
    profilePath=WP
    ;----------------------------------------------------------
    
    
    ;---------------------------------------------------------
    [template70]
    AppliesToClasses=domainDNS,organizationalUnit,container
    
    Description = "Specify a logon script for a user"
    
    ObjectTypes = user
    
    [template70.user]
    scriptPath=WP
    ;----------------------------------------------------------
    
  5. Save the text file as delegwiz.inf in the <Windows installation directory>\Inf folder.

    The Delegation Wizard will now allow you to delegate more than 70 data management administrative tasks.

    Note

    For more information about modifying Delegwiz.inf, see article 308404, “HOW TO: Customize the Task List in the Delegation Wizard,” in the Microsoft Knowledge Base on the Web at https://go.microsoft.com/fwlink/?LinkId=3202.
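Before saving a customized Delegwiz.inf, it helps to check which templates hand out broad rights and whether every listed template actually has a section. The following is an added example, not part of the original appendix or any Microsoft tool: the function names, the review policy (which rights count as broad), and the reading of `@` as "the object itself or all of its properties" are assumptions of this example.

```python
import re

# Review policy: an assumption of this example, not something Delegwiz.inf defines.
BROAD_RIGHTS = {"GA": "full control", "WD": "write DACL (change permissions)"}
SENSITIVE_WRITE = {"@": "all properties", "userAccountControl": "account flags",
                   "member": "group membership"}
SENSITIVE_CONTROL = {"Reset Password"}

def parse_inf(text):
    """Return {lowercased section: [(key, value), ...]}; ';' lines are skipped."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            current = sections.setdefault(header.group(1).strip().lower(), [])
        elif current is not None and "=" in line:
            key, value = line.split("=", 1)
            current.append((key.strip(), value.strip().strip('"')))
    return sections

def split_list(value):
    return [item.strip() for item in value.split(",") if item.strip()]

def audit(text):
    """Return [(template, finding), ...] in the order of the Templates list."""
    sections = parse_inf(text)
    listed = []
    for key, value in sections.get("delegationtemplates", []):
        if key.lower() == "templates":
            listed += split_list(value)
    findings = []
    for name in listed:
        if name.lower() not in sections:
            findings.append((name, "listed in Templates but has no section"))
            continue
        body = {k.lower(): v for k, v in sections[name.lower()]}
        for obj in split_list(body.get("objecttypes", "")):
            sub = f"{name}.{obj}"
            if sub.lower() not in sections:
                findings.append((name, f"ObjectTypes names {obj} but [{sub}] is missing"))
                continue
            for key, value in sections[sub.lower()]:
                if key.upper() == "CONTROLRIGHT":
                    if value in SENSITIVE_CONTROL:
                        findings.append((name, f"{obj}: control right {value}"))
                    continue
                rights = {r.upper() for r in split_list(value)}
                for code in sorted(rights & BROAD_RIGHTS.keys()):
                    findings.append((name, f"{obj}: {code} = {BROAD_RIGHTS[code]}"))
                if "WP" in rights and key in SENSITIVE_WRITE:
                    findings.append((name, f"{obj}: write {SENSITIVE_WRITE[key]}"))
    return findings

# Constructed sample: templates trimmed from the file above; template60 is listed
# but commented out, as it is in the appendix.
SAMPLE = r'''[DelegationTemplates]
Templates = template1, template20, template40, template54, template60
[template1]
ObjectTypes = SCOPE, user
[template1.SCOPE]
user=CC,DC
[template1.user]
@=GA
[template20]
ObjectTypes = organizationalUnit
[template20.organizationalUnit]
@=WD
[template40]
ObjectTypes = computer
[template40.computer]
userAccountControl=WP
[template54]
ObjectTypes = user
[template54.user]
telephoneNumber=WP
;[template60]
;CONTROLRIGHT= "Change Password"
'''

if __name__ == "__main__":
    for template, finding in audit(SAMPLE):
        print(f"{template}: {finding}")
```

To review a real file, pass its contents to `audit()` in place of `SAMPLE`; a template with no findings (such as template54 here) grants only narrowly scoped writes under this policy.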