Updated: January 21, 2005
Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2
By delegating administration, you can assign a range of administrative tasks to the appropriate users and groups. You can assign basic administrative tasks to regular users or groups, and leave domain-wide and forest-wide administration to members of the Domain Admins and Enterprise Admins groups. By delegating administration, you can allow groups within your organization to take more control of their local network resources. You also help secure your network from accidental or malicious damage by limiting the membership of administrator groups.
You can delegate administrative control to any level of a domain tree by creating organizational units within a domain and delegating administrative control for specific organizational units to particular users or groups.
To decide what organizational units you want to create, and which organizational units should contain accounts or shared resources, consider the structure of your organization.
For example, you might want to create an organizational unit that enables you to assign a user the administrative control for all user and computer accounts in all branches of a department, such as Human Resources. Or, you might want to assign a user administrative control only to some resources within a department, for example, computer accounts. Another possible delegation of administrative control would be to assign a user the administrative control for the Human Resources organizational unit, but not any organizational units contained within the Human Resources organizational unit.
Active Directory defines specific permissions and user rights that can be used for the purposes of delegating or restricting administrative control. Using a combination of organizational units, groups, and permissions, you can define the most appropriate administrative scope for a particular person, which could be an entire domain, all organizational units within a domain, or a single organizational unit.
Administrative control can be assigned to a user or group by using the Delegation of Control Wizard or through the Authorization Manager console. Both of these tools allow you to assign rights or permissions to particular users or groups.
For example, a user can be given permissions to modify the Owner Of Accounts property, without being assigned the permissions to delete accounts in that organizational unit. The Delegation of Control Wizard, as its name suggests, allows you to delegate administrative tasks using a wizard that steps you through the entire process. The Authorization Manager is a Microsoft Management Console (MMC) console that also allows you to delegate administration. The Authorization Manager provides greater flexibility than the Delegation of Control Wizard, at the cost of greater complexity.
For more information about using the Delegation of Control Wizard, see To delegate control. For more information about using Authorization Manager, see Authorization Manager.
Delegating administration safely
Delegate administration carefully and document all your delegated assignments. Before you delegate any tasks, ensure adequate training for users who will be assigned administrative control of objects. To review Active Directory security concepts, including permissions and inheritance, see Access control in Active Directory.
For more information about delegating administration safely, see Designing the Active Directory Logical Structure.
Customizing MMC consoles for specific groups
You can use Microsoft Management Console (MMC) options to create a limited-use version of a snap-in such as Active Directory Users and Computers. This allows administrators to control the options available to groups to whom you have delegated administrative responsibilities by restricting access to operations and areas within that customized console.
For example, suppose you delegate the Manage Printers right to the PrintManagers group in the Manufacturing organizational unit. To simplify administration, you can create a custom console for use by members of the PrintManagers group containing only the Manufacturing organizational unit and restrict the scope of the console using the console modes.
This type of delegation is also enhanced by the Group Policy settings available for MMC. These settings enable the administrator to establish which MMC snap-ins can be run by a particular user. The settings can be inclusive, allowing a set of snap-ins to run, or exclusive, restricting the set of snap-ins to run.
For more information about Group Policy settings for MMC, see Setting Group Policy in MMC.
Using Group Policy to publish and assign customized consoles
Using Group Policy, you can distribute a customized console to specific groups in one of two modes: publishing or assigning. Publishing a customized console advertises the console to the members of a group specified in the Group Policy setting by adding the console to the list of available programs in Add or Remove Programs. The next time the members of the group open Add or Remove Programs they have the option to install the new console. Assigning (as opposed to publishing) a console forces the console to be automatically installed for all specified accounts.
To publish or assign a console, create or modify a Group Policy object and then apply it to the appropriate group of users. Then, use the Software Installation extension of the Group Policy snap-in to either publish or assign the console.
For more information, see Group Policy (pre-GPMC).
The console must be packaged before using the Software Installation snap-in. You can use a tool such as Windows Installer to package the customized console. Once this has been accomplished you can configure the Software Installation snap-in to publish or assign the newly created package. For more information about how to package an application, see Using the Windows Deployment and Resource Kits.
If the customized console you are packaging uses a snap-in that is not installed on the destination workstation or server for the published or assigned user, you will need to include the snap-in file and the registration of the file in the package. You can either create a separate package that contains the snap-in or add the snap-in during the creation of the customized console package so that it will be properly installed on the computer every time a user installs the console package.
If a user is logged on to their computer at the time that a Group Policy object is applied to their account, the user will not see the published or assigned console until they log off and then log on again.
For more information about other Active Directory security issues, see Security overview.