The delegation of administrative tasks is a practical necessity in a Windows 2000 enterprise environment. It is common to delegate authority not only to members of the IT group but to human resources personnel and various managers for tasks related to their duties. Delegation distributes the administrator's workload without granting sweeping privileges to every assistant. This is an expression of the security concept of "principle of least privilege," that is, granting only the permissions necessary for the task.
Through various means, Windows 2000 allows you to delegate to groups or individuals a prescribed degree of control over a limited set of objects. The only prerequisite is that the appropriate delegation elements (users, groups, Group Policy objects, files, directories, and so forth) must be in place before delegation can be performed.
Windows 2000 supports delegation of administrative authority through various features, including those listed in the following sections. (Note that some tasks require domain administrator privileges and cannot be delegated.)
Security Groups, Group Policy, and Access Control Lists
These features are described previously in this chapter, and form the mechanisms for the features described in the following paragraphs.
Built-in Security Groups
Windows 2000 has predefined security groups with special permissions already delegated to each group. Open the Active Directory Users and Computers snap-in to MMC. On the View menu, select Advanced Features. The predefined security groups are in the Builtin and Users folders.
To directly delegate control of one of these groups, open the property sheet of the group and click the Security tab. Add the group's manager to the access control list and check the appropriate privileges.
Delegation of Control Wizard
Open the Active Directory Sites and Services snap-in to MMC. Right-click an organizational unit and select Delegate Control. This wizard sets up user group permissions to administer specific sites and services. An example would be the right to create new remote access accounts.
Delegate Administration Wizard
Open the Active Directory Users and Computers snap-in to MMC. Right-click an organizational unit and select Delegate Control. This wizard sets up user group permissions to administer organizational units containing computers and user groups. An example would be the delegated right to create new user accounts.
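Whether rights are granted through a group's Security tab or through the Delegate Control wizard, they end up as access control entries on the object, and least privilege is only maintained if someone reviews them. The following PowerShell function is an added example, not part of this chapter or of Windows 2000 itself: it lists the explicit, non-default entries on an organizational unit so delegated rights can be audited. It assumes the ActiveDirectory module (a later addition to Windows), and OU=Sales,DC=example,DC=com is a placeholder.

```powershell
# Added example: list the explicit (non-inherited) delegations on an OU,
# leaving out the principals that every OU carries by default.
Import-Module ActiveDirectory

function Get-DelegatedAces {
    param(
        [Parameter(Mandatory)] [string] $DistinguishedName,
        # Principals present on an OU's ACL out of the box; not delegations.
        [string[]] $DefaultPrincipals = @(
            'NT AUTHORITY\SYSTEM', 'NT AUTHORITY\SELF',
            'NT AUTHORITY\Authenticated Users',
            'NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS',
            'BUILTIN\Administrators', 'BUILTIN\Account Operators',
            'BUILTIN\Print Operators',
            'BUILTIN\Pre-Windows 2000 Compatible Access', 'Everyone'
        )
    )
    # The AD: drive exposes directory objects to Get-Acl.
    $acl = Get-Acl -Path ("AD:\" + $DistinguishedName)
    foreach ($ace in $acl.Access) {
        $who = $ace.IdentityReference.Value
        # Inherited entries come from a parent container; review them there.
        if ($ace.IsInherited) { continue }
        if ($DefaultPrincipals -contains $who) { continue }
        # Domain-level admin groups are expected; everything else is a delegation.
        if ($who -like '*\Domain Admins' -or $who -like '*\Enterprise Admins') { continue }
        [pscustomobject]@{
            Principal       = $who
            Type            = $ace.AccessControlType      # Allow or Deny
            Rights          = $ace.ActiveDirectoryRights  # e.g. CreateChild, WriteProperty
            ObjectType      = $ace.ObjectType             # schema GUID; all zeros = any
            InheritedObject = $ace.InheritedObjectType    # class the ACE applies to
            Inheritance     = $ace.InheritanceType
        }
    }
}

# Placeholder OU; substitute one from your own directory.
Get-DelegatedAces -DistinguishedName 'OU=Sales,DC=example,DC=com' | Format-Table -AutoSize
```

Entries whose Rights include GenericAll or WriteDacl on a principal that only needed to create user accounts are the ones that violate the least-privilege intent described above.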
Delegating Control of Group Policy Objects
Delegating administration via Group Policy involves the following three tasks, which can be performed together or separately, as your situation requires:
Managing Group Policy links for a site, domain, or organizational unit.
Creating Group Policy objects.
Editing Group Policy objects.
These tasks are described in more depth in "Defining Client Administration and Configuration Standards" in this book.