Active Directory management in complex environments relies on the concept of delegation. In AD, it is easy to delegate management activities. Delegations can be performed at several levels: sites, organizational units, or even entire domains.
TIP
Delegation is mostly done with organizational units. Sites and domains should rarely be delegated.Delegation is performed through the Delegation of Control Wizard. In addition to the delegation of control, you often have to create custom consoles to give delegated administrators access to the objects you have delegated to them. If the console is based on a particular snap-in, you will also have to make sure it is installed on the user’s computer before they can use the custom console.
SECURITY SCAN You can also perform some degreeof delegation through the use of Windows Server’s built-in groups. Windows Server includes special groups for Account, Backup, Network Configuration, Group Policy, DNS, Print, and Server administration as well as Performance Monitoring, Certificate Publishing, and Help Services management. These groups should be used in conjunction with the AD Delegation Wizard to delegate operations in AD. To delegate rights in Active Directory:
1.Begin by launching theActive Directory Users and Computersportion of the Global MMC.
2.Locate the object you want to delegate and right-click on it to selectDelegate Controlfrom the context menu. This launches the Delegation of Control Wizard. ClickNext.
3.Click theAddbutton to select the groups you want to delegate to. Type the name of the group and click
Check Names. Select the proper group from the results and clickOK. ClickNext.
4.Select the tasks you want to delegate and click Next. Alternatively, you can create a custom task to delegate; this will change the behavior of the wizard and ask you which specific task you want to delegate on which object type.
5.ClickFinishto close the wizard and complete the delegation.
To create a custom console, you need to start the console program in authoring mode in the same way asProcedure GS-17:
1.Open a command console and run the following command(the/aparameter is only required if you are not logged in as an administrator):
mmc /a
2.This launches an empty MMC. Move to theFile menu and selectAdd/Remove Snap-in. In the Snap-indialog box, click theAddbutton. Select the snap-in or snap-ins you require—for example, Active Directory Users and Computers.ClosetheAdd Snap-indialog box when done.
3.Many snap-ins include extensions. To view extensions, use theExtensionstab. Deselect all of the extensions that are not required. For example, if you are delegating user management in AD, you do not need any of the Active Directory Users and Computers extensions. ClickOKwhen done. 4.Save your console (File | Save) and give it an
appropriate name. Select the OU you want to delegate, right-click on it, and selectNew Window from Herefrom the context menu. Close the former window so that only the new window is open. 5.Next, create a Taskpad view for the console.
Right-click on the OU and chooseNew Taskpad Viewfrom the context menu. This launches the Taskpad Wizard. ClickNext.
4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
6.Select the list format for the console and the style for task descriptions. ClickNextwhen done. 7.Set the task view forAll tree items that are the
same type as this tree itemand clickNext. 8.Name the Taskpad view and give it a description.
ClickNext.
9.Make sure theStart New Task Wizardoption is checked and clickFinishto complete the Taskpad. 10.TheNew Task Wizardwill launch. ClickNext.
SelectMenu Commandsand clickNext. You can also add navigation tasks or scripted commands. To add navigation tasks, you must have added the appropriate OUs to your Favorites first.
11.SelectList in the details paneand click the menu task required for the delegation, then clickNext. 12.Add the appropriate icon and clickNext. Click
Finishto complete the task creation. If you need to add another task, checkRun this Wizard again. Savethe console again.
13.Set the view options for this window. You can remove a number of items, such as the console tree, standard menu, standard toolbar, and so on. Move to theViewmenu and selectCustomize. Deselect all of theitemsyou do not deem necessary for console users. ClickOKwhen done.
TIP
This dialog box is live; when you deselect an item, you immediately see the result in the console behind the dialog box.14.Finally, you need to customize the console. Move to theFilemenu and selectOptions. Here you can type in aconsole description, assign anew icon(the Shell32.dll file contains several icons that can be used to customize MMCs), and determine the console operation mode. There are four console operation modes:
• Author mode Gives you complete control of the MMC.
• User mode, full access The same as author mode, but users cannot add snap-ins, change options, and create Favorites or Taskpads.
• User mode, limited access, multiple
windows Gives access only to the selected items when the console was saved. Users can create new windows, but cannot close any previously saved windows.
• User mode, limited access, single window Same as preceding, but users cannot create new windows. 15.For single-purpose consoles, selectUser mode,
limited access, single window. ClickOKwhen done.Saveand close the console.
Test the console to ensure it operates as designed. Open it in operation mode (as opposed to authoring mode) by double-clicking on its icon.
TIP
There are a lot of different options to use for Taskpad creation. Take the time to try them out to view the results. This will help you identify those that suit your environment best.You can distribute the console to a group by sending them the console file, but if the console is based on a snap-in they do not have installed, you will need to install the snap-in first. This can be done through Group Policy using software distribution. If you choose to use Group Policy for snap-in installation, you can include the console as well in the same Windows Installer executable (see Procedure DC-15). 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4