While there’s more than one way to delegate control of an Organisational Unit in Active Directory this post will be looking at the Delegation of Control Wizard for delegation purposes.
(Designing and implementing a strategy for the delegation of administration is not something to be taken lightly; it needs careful planning and consideration and is beyond the scope of this simple two part series aimed at beginners).
I’ll start off with a simple OU delegation scenario to be implemented and then follow it up with how to implement the delegation in Active Directory using the Delegation of Control Wizard. Our scenario also requires us to set an explicit deny permission but that’ll be covered in part 2.
An Example Delegation Scenario
Let’s say we have an IT Services OU in our structure with sub-OUs called Helpdesk, Technicians and Network Admins, as illustrated in the diagram below.
Now, in our delegation scenario we want the Helpdesk team to be able to change password for all IT Users except the Network Administrators.
Implementing the Delegation Scenario
There’s bound to be a team of Helpdesk operators, right? It would be impractical to delegate the permission to each team member separately, especially since they’re all getting the same permissions. Instead, what we do is create a security group, called helpdesk_team for example, and make all the Helpdesk staff’s user accounts members of this group. We then delegate the permissions to the helpdesk_team group.
Let’s go ahead and fire up the Delegation of Control Wizard. Right-click on the “IT_Services” OU in Active Directory Users and Computers and select “Delegate Control…”.
Click “Next” on the delegation wizard’s first screen.
Click “Add” on the Users or Groups page
Here we enter the name of our security group that we want to delegate permissions to. That’s “helpdesk_team” in our example. Click on “Check Names”, verify the name of the group has resolved correctly and click on “OK”.
Click on Next
This is where we choose the permissions we want to delegate to our group. In a production environment you’re likely to delegate a few more tasks to your helpdesk group but we’ll stick to our simple scenario for this post. Hence, we select “Reset user passwords and force password change at next logon”. Click on “Next” and then “Finish” to close the wizard.
Delegating permissions to the “IT_Services” OU means the permissions are inherited by the sub-OUs which includes “Netword_Admins”. But our delegation scenario specifically says the Helpdesk team are not supposed to be able to reset passwords for Network Administrators. We prevent them from doing so by setting what is known as an Explicit Deny Permission on the “Network_Admins” OU, coming up in part 2.