3. Delegating Control of OUs
In simple environments, one or a few systems
administrators may be responsible for managing all of the settings
within Active Directory. For example, a single systems administrator
could manage all users within all OUs in the environment. In larger
organizations, however, roles and responsibilities may be divided among
many different individuals. A typical situation is one in which a
systems administrator is responsible for objects within only a few OUs
in an Active Directory domain. Or, one systems administrator might
manage User and Group objects while another is responsible for managing
file and print services.
Fortunately, using the Active Directory Users And
Computers tool, you can quickly and easily ensure that specific users
receive only the permissions they need. In Exercise 2, you will use the Delegation of Control Wizard
to assign permissions to individuals.
Open the Active Directory Users And Computers administrative tool. Right-click
the Corporate OU within the North America OU and select Delegate
Control. This starts the Delegation of Control Wizard. Click Next to
begin configuring security settings.
In the Users Or Groups page, click the Add button. In the Enter The Object Names To Select field, enter Account Operators and press Enter. Click Next to continue.
In the Tasks To Delegate page, select Delegate The Following Common Tasks and place a check mark next to the following items:
Create, Delete, And Manage User Accounts
Reset User Passwords And Force Password Change At Next Logon
Read All User Information
Create, Delete, And Manage Groups
Modify The Membership Of A Group
Click Next to continue.
The
Completing The Delegation of Control Wizard page then provides a
summary of the operations you have selected. To implement the changes,
click Finish.
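The same delegation can be applied from PowerShell, which is how you would do it repeatably across many OUs and keep the result in version control. The script below is an added example and is not part of the original exercise; it writes the same kind of access control entries (ACEs) that the wizard's five common tasks create, scoped to the Corporate OU. It assumes the ActiveDirectory module (which provides the AD: drive), and the distinguished name of the OU is an assumed value that you must adjust for your domain. Class, attribute and extended-right GUIDs are looked up in the schema and configuration partitions rather than hard-coded.

```powershell
# Added example, not from the original exercise: performs the Exercise 2
# delegation with PowerShell instead of the wizard. Assumes the
# ActiveDirectory module; the OU DN below is an assumption for illustration.
Import-Module ActiveDirectory

$ouDN    = 'OU=Corporate,OU=North America,DC=corp,DC=example'   # assumed DN
$account = New-Object System.Security.Principal.NTAccount('BUILTIN\Account Operators')
$sid     = $account.Translate([System.Security.Principal.SecurityIdentifier])

# Resolve object-class, attribute and extended-right GUIDs from the directory
# instead of hard-coding them.
$rootDse = Get-ADRootDSE
function Get-SchemaGuid([string]$ldapDisplayName) {
    $o = Get-ADObject -SearchBase $rootDse.schemaNamingContext `
        -LDAPFilter "(lDAPDisplayName=$ldapDisplayName)" -Properties schemaIDGUID
    [guid]$o.schemaIDGUID
}
function Get-ExtendedRightGuid([string]$displayName) {
    $o = Get-ADObject -SearchBase "CN=Extended-Rights,$($rootDse.configurationNamingContext)" `
        -LDAPFilter "(displayName=$displayName)" -Properties rightsGuid
    [guid]$o.rightsGuid
}
$user       = Get-SchemaGuid 'user'
$group      = Get-SchemaGuid 'group'
$pwdLastSet = Get-SchemaGuid 'pwdLastSet'
$member     = Get-SchemaGuid 'member'
$resetPwd   = Get-ExtendedRightGuid 'Reset Password'
$any        = [guid]::Empty    # "all object types" / "all properties"

# One Allow ACE for the delegate. $objectType narrows the right to a class,
# attribute or extended right; $inheritedObjectType limits which descendant
# object class inherits it.
function New-Ace([string]$rights, [guid]$objectType, [string]$inheritance, [guid]$inheritedObjectType) {
    [System.DirectoryServices.ActiveDirectoryAccessRule]::new(
        $sid,
        [System.DirectoryServices.ActiveDirectoryRights]$rights,
        [System.Security.AccessControl.AccessControlType]::Allow,
        $objectType,
        [System.DirectoryServices.ActiveDirectorySecurityInheritance]$inheritance,
        $inheritedObjectType)
}

$aces = @(
    # Create, Delete, And Manage User Accounts
    (New-Ace 'CreateChild,DeleteChild' $user 'All'         $any)
    (New-Ace 'GenericAll'              $any  'Descendents' $user)
    # Reset User Passwords And Force Password Change At Next Logon
    (New-Ace 'ExtendedRight'              $resetPwd   'Descendents' $user)
    (New-Ace 'ReadProperty,WriteProperty' $pwdLastSet 'Descendents' $user)
    # Read All User Information
    (New-Ace 'ReadProperty' $any 'Descendents' $user)
    # Create, Delete, And Manage Groups
    (New-Ace 'CreateChild,DeleteChild' $group 'All'         $any)
    (New-Ace 'GenericAll'              $any   'Descendents' $group)
    # Modify The Membership Of A Group
    (New-Ace 'ReadProperty,WriteProperty' $member 'Descendents' $group)
)

# Read the OU's security descriptor, append the ACEs, and write it back.
$acl = Get-Acl -Path "AD:\$ouDN"
foreach ($ace in $aces) { $acl.AddAccessRule($ace) }
Set-Acl -Path "AD:\$ouDN" -AclObject $acl
```

Run this as an account that may modify the OU's permissions (a domain administrator, or the OU's owner). Two practical caveats: in production you would normally delegate to a purpose-built group rather than to a built-in operator group such as Account Operators, and a password-reset delegation on an OU does not reach members of protected groups (Domain Admins and the like), because AdminSDHolder periodically overwrites their security descriptors.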
Although the common tasks available through the
wizard are sufficient for many delegation operations, you may have
cases in which you want more control. For example, you might want to
give a particular systems administrator permissions to modify only
Computer objects. Exercise 3
uses the Delegation of Control Wizard to assign more granular
permissions.
Open the Active Directory Users And Computers administrative tool.
Right-click
the Corporate OU within the North America OU and select Delegate
Control. This starts the Delegation of Control Wizard. Click Next to
begin configuring security settings.
In the Users Or Groups page, click the Add button. In the Enter The Object Names To Select field, enter Server Operators and press Enter. Click Next to continue.
In the Tasks To Delegate page, select the Create A Custom Task To Delegate radio button, and click Next to continue.
In
the Active Directory Object Type page, choose Only The Following
Objects In The Folder, and place a check mark next to the following
items (you will have to scroll down to see them all):
User Objects
Computer Objects
Contact Objects
Group Objects
Organizational Unit Objects
Printer Objects
Click Next to continue.
In
the Permissions page, place a check mark next to the General option and
make sure the other options (Property-Specific, and Creation/Deletion Of
Specific Child Objects) are not checked; those options expose the
attribute-level and per-class permissions when you need finer control.
Place a check mark next to the following items:
Create All Child Objects
Read All Properties
Write All Properties
This
gives the members of the Server Operators group the ability to create
new objects of the selected types within the Corporate OU and the permissions to read and
write all properties of those objects. Note that Write All Properties on
User and Group objects is a broad grant: it covers group membership and
most account attributes, so scope a delegation like this to the smallest
OU and group that will do. Click Next to continue.
The
Completing The Delegation of Control Wizard page provides a summary of
the operations you have selected. To implement the changes, click
Finish.
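The wizard only adds permissions; it cannot show you what has already been delegated on an OU, and it cannot remove anything. To review or revoke a delegation you edit the OU's ACL directly, through the Security tab (Advanced view) in Active Directory Users And Computers, with dsacls, or with PowerShell as below. The script is an added example and not part of the original exercise; it assumes the ActiveDirectory module, and the OU distinguished name is an assumed value to be adjusted. It lists the explicit (non-inherited) ACEs on the OU with their GUIDs translated back to class, attribute and extended-right names, and then shows how to strip the ACEs granted to Server Operators in Exercise 3.

```powershell
# Added example, not from the original exercise: lists the delegations set on
# the Corporate OU and revokes those granted to Server Operators. Assumes the
# ActiveDirectory module; the OU DN is an assumption for illustration.
Import-Module ActiveDirectory
$ouDN = 'OU=Corporate,OU=North America,DC=corp,DC=example'   # assumed DN

# Reverse map GUID -> name for classes, attributes and extended rights, so the
# ObjectType / InheritedObjectType of each ACE can be read without a GUID table.
$rootDse = Get-ADRootDSE
$names = @{}
$names[[guid]::Empty] = '(any)'
Get-ADObject -SearchBase $rootDse.schemaNamingContext -LDAPFilter '(schemaIDGUID=*)' `
    -Properties lDAPDisplayName, schemaIDGUID |
    ForEach-Object { $names[[guid]$_.schemaIDGUID] = $_.lDAPDisplayName }
Get-ADObject -SearchBase "CN=Extended-Rights,$($rootDse.configurationNamingContext)" `
    -LDAPFilter '(rightsGuid=*)' -Properties displayName, rightsGuid |
    ForEach-Object { $names[[guid]$_.rightsGuid] = $_.displayName }

function Resolve-Guid([guid]$g) {
    if ($names.ContainsKey($g)) { $names[$g] } else { $g.ToString() }
}

function Get-OuDelegation([string]$dn) {
    $acl = Get-Acl -Path "AD:\$dn"
    # Explicit ACEs are the ones written on this OU itself, which is where the
    # wizard puts them; inherited ACEs come from parent OUs or the domain head.
    $acl.Access | Where-Object { -not $_.IsInherited } | ForEach-Object {
        [pscustomobject]@{
            Identity    = $_.IdentityReference.Value
            Type        = $_.AccessControlType
            Rights      = $_.ActiveDirectoryRights
            ObjectType  = Resolve-Guid $_.ObjectType          # right/attribute/class granted
            AppliesTo   = Resolve-Guid $_.InheritedObjectType # descendant class that inherits it
            Inheritance = $_.InheritanceType
        }
    }
}

Get-OuDelegation $ouDN | Format-Table -AutoSize

# Revoke: remove every explicit ACE for one identity and write the ACL back.
function Remove-OuDelegation([string]$dn, [string]$identity) {
    $acl = Get-Acl -Path "AD:\$dn"
    $toRemove = @($acl.Access | Where-Object {
        -not $_.IsInherited -and $_.IdentityReference.Value -eq $identity })
    foreach ($ace in $toRemove) { [void]$acl.RemoveAccessRuleSpecific($ace) }
    Set-Acl -Path "AD:\$dn" -AclObject $acl
    $toRemove.Count    # number of ACEs removed
}

# Undo the Exercise 3 delegation:
# Remove-OuDelegation $ouDN 'BUILTIN\Server Operators'
```

For a quick look without PowerShell, `dsacls "OU=Corporate,OU=North America,DC=corp,DC=example"` prints the same ACL as text. Reviewing explicit ACEs on every OU this way, on a schedule, is how you catch delegations that were granted for a project and never removed.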