Delegating in AD
To delegate administrative tasks in AD, you manage AD objects' ACLs. Each task has an associated permission. For example, the task of resetting a password has the Reset Password permission, which you can allow or deny (explicitly or by inheritance), just like the Read or Write permissions on a file or folder.
You access an AD object's ACL just as you would access a file's or folder's ACL. First, open the Microsoft Management Console (MMC) Active Directory Users and Computers snap-in, choose the View menu, and select Advanced Features. Now, when you right-click the AD object and choose Properties, you'll see a Security tab, which is the ACL Editor interface.
The ACL Editor interface contains several layers of dialog boxes. The first dialog box displays basic information about the permissions templates assigned to particular security principals (e.g., users, groups, computers). You'll notice minor interface differences between the administrative tools in Windows Server 2003 and Windows 2000 Server. (Figure 1 shows the Windows 2003 interface.) For example, in Windows 2003, inheritance is controlled only in the Advanced Security Settings dialog box, but in Win2K, you can access the inheritance check box in both the Security Settings and Advanced Security Settings dialog boxes. Also, if a security principal has permissions that fall outside the standard permission templates that appear in the dialog box, Win2K alerts you with fine print at the bottom of the dialog box stating that the dialog box doesn't display all existing permissions. That information is easy to miss in Win2K. Windows 2003 adds a permissions template called Special that you're more likely to notice as you scroll through the permissions assigned to an account. Note, however, that Microsoft has placed the Special template at the bottom of the permissions list, so you need to scroll down to see it.
Clicking Advanced on the Security tab takes you to the second dialog box. Again, you'll notice differences between Windows 2003's Advanced Security Settings and Win2K's Access Control Settings dialog boxes. Windows 2003's Advanced Security Settings dialog box, which Figure 2 shows, introduces the Inherited From column, which lets you more easily determine at which point in an OU tree a particular permission was applied. Another welcome addition in Windows 2003 is the Default button, which wipes out the ACL and replaces it with the default ACL that the Schema defined for the object. Finally, the new Effective Permissions tab lets you evaluate the resultant permissions for a specific security principal.
When you add or edit a permission entry in the Permission entries list, the Permission Entry dialog box (the third level in the security dialog box chain) appears. This dialog box, which displays the most granular object and property permissions, hasn't changed significantly from Win2K to Windows 2003.
The Delegation of Control Wizard
Knowing about the ACL Editor dialog boxes is helpful (as is the functionality of the Effective Permissions tab), but I don't recommend that you use these dialog boxes to implement delegation. Because they expose too much granularity, simple mistakes can easily occur and lead to disasters.
The Delegation of Control Wizard masks the complexities of ACL modification. To launch the wizard, you right-click a major container (e.g., site, domain, OU) and choose Delegate Control. Other AD objects (e.g., users, groups) don't provide the Delegate Control option. You might correctly assume that all AD objects have ACLs and therefore support delegation, but modifying ACLs on individual leaf objects in AD isn't a good idea. Such modifications would become unruly and would be difficult to document, analyze, and troubleshoot. I recommend using containers as points of delegation, then letting ACL inheritance modify the ACLs of the objects within those containers. Microsoft encourages this practice by displaying the Delegate Control option on only a few major containers.
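As an added example (not from the article), the following PowerShell script does from the command line what the wizard does for the Reset Password task: it adds a single inheritable ACE at an OU, scoped to descendant user objects, and then lists the explicit (non-inherited) entries at that OU so the delegation point can be documented and reviewed. It assumes the ActiveDirectory module and the AD: drive it provides; the OU distinguished name and group name are placeholders.

```powershell
# Added example: delegate "Reset Password" at an OU via an inherited ACE, then audit the OU's ACL.
# Assumes the ActiveDirectory module (RSAT) and its AD: drive. $OU and $Group are placeholders.
Import-Module ActiveDirectory

# Well-known schema GUIDs (documented by Microsoft):
$ResetPasswordRight = [Guid]'00299570-246d-11d0-a768-00aa006e0529'  # "Reset Password" control access right
$UserObjectClass    = [Guid]'bf967aba-0de6-11d0-a285-00aa003049e2'  # "user" object class

function Grant-ResetPasswordDelegation {
    param(
        [Parameter(Mandatory)][string]$OU,     # placeholder, e.g. 'OU=HelpDeskManaged,DC=example,DC=com'
        [Parameter(Mandatory)][string]$Group   # placeholder, e.g. 'EXAMPLE\HelpDesk'
    )
    $sid = (New-Object System.Security.Principal.NTAccount($Group)).Translate(
        [System.Security.Principal.SecurityIdentifier])
    $acl = Get-Acl -Path "AD:\$OU"
    # Allow the extended right on descendant user objects only; the OU itself gets no right.
    $ace = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
        $sid,
        [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight,
        [System.Security.AccessControl.AccessControlType]::Allow,
        $ResetPasswordRight,
        [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents,
        $UserObjectClass)
    $acl.AddAccessRule($ace)
    Set-Acl -Path "AD:\$OU" -AclObject $acl
}

function Get-ExplicitDelegation {
    # Lists only ACEs applied directly at this OU (the rows the ACL Editor shows as not inherited);
    # these are the delegation points worth documenting and reviewing.
    param([Parameter(Mandatory)][string]$OU)
    $acl = Get-Acl -Path "AD:\$OU"
    $acl.Access | Where-Object { -not $_.IsInherited } | ForEach-Object {
        [pscustomobject]@{
            Principal           = $_.IdentityReference.Value
            Type                = $_.AccessControlType
            Rights              = $_.ActiveDirectoryRights
            ObjectType          = if ($_.ObjectType -eq $ResetPasswordRight) { 'Reset Password' } else { $_.ObjectType }
            AppliesTo           = $_.InheritanceType
            InheritedObjectType = $_.InheritedObjectType
        }
    }
}

# Usage (placeholder values):
# Grant-ResetPasswordDelegation -OU 'OU=HelpDeskManaged,DC=example,DC=com' -Group 'EXAMPLE\HelpDesk'
# Get-ExplicitDelegation -OU 'OU=HelpDeskManaged,DC=example,DC=com' | Format-Table -AutoSize
```

Running Get-ExplicitDelegation against each OU used as a delegation point gives the same picture as the Inherited From column, but in a form you can keep under version control and diff when something changes.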
G McLeroy January 13, 2004