January 2004

Planning and Customizing AD Delegation

Use the Task, Role, Scope methodology to administer your AD environment

By using the Delegate Control option from a container, you're automatically specifying the scope of the delegation. The wizard asks you to specify

  • to whom you're trying to grant control. You specify this entity by adding security principals, specifically the administrative group that represents the role. Figure 3 shows the wizard screen in which you add these security principals.
  • the type of control the security principals should have. You'll notice that the wizard uses the word task, as Figure 4 shows. You can select from a list of what the wizard categorizes as common tasks, or you can create a custom task. Your definition of common tasks will likely differ from these defaults. But as you'll see in a moment, you can customize the Delegation of Control Wizard to display tasks that are common for you.

So, even the wizard is following best practice—a top-down implementation of Task, Role, Scope. After you specify these three delegation components, the wizard modifies the ACL on the container accordingly.

Customizing Delegation Interfaces
Unfortunately, the Delegation of Control Wizard's limited list of common tasks oversimplifies delegation to the point that the wizard becomes useless for any thoroughly thought-out delegation plan. For example, one common administrative task is unlocking accounts that have been locked by a user who has forgotten his or her password. Another example is password resets. When an administrator resets a user password, best practice is to require the user to change the password at his or her next logon. This task isn't available in Win2K's Delegation of Control Wizard. (However, this task is available in Windows 2003's Delegation of Control Wizard.) Strictly controlling the deletion of objects—especially of users, groups, and computers—is also common, particularly in larger organizations, because the deletion of an object results in the loss of its SID. The wizard's common task provides for the creation, management, and deletion of user objects, but what if you want to divide those tasks?

To customize the tasks that the wizard provides, you can modify the delegwiz.inf file, which resides in the hidden \%windir%\inf folder. The delegwiz.inf file has a simple structure in which each common task is defined by a template that provides the task with a user-friendly name and details the ACL changes that the wizard must make to implement the delegation. Near the top of the delegwiz.inf file is a section labeled DelegationTemplates. The Templates parameter that follows lists the templates in the file. If you add or remove a template, you must add or remove the template name from this list.

Listing 1 shows a template that's part of the standard delegwiz.inf file. The code at callout A in Listing 1 states that the template will apply when you invoke the wizard from a domain, OU, or container object. The code at callout B contains a user-friendly description of the task. The code at callout C indicates that if the task is selected in the Delegation of Control Wizard, the wizard will modify permissions on the scope container and on user objects. A permissions template exists for the scope and for the user objects. The scope permissions template permits the creation and deletion of user objects. The user objects permissions template assigns full control (i.e., GA in Listing 1) to all properties of user objects.

By using the templates that Listing 2 shows, you can implement two of the common tasks that Microsoft missed when it designed the wizard. You'll need to add templatecustom01 and templatecustom02 to the list in the Templates parameter of the DelegationTemplates section. You must modify delegwiz.inf on the computer from which you administer AD. If you want multiple administrators to use a custom delegwiz.inf file, distribute it appropriately. A service pack or OS upgrade could potentially overwrite your file, so be sure to back it up. After you customize your Delegation of Control Wizard, you'll be able to easily delegate control without having to dig into the AD objects' ACLs and risk mistakes.

For more information about the structure of delegwiz.inf, check out the Microsoft article "HOWTO: Customize the Task List in the Delegation Wizard" (http://support.microsoft.com/?kbid=308404). You can find information about specific Lightweight Directory Access Protocol (LDAP) property and object names and permissions specifiers at TechNet and the Microsoft Developer Network (MSDN).

Missing Permissions
One unfortunate characteristic of the ACL Editor in both Windows 2003 and Win2K is that it doesn't show you all available permissions. The reason is that far too many exist. That reason is understandable, but what if you assign a permission but can't see it in the UI? By modifying dssec.dat, a text file in the \system32 folder, you control which permissions appear in the ACL Editor. The dssec.dat file is divided into sections such as [user], each of which lists properties together with a value that controls whether the property is displayed. A property value of 7 means hide, and a property value of 0 (or no mention of the property at all) means show. Listing 3 shows part of the [user] section of a sample dssec.dat file.

In the [user] section, the property lockoutTime is set to 7, so it won't appear in the ACL Editor. Changing that property to 0 causes the property to appear, as Figure 5 shows. Windows 2003's dssec.dat file doesn't include lockoutTime under the [user] section, so the property does appear in the ACL Editor.

The dssec.dat file also determines which properties appear in the custom tasks portion of the Delegation of Control Wizard. As with delegwiz.inf, you must modify dssec.dat on the machine from which you administer AD. You should back up dssec.dat so that you're safe in the event of a service pack or upgrade overwrite. If you customize delegwiz.inf so that you can easily delegate otherwise unavailable tasks, you should ensure that dssec.dat makes visible the permissions you're setting. For example, if you use the second template in Listing 2 to provide an Unlock locked user accounts task, be sure to set lockoutTime to 0 in dssec.dat.
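Before distributing customized files, it helps to check them mechanically. The following Python script is an added example, not code from the article or its listings: it verifies that every template named in the Templates parameter has its [template] section and a [template.&lt;type&gt;] permissions section for each ObjectTypes entry (the mislabelled-section mistake readers report below), and it lists the properties a template grants that dssec.dat still hides with a value of 7. The key names, the [template.&lt;type&gt;] subsection layout, and the RP,WP specifiers are assumptions taken from the KB 308404 format rather than from the article, and both input files are constructed excerpts.

```python
import configparser
# Constructed sample delegwiz.inf and dssec.dat excerpts, not files shipped with
# Windows; key names, [template.<type>] subsections and RP,WP specifiers are
# assumed from KB 308404. templatecustom02 reproduces the reader-reported
# mistake: its permissions section is [templatey.user], not [templatecustom02.user].
DELEGWIZ_INF = """[DelegationTemplates]
Templates = templatecustom01, templatecustom02
[templatecustom01]
AppliesToClasses = domainDNS, organizationalUnit, container
Description = "Reset user passwords and force change at next logon"
ObjectTypes = user
[templatecustom01.user]
pwdLastSet = RP,WP
[templatecustom02]
AppliesToClasses = domainDNS, organizationalUnit, container
Description = "Unlock locked user accounts"
ObjectTypes = user
[templatey.user]
lockoutTime = RP,WP
"""
DSSEC_DAT = """[user]
lockoutTime=7
pwdLastSet=0
"""

def _parse(text):
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str  # keep LDAP attribute names case-sensitive
    cp.read_string(text)
    return cp

def check_delegwiz(inf_text):
    """List templates named under Templates whose sections are missing."""
    cp, problems = _parse(inf_text), []
    for name in (t.strip() for t in cp["DelegationTemplates"]["Templates"].split(",")):
        if name not in cp:
            problems.append(f"{name}: [{name}] section is missing")
            continue
        for otype in (o.strip() for o in cp[name].get("ObjectTypes", "").split(",")):
            if otype and f"{name}.{otype}" not in cp:
                problems.append(f"{name}: [{name}.{otype}] section is missing")
    return problems

def hidden_properties(inf_text, dssec_text):
    """Properties a template grants that dssec.dat hides (value 7) in the ACL Editor."""
    inf, dat, hidden = _parse(inf_text), _parse(dssec_text), []
    for section in inf.sections():
        otype = section.partition(".")[2]  # "" for sections that are not permission templates
        if otype and otype != "SCOPE" and otype in dat:
            hidden += [(otype, p) for p in inf[section] if dat[otype].get(p, "0").strip() == "7"]
    return hidden
```

Run both checks against the files you intend to distribute; an empty list from each means the wizard's templates are internally consistent and the permissions they set will be visible in the ACL Editor.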

Eliminate Human Error
By carefully planning your delegation and distributing customized dssec.dat and delegwiz.inf files that provide for the implementation of that model, you create an environment that's more productive and less conducive to human error. If you're going to manually delegate control over AD and your organization's roles group tasks in a way that differs from the way that the Delegation of Control Wizard groups tasks, these techniques can make a world of difference.

Reader Comments
Very good article. However, I am unsuccessful at duplicating the article's suggestion of modifying the delegwiz.inf. Added the 2 sample templates verbatim along with adding them to the parameter list and when I click on Delegate Control the MMC simply closes. Can't find any clue to this behavior in the event log. Is there a step missing? Attempted on a w2k sp3 DC.

G McLeroy January 13, 2004


I am also seeing this behaviour and when I edit out the templatecustom01 and/or 02 from the templates parameter at the beginning of the delegwiz.inf the problem disappears. Only to discover that of course the additions are not in the delwizard.

S February 13, 2004


The 2 custom templates need amending slightly to resolve the problem. For the first template the line [templatex.user] needs changing to [templatecustom01.user]. It's the same problem for the other: replace [templatey.user] with [templatecustom02.user]. After making these changes the 2 new options will be added to the Delegation of Control wizard.

S Kemball April 22, 2004


very useful

secadmin July 08, 2005


 Windows IT Pro is a Division of Penton Media Inc.
 Copyright © 2008 Penton Media, Inc., All rights reserved. Terms and Use | Privacy Statement | Reprints and Licensing