Re: Delegating Control...
- From: "JPolicelli" <JPolicelli@xxxxxxxxxxxxxxxxxxxxxxxxx>
- Date: Fri, 16 Sep 2005 16:26:11 -0700
Have a read through Sanjay Tandon's Best Practices for Delegating Active
Directory Administration document published on Microsoft's site. The Best
Practices for Delegating Active Directory Administration: Appendices has a
lot of details that you may find helpful for this.
"Jason Tan (MSFT)" wrote:
> Hi Harrison,
>
> Thanks for your reply!
>
> Based on my search, I cannot find the document which describes all the
> permissions, since it could be much more due to the different requirements.
> You may consider which permissions should be granted to objects to
> customize a delegation of control.
>
> 1. Join Computers to the domain
> 2. Move computers between OU's
> 3. Reset user passwords
> 4. Create Exchange Mailboxes
> 5. Add and remove groups to users.
>
> I would like to provide you with some information for your reference:
>
> 1. Join Computers to the domain.
>
> By default, a domain user has permission to join 10 clients to the domain.
>
> 2. Move computers between OU's
>
> You may want to delegate user/group create, list, view permission to the
> two OUs.
>
> 3. Reset user passwords
>
> This is a common task which you may delegate to users/groups. Please refer
> to "Reset user passwords and force password change at next logon" option in
> common task.
>
> 4. Create Exchange Mailboxes
>
> You may attempt to use common task "create, delete, and manage user
> accounts."
>
> 5. Add and remove groups to users.
>
> You may want to delegate users/groups full control permission to the groups
> object.
>
> More information for your reference:
> Step-by-Step Guide to Using the Delegation of Control Wizard
> http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/directory/activedirectory/stepbystep/ctrlwiz.mspx
>
> Use this wizard to delegate administrative control
> http://www.windowsitpro.com/Article/ArticleID/22555/22555.html?Ad=1
>
> Delegation of Control Wizard
> http://www.serverwatch.com/tutorials/article.php/10825_1472441_2
>
> Hope the information helps. If there is anything that is unclear, please
> feel free to let me know.
>
> Thanks & Regards,
>
> Jason Tan
>
> Microsoft Online Partner Support
> Get Secure! - www.microsoft.com/security
>
> =====================================================
>
> When responding to posts, please "Reply to Group" via your newsreader so
> that others may learn and benefit from your issue.
>
> =====================================================
> This posting is provided "AS IS" with no warranties, and confers no rights.
>
>
>
> --------------------
> | From: "Harrison Midkiff" <HMidkiff@xxxxxxxxxx>
> | Subject: Re: Delegating Control...
> | Date: Thu, 15 Sep 2005 18:48:29 -0400
> | Organization: Audio Visual Innovations, Inc.
> | Newsgroups: microsoft.public.win2000.active_directory
> |
> | Jason:
> |
> | Thanks for replying to my post.
> |
> | I know how to do the Delegation of Control, but the descriptions of all
> | the permissions are not very good. Do you know any place that has good
> | descriptions of these?
> |
> | Harrison Midkiff
> | "Jason Tan (MSFT)" <v-jasont@xxxxxxxxxxxxxxxxxxxx> wrote in message
> | news:bIxy4cduFHA.3640@xxxxxxxxxxxxxxxxxxxxxxxx
> | > Hello Harrison,
> | >
> | > Thank you for posting!
> | >
> | > I agree with kapil. You may follow his helpful suggestion. More
> | > information below is for your reference:
> | >
> | > 888204 How to use the Delegation of Control Wizard to grant permissions to a
> | > http://support.microsoft.com/?id=888204
> | >
> | > 315676 HOW TO: Delegate Administrative Authority in Windows 2000
> | > http://support.microsoft.com/default.aspx?scid=kb;en-us;315676
> | >
> | > 883381 Delegating administrator roles to an administrative group can grant the
> | > http://support.microsoft.com/?id=883381
> | >
> | > 304935 How to set Exchange Server 2000 and 2003 mailbox rights at the time of
> | > http://support.microsoft.com/?id=304935
> | >
> | > Hope the information helps. If there is anything that is unclear, please
> | > feel free to let me know.
> | >
> | > Thanks & Regards,
> | >
> | > Jason Tan
> | >
> | > Microsoft Online Partner Support
> | > Get Secure! - www.microsoft.com/security
> | >
> | >
> | >
> | > --------------------
> | > | From: "kapil" <kapil@xxxxxxxxxxxxxxxxxxxxxxxxx>
> | > | Subject: RE: Delegating Control...
> | > | Date: Wed, 14 Sep 2005 22:57:02 -0700
> | > | Newsgroups: microsoft.public.win2000.active_directory
> | > |
> | > | Hello Harrison,
> | > |
> | > | You can definitely find these options, but for that you have to do a
> | > | customized delegation. That will give you all the options. Also be
> | > | careful about the adminSDHolder.
> | > |
> | > | You can also go through article: KB 817433
> | > |
> | > | Need help? Mail me.
> | > |
> | > | "Harrison Midkiff" wrote:
> | > |
> | > | > Hello:
> | > | >
> | > | > After a series of errors due to too many people having domain admin
> | > | > accounts, I have finally decided to run the Delegation of Control
> | > | > wizard and restrict users' access. I created a group and want to only
> | > | > allow them to do the following.
> | > | >
> | > | > 1. Join Computers to the domain
> | > | > 2. Move computers between OU's
> | > | > 3. Reset user passwords
> | > | > 4. Create Exchange Mailboxes
> | > | > 5. Add and remove groups to users.
> | > | >
> | > | > I tried to use the Delegation of Control wizard but it didn't seem to
> | > | > give me these options. Does anyone have experience running this who
> | > | > could help me out? Thanks.
> | > | >
> | > | > Harrison Midkiff
> | > | >
> | > | >
> | > | >
> | > |
> | >
> |
> |
> |
>
>
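
An added example, not part of any post in this thread: one way to grant the specific rights behind tasks 1, 2, 3 and 5 with `dsacls`, then check the two caveats raised in the replies (the default of 10 joins per user, and AdminSDHolder). The group, OU and domain names are placeholders; Exchange mailbox creation is left out.

```powershell
# Added example. Group, OU and domain names below are placeholders.
$Group   = 'EXAMPLE\OU-Operators'
$Domain  = 'DC=example,DC=com'
$UserOU  = "OU=Staff,$Domain"
$GroupOU = "OU=Groups,$Domain"
$PcOUs   = "OU=Desktops,$Domain", "OU=Laptops,$Domain"

# Tasks 1 and 2: create and delete computer objects in both OUs. Creating
# covers joining and the destination side of a move; deleting covers the
# source side. A move also rewrites the object's naming attributes.
foreach ($ou in $PcOUs) {
    dsacls $ou /I:T /G "${Group}:CCDC;computer"
    dsacls $ou /I:S /G "${Group}:WP;name;computer"
    dsacls $ou /I:S /G "${Group}:WP;cn;computer"
}

# Task 3: the Reset Password extended right, plus write access to pwdLastSet
# so the operator can force a change at next logon.
dsacls $UserOU /I:S /G "${Group}:CA;Reset Password;user"
dsacls $UserOU /I:S /G "${Group}:WP;pwdLastSet;user"

# Task 5: write access to the member attribute of groups in one OU only.
dsacls $GroupOU /I:S /G "${Group}:WP;member;group"

# Review: list the ACEs that now name the delegated group.
foreach ($ou in @($UserOU, $GroupOU) + $PcOUs) {
    "--- $ou"
    dsacls $ou | Select-String -SimpleMatch $Group
}

# Caveat for task 1: show the per-user join quota stored on the domain
# head (ms-DS-MachineAccountQuota); the delegation above does not change it.
dsquery * $Domain -scope base -attr ms-DS-MachineAccountQuota

# Caveat for task 3 (AdminSDHolder): accounts flagged adminCount=1 typically
# have inheritance disabled, so the OU-level reset right will not reach them.
dsquery * $UserOU -filter '(&(objectCategory=person)(objectClass=user)(adminCount=1))' -attr sAMAccountName distinguishedName
```

Run it from an account that can modify the ACLs on those OUs; the last two queries are read-only.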