Delegate Admin Privileges

  • Question

  • Hello there,

    We wish to delegate administrative privileges to move user/computer objects from one OU to another. Additionally, we wish to delegate rights to write a new value to the user class attribute-proxyaddress. Appreciate if someone can shed some light on how to accomplish this... Thanks,

    CastAway

    • Edited by Venksel Friday, July 16, 2010 8:56 PM .
    Friday, July 16, 2010 8:46 PM

Answers

  • Hi,

    You may refer to the following procedure to run the delegation:

    • Start the Delegation of Control Wizard by performing the following steps:
      • Open Active Directory Users and Computers.
      • In the console tree, double-click the domain node.
      • In the details menu, right-click the organizational unit, click Delegate Control, and click Next.
    • Select the users or group to which you want to delegate common administrative tasks. To do so, perform the following steps:
      • On the Users or Groups page, click Add.
      • In the Select Users, Computers or Groups dialog, write the names of the users and groups to which you have to delegate control of the organizational unit, click OK, and click Next.
    • Assign common tasks to delegate. To do so, perform the following common tasks:
      • On the Tasks to Delegate page, click Delegate the following common tasks.
      • On the Tasks to Delegate page, select the tasks you want to delegate, and click OK.
    • Click Finish.

    To delegate an administrator to move user/computer objects, you can use advanced mode in AD Users and Computers and run the delegation. It should have write privilege in both OUs for the object moving. For writing new values, the administrator's account should have delegated values on the user account (Full privilege in the specific OU as well).

    • Proposed as answer by LikeToCode Sunday, July 18, 2010 2:17 PM
    • Marked as answer by Bruce-Liu Wednesday, July 28, 2010 2:57 AM
    Friday, July 16, 2010 10:48 PM
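
    The two delegations asked about in this thread, written as explicit `dsacls` grants rather than wizard clicks (an added example, not part of the original thread or of any poster's reply). The domain, OU paths and group name are placeholders, and the set of rights shown is one narrower alternative to full control: delete-child on the source OU, create-child on the destination OU, write on the naming attributes, and write on `proxyAddresses`.

```powershell
# Added example. All names below are constructed placeholders; replace them.
$group    = 'EXAMPLE\OU-Movers'               # hypothetical delegate group
$sourceOU = 'OU=Staging,DC=example,DC=com'    # hypothetical OU objects are moved out of
$targetOU = 'OU=Production,DC=example,DC=com' # hypothetical OU objects are moved into

foreach ($class in 'user', 'computer') {
    # Source OU: allow deleting child objects of this class
    # (a move removes the object from its old parent).
    # /I:T applies the ACE to the OU itself and everything beneath it.
    dsacls $sourceOU /I:T /G "${group}:DC;$class"

    # Destination OU: allow creating child objects of this class
    # (a move creates the object under its new parent).
    dsacls $targetOU /I:T /G "${group}:CC;$class"

    # A move rewrites the object's name, so the delegate needs write access
    # to the naming attributes on the objects being moved.
    # /I:S applies the ACE to descendant objects only, not to the OU itself.
    foreach ($attr in 'cn', 'name') {
        dsacls $sourceOU /I:S /G "${group}:WP;$attr;$class"
    }
}

# Write access to proxyAddresses on user objects in both OUs, so the right
# still applies after an account has been moved.
foreach ($ou in $sourceOU, $targetOU) {
    dsacls $ou /I:S /G "${group}:WP;proxyAddresses;user"
}

# Review what the group now holds on each OU. Anything beyond the entries
# granted above (for example FULL CONTROL) deserves a second look.
foreach ($ou in $sourceOU, $targetOU) {
    "--- $ou"
    dsacls $ou | Select-String -SimpleMatch $group
}
```

    To allow moves in both directions, repeat the `DC`, `CC` and naming-attribute grants with the two OUs swapped.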

All replies

  • Hi,

    Adding to Jacky, please also have a look at the following articles:

    Delegating Authority in Active Directory
    http://technet.microsoft.com/en-us/magazine/2007.02.activedirectory.aspx

    Best Practices for Delegating Active Directory Administration
    http://www.microsoft.com/downloads/details.aspx?FamilyID=631747a3-79e1-48fa-9730-dae7c0a1d6d3&displaylang=en

    Achieving Autonomy and Isolation with Forests, Domains, and Organizational Units
    http://technet.microsoft.com/en-us/library/bb727032.aspx

    Hope that helps,

    Gunter

    Gunter Danzeisen - Blog: fabrikam.wordpress.com
    • Proposed as answer by LikeToCode Sunday, July 18, 2010 2:17 PM
    Saturday, July 17, 2010 8:11 PM
  • Hi,

    Please have a look at this thread:

    http://social.technet.microsoft.com/Forums/en-US/winserversecurity/thread/f1d6d833-f3d1-4ef9-a717-1f685e99b1a2

    Hope it helps.

    Regards,

    Bruce

    Monday, July 19, 2010 8:50 AM