
Use delegated control to delete accounts in Active Directory

Delegated control is a great tool to help with the day-to-day housekeeping of Active Directory. Rick Vanover shows Windows admins how to use delegated control for account objects.

In the course of administering Active Directory, there are basically two types of people when it comes to the delegated control capabilities: people who use them a lot, and people who don't use them at all. In my previous Windows Server tip, I explained that it is a good idea to put Active Directory accounts into holding patterns with dsquery. When the time comes to start deleting those accounts, delegated control is a great way to make that happen. Delegation in Active Directory grants a security principal (ideally a group) a specific set of permissions on an OU or container and the objects in it, so that a team can perform a defined task without anyone being added to Domain Admins.

A good example of using delegation is giving the PC support team the ability to delete computer accounts within Active Directory to go with the day-to-day tasks of administering client computing devices. This logic can be applied to virtually everything in Active Directory, and it is relatively easy to set up.

Let's set up a few things to make this easy. First, the PC support team should be a global security group that contains all of the people who will be given this task; delegate to the group rather than to individual accounts, so the permission does not have to be revisited every time staff change. There are two ways to structure this. The simplest approach is to have one group -- we'll call it Admin-PCSupport -- that has all of the PC support staff as members. A more granular approach is to have a task-specific group -- we'll call it Admin-DelegatedTask-DeleteComputerAccounts -- that contains all of the PC support staff and anyone else who may need to perform this particular task.

Once the group exists, we have what we need to set up delegation. I'm going to use the Admin-PCSupport group as an example in this lab domain (RWVDEV.INTRA). For the Computers container (CN=Computers), which is the default location for new computer accounts, we simply right-click it as an administrator in Active Directory Users and Computers and select Delegate Control (Figure A). The same steps apply to any OU you have moved your computer accounts into.

Figure A: Delegate Control on the Computers container.
The Delegation of Control Wizard then prompts us for the group to delegate to and for the tasks to delegate. The list of common tasks covers user, group and inetOrgPerson objects only, so for computer accounts choose Create a custom task to delegate, limit the scope to Only the following objects in the folder with Computer objects checked, and tick Delete selected objects in this folder. If the PC support team should also be able to join machines to the domain, tick Create selected objects in this folder as well; if creation and deletion should be handled by different people, run the wizard a second time and assign the delete task to a separate security group. This lets the granularity be as fine as you want. Figure B shows these steps of the Delegation of Control Wizard.

Figure B: The Tasks to Delegate and Active Directory Object Type pages of the wizard.
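The wizard writes an access control entry (ACE) onto the container; the same result can be produced and, more importantly, checked from PowerShell. The following is an added example, not code from the original article. It grants the Delete Child right scoped to the computer object class on the Computers container, which is what the wizard's "Delete selected objects in this folder" option does, and then lists the explicit ACEs on that container so you can confirm exactly what was delegated. The domain name RWVDEV.INTRA and the group name Admin-PCSupport are taken from the article; the function name Get-ExplicitDelegation is my own. It requires the RSAT ActiveDirectory module and a session with rights to modify the container's security descriptor.

```powershell
# Added example, not code from the original article. Performs the delegation
# the Delegation of Control Wizard does for a custom task scoped to Computer
# objects with "Delete selected objects in this folder", then reports the
# explicit ACEs on the container. Assumed names: RWVDEV.INTRA lab domain and
# the Admin-PCSupport group. Requires the RSAT ActiveDirectory module.

Import-Module ActiveDirectory

$domain   = Get-ADDomain
$targetDN = $domain.ComputersContainer            # default location for new computer accounts
$group    = Get-ADGroup -Identity 'Admin-PCSupport'

# schemaIDGUID of the "computer" class. The ACE is scoped to this GUID so the
# group can delete computer objects only, not users, groups or anything else.
$schemaNC = (Get-ADRootDSE).schemaNamingContext
$computerClass = Get-ADObject -SearchBase $schemaNC `
    -LDAPFilter '(&(objectClass=classSchema)(lDAPDisplayName=computer))' `
    -Properties schemaIDGUID
$computerClassGuid = [guid]$computerClass.schemaIDGUID

# "Delete selected objects in this folder" == Delete Child on the container,
# limited to the computer object type. Inheritance All makes the right apply
# to any sub-containers created later as well.
$ace = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    [System.Security.Principal.SecurityIdentifier]$group.SID,
    [System.DirectoryServices.ActiveDirectoryRights]::DeleteChild,
    [System.Security.AccessControl.AccessControlType]::Allow,
    $computerClassGuid,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All)

$aclPath = "AD:\$targetDN"
$acl = Get-Acl -Path $aclPath
$acl.AddAccessRule($ace)
Set-Acl -Path $aclPath -AclObject $acl

function Get-ExplicitDelegation {
    # Lists the ACEs set directly on an OU or container (inherited entries are
    # skipped), which is what a delegation review needs to see. Object-type
    # GUIDs are resolved to readable names through the supplied lookup table.
    param(
        [Parameter(Mandatory)][string]$DistinguishedName,
        [hashtable]$GuidNames = @{}
    )
    $acl = Get-Acl -Path "AD:\$DistinguishedName"
    foreach ($entry in $acl.Access) {
        if ($entry.IsInherited) { continue }
        $scope = if ($entry.ObjectType -eq [guid]::Empty) { 'All object types' }
                 elseif ($GuidNames.ContainsKey($entry.ObjectType)) { $GuidNames[$entry.ObjectType] }
                 else { $entry.ObjectType.ToString() }
        [pscustomobject]@{
            Identity    = $entry.IdentityReference.Value
            Type        = $entry.AccessControlType
            Rights      = $entry.ActiveDirectoryRights
            AppliesTo   = $scope
            Inheritance = $entry.InheritanceType
        }
    }
}

# Verify: the new row should show RWVDEV\Admin-PCSupport, Allow, DeleteChild,
# applying to computer objects. Point the function at any OU to review it.
Get-ExplicitDelegation -DistinguishedName $targetDN `
    -GuidNames @{ $computerClassGuid = 'computer objects' } |
    Format-Table -AutoSize
```

Two caveats when reading the report. First, Get-Acl only shows the ACEs on the object you ask about; to see everything that applies to a given OU you have to walk up its parents as well, because inherited entries are filtered out here deliberately to keep the list to what was delegated at that level. Second, the Identity column is a group name, not a list of people; expand nested membership with Get-ADGroupMember -Recursive before deciding who can actually delete accounts in that OU.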

How do you use delegated control in Active Directory for computer and user accounts? Share your tips in the discussion.

About

Rick Vanover is a software strategy specialist for Veeam Software, based in Columbus, Ohio. Rick has years of IT experience and focuses on virtualization, Windows-based server administration, and system hardware.

1 comment
JonathanCraig

Hi Rick, Thank you for showing us how to use the Delegation Wizard to delegate delete access. I have a related question, and that is - "How do I find out who is delegated what access in my Active Directory?" I ask because we have been delegating access for quite some time now, and while Active Directory has made it so easy to delegate access, because of group nestings and inheritance, when we were trying to find out who can delete domain user accounts in a specific OU, we found that it was very difficult to try and get an accurate picture of who is delegated what access. One of the forums I'm on (www.ActiveDirSec.Org) has some interesting discussions and ideas on this subject, but since you are a TechRepublic expert, I thought I would ask you if you can help me figure this one out. This is a major pain-point for us, so hopefully you can help out. Thank you. Jonathan.
