As a network administrator, any chance that you can get to reduce your workload is a chance worth taking—within reason, of course. One of the things that can take up too much of your valuable time is dealing with users who forget their passwords.

Put time back on your side by delegating this chore to someone else. While you might not have anyone in your organization who can help take some of the administration burden off your shoulders by reconfiguring your Active Directory tree for you, you can certainly find someone who can help users deal with password problems. Windows 2000 gives you the ability to delegate password authority to others in your organization through the Delegation Of Control Wizard. In this Daily Feature, I’ll show you how to make it work.

Delegation basics
In Windows NT 4.0, the ability to delegate control to subordinate administrators didn’t exist. If you ran Exchange Server 5.5, you could spread some of the work around because you could assign rights to servers and sites. Exchange 5.5 had its own accounts database to allow you to do this, but Exchange 5.5 rights didn’t translate into any authority over the NT 4.0 network.

With the introduction of Active Directory, Microsoft fixed this problem. Thanks to the ability to delegate control of Active Directory objects and actions in Windows 2000, you now have plenty of opportunities to lighten your workload by giving junior admins something else to do besides mucking up the settings in the DHCP scopes. You can delegate control over everything from simple tasks such as resetting users’ passwords, which I will get into shortly, to complex tasks such as managing the Active Directory (AD) replication topology and schedule.

You can delegate the administrative responsibility for a domain or an Organizational Unit to any user in your organization via the Delegation Of Control Wizard. Delegation of administrative duties can be accomplished in one of three ways:

  1. Delegation of control to change properties of an AD container
  2. Delegation of control to create and delete objects of a specific type under an Organizational Unit. Object types can include users, groups, computers, printers, etc.
  3. Delegation of control to change or update specified properties on specified object types in a specified AD container.

The Delegation Of Control Wizard is simply an easy way to assign user permissions. You can opt to assign the permissions manually if you want to use the standard procedures.

All permissions assigned via delegation are, by default, inherited with all other permissions by child objects. If you delegate password-reset permissions at a domain level, the change will affect all containers within that domain. The exception to this rule is in cases where you have opted to manually prevent permission inheritance by deselecting the Allow Inheritable Permissions From Parent To Propagate To This Object option.

Delegation, like all permissions assignments, should be accomplished at the lowest possible level and with the least amount of privilege given. The only thing worse than giving too little in the way of privileges is giving too much.

Down to business
The process to delegate control and create a password administrator is fairly simple. To begin, you’ll need to open the Active Directory Users And Computers snap-in from one of your domain controllers. Once you’ve got it open, navigate the left pane and open the nodes until you get to the Organizational Unit (OU) you want to delegate control over. When you find the proper node, select it. If you want to delegate control for the entire organization, select the domain top node.

In my examples, I will be delegating control over the entire domain (test.local) and the Accounting OU. You can see my domain structure in Figure A. Depending on the level at which you are delegating, you’ll have a few different options available to you. I am going to look at delegating from both the domain and OU, starting with the domain first.

Figure A
Select the domain node where you want to delegate control.

In the left pane of the Active Directory Users And Computers console, select which object you want to delegate control over, right-click it, and select Delegate Control. Because we’re first going to delegate control over the entire domain, you should select and right-click the top icon in the left pane. You’ll then see the Delegation Of Control Wizard. As with most Wizards, the first thing you’ll see is an opening Welcome screen. Click Next to dismiss this page so you can get down to the business at hand.

You’ll then see the Users Or Groups page. On this page, you’ll add the users or groups to which you want to delegate control. Click Add to open up a standard directory listing dialog box that allows you to add the appropriate users and groups. After you’ve selected all the users and groups you want to add, click Next.

You’ll then see the Tasks To Delegate page. Click the Create A Custom Task To Delegate radio button and then click Next to continue to the Active Directory Object Type page. Because you want to only delegate control over the user object, you’ll need to click the Only The Following Objects In The Folder radio button. Next, select User Objects from the list provided, as shown in Figure B.

Figure B
Select User Objects from the Active Directory Object Type window.

Click Next to move on to the Permissions page. From the Permissions page, select the Reset Password item. If Reset Password isn’t available, ensure that the General box is checked at the top of the page. After making your selection, click Next to go to the final page of the Wizard, the Completing The Delegation Of Control Wizard screen shown in Figure C. This screen shows you the selections you’ve made. If you want to make a change to a selection, just click the Back button to work your way backwards through the wizard. If you are satisfied with the changes, click Finish to complete the process. Alternatively, you can bail out of the whole process by clicking Cancel.

Figure C
Verify the choices you’ve made in the wizard before clicking Finish.

Differences when working with OUs
If you want to delegate password-reset authority over a specific OU rather than over the entire domain, the process is basically the same as I discussed above. However, there are a few differences. Although you can still delegate control in the same way you did at the domain level, it is actually a simpler process for most common tasks at the OU level. Start by selecting an OU from the left pane of the Active Directory Users And Computers MMC. Right-click it and select Delegate Control. Follow the Delegation Of Control Wizard just as you did in the above example.

As shown in Figure D, when you get to the Tasks To Delegate page of the Wizard, you’ll notice that the default tasks listed for delegation are much different than what you saw at the domain level. Select the Delegate The Following Common Tasks radio button and then select Reset Passwords On User Accounts from the list. After making your selection, click Next to complete the wizard. As before, you’ll have the opportunity to review your changes before committing to them.

Figure D
Delegating control over an OU requires you to make fewer choices than when you delegate control over a domain.

Checking to make sure everything worked
After you’ve finished with the Delegation Of Control Wizard, you can go back and verify that the control you wanted to delegate applied properly. To do so, right-click the container in the left pane of the Active Directory Users And Computers MMC and select Properties. When the Properties page for the object appears, click the Security tab. Click Advanced to bring up the Access Control Settings for the object, as shown in Figure E. If you cannot select the Security tab of the Properties window, you’ll need to enable Advanced Features from the View menu of Active Directory Users And Computers.

Figure E
View the Access Control Settings for the container object to verify that the delegation worked properly.

Scroll through the Permission Entries list box until you find the user object to which you delegated control. When you’ve verified that the user has the Reset Password permission applied to User Objects, you can click OK to close the Access Control Settings window. If you want to remove the delegation, highlight the user object and click Remove.
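The same check can be scripted for every container rather than scrolling through the Access Control Settings dialog by hand. The script below is an added example, not part of the original article; it assumes the ActiveDirectory PowerShell module (and its AD: drive) is available and uses the article’s sample names test.local and Accounting, which you would replace with your own.

```powershell
# Added example (not from the original article): audit which principals hold the
# Reset Password right over user objects in a container, and where each entry
# comes from. Assumes the ActiveDirectory module and AD: drive are available.
Import-Module ActiveDirectory

# Well-known schema GUIDs for the "Reset Password" control-access right and the
# "user" object class; these are the same in every AD forest.
$ResetPasswordRight = [Guid]'00299570-246d-11d0-a768-00aa006e0529'
$UserClass          = [Guid]'bf967aba-0de6-11d0-a285-00aa003049e2'
$ExtendedRight      = [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight

function Get-ResetPasswordDelegations {
    param([Parameter(Mandatory)][string]$DistinguishedName)

    $acl = Get-Acl -Path ("AD:\" + $DistinguishedName)
    foreach ($ace in $acl.Access) {
        # Only "Allow ... ExtendedRight" entries can carry a control-access right.
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if (-not $ace.ActiveDirectoryRights.HasFlag($ExtendedRight)) { continue }
        # An empty ObjectType means ALL extended rights, broader than the wizard grants.
        $allRights = ($ace.ObjectType -eq [Guid]::Empty)
        if (-not $allRights -and $ace.ObjectType -ne $ResetPasswordRight) { continue }
        $rightName = if ($allRights) { 'ALL extended rights' } else { 'Reset Password' }
        [pscustomobject]@{
            Container           = $DistinguishedName
            Principal           = $ace.IdentityReference.Value
            Right               = $rightName
            # InheritedObjectType = user class means the entry is limited to user objects.
            UserObjectsOnly     = ($ace.InheritedObjectType -eq $UserClass)
            # An inherited entry was delegated higher up (e.g. at the domain), not here.
            InheritedFromParent = $ace.IsInherited
        }
    }
}

# Check the Accounting OU and the domain head, as in the article's examples
# (sample names; replace with your own containers).
$targets = @('OU=Accounting,DC=test,DC=local', 'DC=test,DC=local')
$results = foreach ($dn in $targets) { Get-ResetPasswordDelegations -DistinguishedName $dn }
$results | Format-Table -AutoSize

# Least-privilege check: anything granting all extended rights, or not scoped to
# user objects, is wider than the "Reset Passwords On User Accounts" task.
$results | Where-Object { -not $_.UserObjectsOnly -or $_.Right -ne 'Reset Password' } |
    ForEach-Object { Write-Warning "Broader than intended: $($_.Principal) on $($_.Container) ($($_.Right))" }
```

Entries reported with InheritedFromParent set to True on the OU are the domain-level delegation flowing down through inheritance, which is what the Allow Inheritable Permissions From Parent option controls.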

With careful, diligent use of the delegation power inherent to Windows 2000, you can make your life as an Administrator much easier. Delegating control to subordinate admins is a good way to distribute the workload. Plus, it can be a relatively safe way for them to gain experience with Windows 2000 because they will only be able to perform the functions you have delegated to them.

One final tip for using this delegation method in the real world: If you have a group of power users who want to be able to solve some problems on their own, delegate some permissions to them. It will make them happy, while at the same time cutting down on the help desk call volume.