Use delegated control to delete accounts in Active Directory

Delegated control is a great tool to help with the day-to-day housekeeping of Active Directory. Rick Vanover shows Windows admins how to use delegated control for account objects.

In the course of administering Active Directory, there are basically two types of people when it comes to the delegated control capabilities: people who use it a lot, and people who don't use it at all. In my previous Windows Server tip, I explained that it is a good idea to put Active Directory accounts into holding patterns with dsquery. When the time comes and you need to start deleting those accounts, delegated control is a great way to make that happen. Delegation in Active Directory grants a security principal (ideally a group, never an individual user) specific permissions on a container, OU, or object, so that a defined task can be carried out without handing out Domain Admins or Account Operators membership. Under the hood, the Delegation Of Control Wizard simply writes access control entries (ACEs) onto the container's security descriptor; anything the wizard can do can also be done, and audited, with dsacls or Set-Acl.

A good example of delegation is giving the PC support team the ability to delete computer accounts in Active Directory, since that goes hand in hand with their day-to-day work of administering client computing devices. The same logic can be applied to virtually any object class in Active Directory, and it is relatively easy to set up. The one rule to keep in mind is scope: whoever holds a delete right on a container can delete every matching object in it, so keep servers, domain controllers, and workstations in separate OUs before you delegate on any of them.

Let's set up a few things to make this easy. First, the PC support team should be a global security group that contains all of the people who will be given this task. There are two ways to structure that group. The simplest approach is to have one group -- we'll call it Admin-PCSupport -- that has all of the PC support staff as members. A more granular approach is to have a task-specific group -- we'll call it Admin-DelegatedTask-DeleteComputerAccounts -- that contains the PC support staff plus anyone else who needs to perform this particular task. The task-specific group is a little more work to maintain, but it makes the permission self-documenting: a review of the OU's ACL tells you exactly who can delete computers, and removing the right from one person means removing them from one group rather than reworking the ACL.

Once the group is identified, we have what we need to set up delegation. I'm going to use the Admin-PCSupport group as an example in this lab domain (RWVDEV.INTRA). New computer accounts land in the default Computers container (CN=Computers) unless you have redirected them to an OU with redircmp; Computers is a container rather than an organizational unit (OU), so it cannot have Group Policy linked to it, but it can have control delegated on it just like an OU. In Active Directory Users and Computers, right-click the Computers container (or the OU you redirect new computers to) as an administrator and select Delegate Control (Figure A).

Figure A
The Delegation Of Control Wizard then prompts us to choose the group, and then which tasks to delegate and with which permissions. The list of common tasks is user- and group-oriented, so for computer objects choose "Create a custom task to delegate," pick "Only the following objects in the folder," tick "Computer objects," and then select "Delete selected objects in this folder." "Create selected objects in this folder" sits right next to it; if the PC support team should also be able to pre-stage computer accounts, you can tick it in the same run, but it is cleaner to grant create and delete as separate delegations to separate groups so that each right can be reviewed and revoked on its own. The wizard lets you make the granularity as fine as you want. One caveat: a computer account that carries child objects (BitLocker recovery information, for example) is removed as a subtree, and that needs the "Delete All Child Objects" right as well, so test the delegation with a real account before handing it over. Figure B shows these steps of the Delegation Of Control Wizard.

Figure B
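The same delegation, done from PowerShell so it can be scripted and verified. This is an added example and not part of the original tip; it assumes the RSAT ActiveDirectory module, the default CN=Computers container in the RWVDEV.INTRA lab domain (swap in your redirected OU's distinguished name if you use one), and that the group name Admin-PCSupport is free to create. Run it as an account that can modify the container's ACL.

```powershell
# Added example (not from the original article). Assumes RSAT ActiveDirectory
# and the lab domain RWVDEV.INTRA from the text; the container DN is the
# default Computers container and is an assumption for this lab.
Import-Module ActiveDirectory

$groupName   = 'Admin-PCSupport'
$containerDN = 'CN=Computers,DC=RWVDEV,DC=INTRA'

# 1. Global security group that holds the PC support staff.
$group = Get-ADGroup -Filter "Name -eq '$groupName'"
if (-not $group) {
    $group = New-ADGroup -Name $groupName -GroupScope Global `
                         -GroupCategory Security -PassThru
}

# 2. Grant only "delete Computer objects in this container".
#    bf967a86-... is the schemaIDGUID of the computer class; DeleteChild scoped
#    to that class is exactly what the wizard's "Delete selected objects in
#    this folder" writes. Inheritance is None: the right applies to direct
#    children of the container and nothing nested below it.
$computerClassGuid = [Guid]'bf967a86-0de6-11d0-a285-00aa003049e2'
$acl = Get-Acl -Path "AD:\$containerDN"
$ace = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $group.SID,
    [System.DirectoryServices.ActiveDirectoryRights]::DeleteChild,
    [System.Security.AccessControl.AccessControlType]::Allow,
    $computerClassGuid,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::None)
$acl.AddAccessRule($ace)
Set-Acl -Path "AD:\$containerDN" -AclObject $acl

# 3. Verify. Only the ACEs naming the group should show up, and the only
#    permission listed for it should be the scoped delete-child right.
(Get-Acl -Path "AD:\$containerDN").Access |
    Where-Object { $_.IdentityReference -like "*\$groupName" } |
    Select-Object IdentityReference, ActiveDirectoryRights, ObjectType,
                  InheritanceType, AccessControlType |
    Format-Table -AutoSize

# dsacls gives the same view in the wizard's own vocabulary, which is handy
# when comparing against a delegation someone created in the GUI.
dsacls $containerDN | Select-String $groupName
```

Step 3 is the part worth keeping around: rerun it periodically (or from a scheduled review) and diff the output, because delegated ACEs accumulate silently and nothing in the wizard reminds you they exist. If the account holding the right needs to remove computers that carry child objects, add a second ACE for DeleteTree on the same class in the same way rather than widening the first one to GenericAll.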

How do you use delegated control in Active Directory for computer and user accounts? Share your tips in the discussion.