Notice: This website is an unofficial Microsoft Knowledge Base (hereinafter KB) archive and is intended to provide a reliable access to deleted content from Microsoft KB. All KB articles are owned by Microsoft Corporation. Read full disclaimer for more details.

Default security concerns in Active Directory delegation

View products that this article applies to.


Microsoft Windows 2000 and Microsoft Windows Server 2003 include a Delegation wizard to facilitate the delegation of administrative rights over containers within Active Directory.

The Delegation wizard functions by providing administrators with a set of dialog boxes designed to specify the following items:
  • To whom the administrator wants to delegate authority.
  • The objects to which these users should gain authority.
  • The permissions the designated users have over these objects.
The Delegation wizard dynamically creates access control entries on the target container object according to the options specified in the wizard.

It is important to note that the Delegation wizard does not provide functionality to remove access control entries. If an administrator wants to reverse configuration settings created with the Delegation wizard, he or she must manually gain access to the Security Settings dialog box for the affected organizational unit and remove all added entries.

↑ Back to the top

More information

The following example demonstrates how the Delegation wizard creates access control list entries as a result of options selected:
  1. The administrator has previously configured a new Organizational Unit (OU). The OU contains all of the directory objects over which the administrator will delegate control.
  2. The administrator starts the Delegation wizard by right-clicking the OU, and then clicking Delegate Control.
  3. The Delegation wizard title dialog box appears, providing some introductory information about the wizard's functionality. Click Next to proceed.
  4. The administrator chooses the folder to which delegation will be applied.
  5. The administrator next specifies to whom delegation is going to be granted in the Users or Groups dialog box.
  6. The administrator is given the option to select the tasks to delegate. These tasks can be selected from a pre-compiled list of commonly delegated tasks, or the administrator can choose to create a custom task to delegate.
    1. If the administrator selects a common task, a summary screen is displayed in which the administrator can detail the changes to be made.
    2. If the administrator chooses to create a custom task to delegate, two dialog box are displayed in which the administrator can customize the delegated task:
      1. Level of delegation. The administrator can choose to delegate to the entire folder, or to specific objects within the folder.
      2. In the next dialog box, the administrator dictates the permissions the specified users will be able to exercise.
  7. A confirmation dialog box appears, detailing all of the options selected in the wizard. Confirming the changes completes the wizard, and adds all appropriate access control entries to the target Active Directory container.

↑ Back to the top


For more information about this topic in Windows 2000 Server, visit the following Microsoft Web site:
Best practice Active Directory Design for managing Windows networks
For more information about this topic in Windows Server 2003, visit the following Microsoft Web sites:

Best practices for delegating Active Directory administration: How delegation works in Active Directory

Best practices for delegating Active Directory administration: Case study: a delegation scenario

↑ Back to the top

Keywords: KB235531, kbinfo

↑ Back to the top

Article Info
Article ID : 235531
Revision : 9
Created on : 10/11/2007
Published on : 10/11/2007
Exists online : False
Views : 538