    How to Delegate Administrator Privileges in Active Directory

    The primary reason to create organizational units is to distribute administrative tasks across the organization by delegating administrative control to other administrators. Delegation is especially important when a decentralized administrative model is adopted. Delegation of administration is the process of decentralizing the responsibility for managing organizational units from a central administrator to other administrators. The ability to set access on individual organizational units is an important security feature of Active Directory: access can be controlled down to the lowest level of an organization without having to create many Active Directory domains.

    Authority delegated at the site level will likely span domains or, conversely, may not include all targets in the domain. Authority delegated at the domain level affects all objects in the domain. Authority delegated at the organizational unit level can affect that object and all of its child objects, or just the object itself.

    Delegation of control is the ability to assign the responsibility of managing Active Directory objects to another user, group, or organization. By delegating control, the need for multiple administrative accounts that have broad authority can be eliminated. Delegated administration in Active Directory eases the burden of managing a network by distributing routine administrative tasks to multiple users. Basic delegated rights, such as creating a user account or a group account, can be given to ordinary users, while major domain-wide administration work can be delegated to senior or junior administrators.

    Autonomy is the ability of administrators in an organization to independently manage:

    • All or part of service management (called service autonomy).
    • All or part of the data in the Active Directory database or on member computers that are joined to the directory (called data autonomy).

    Common Administrative Tasks

    Administrators routinely perform the following tasks in Active Directory:

    • Change properties on a particular container. For example, when a new software package is available, administrators may create a group policy that controls software distribution.
    • Create and delete objects of a specific type. In an organizational unit, specific types may include users, groups, and printers. When a new employee joins the organization, for example, a user account is created for the employee and then the employee is added to the appropriate organizational unit or group.
    • Update specific properties on specific object types. In an organizational unit, this is perhaps the most common administrative task performed. Updating properties includes tasks such as resetting passwords and changing an employee's personal information, such as a home address and phone number, when the employee moves.

    Delegation of Administrative Control

    Use the Delegation of Control Wizard to delegate administrative control of Active Directory objects such as organizational units. By using the wizard, users can delegate common administrative tasks such as creating, deleting, and managing user accounts.

    To delegate common administrative tasks for an organizational unit, perform the following steps:

    • Start the Delegation of Control Wizard by performing the following steps:
      • Open Active Directory Users and Computers.
      • In the console tree, double-click the domain node.
      • In the details pane, right-click the organizational unit, click Delegate Control, and then click Next.
    • Select the users or groups to which common administrative tasks will be delegated. To do so, perform the following steps:
      • On the Users or Groups page, click Add.
      • In the Select Users, Computers, or Groups dialog box, type the names of the users and groups to which control of the organizational unit is to be delegated, click OK, and then click Next.
    • Assign common tasks to delegate. To do so, perform the following steps:
      • On the Tasks to Delegate page, click Delegate the following common tasks.
      • On the Tasks to Delegate page, select the tasks to be delegated and click OK.
    • Click Finish.

    Customizing Delegated Administrative Control

    In addition to using the Delegation of Control Wizard to delegate the common set of administrative tasks (such as the creation, deletion, and management of user accounts), you can use the wizard to select a set of custom tasks and delegate control of only those tasks.

    For example, users can delegate control of all existing objects in an organizational unit and any new objects that are added, or they can select only certain object types in the organizational unit to delegate administrative control of, such as only user objects. Users can also specify that they want to delegate only the creation of the selected objects, only their deletion, or both.

    To delegate custom administrative tasks for an organizational unit, perform the following steps:

    • Start the Delegation of Control Wizard.
    • Select the users or groups to which administrative tasks will be delegated.
    • Assign the custom tasks to delegate. To do this, perform the following steps:
      • On the Tasks to Delegate page, click Create a custom task to delegate, and then click Next.
      • On the Active Directory Object Type page, select one of the following options:
        • Click This folder, existing objects in this folder, and creation of new objects in this folder, and then click Next.
        • Click Only the following objects in the folder, select the Active Directory object type over which control is to be delegated, and then click Next.
      • Select the permissions to be delegated and click Next.
    • Click Finish.
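    Both wizard procedures above (common tasks and custom tasks) end up writing access control entries on the organizational unit. The following PowerShell is an added example, not code from the original article: it performs one such delegation (the extended right Reset Password on user objects under an OU, the case the article and the comments discuss) directly on the OU's ACL, and then lists what is explicitly delegated on that OU so the result can be reviewed. It assumes the RSAT ActiveDirectory module, a session entitled to modify the OU, and that the OU distinguished name and group name (placeholders) exist.

```powershell
Import-Module ActiveDirectory   # RSAT module; provides the AD: PSDrive used below
# Resolve the schemaIDGUID of an object class (e.g. 'user', 'computer').
function Get-SchemaClassGuid([string]$ClassName) {
    $schemaNC = (Get-ADRootDSE).schemaNamingContext
    $cls = Get-ADObject -SearchBase $schemaNC -Properties schemaIDGUID `
        -LDAPFilter "(&(objectClass=classSchema)(lDAPDisplayName=$ClassName))"
    return [guid]$cls.schemaIDGUID
}

# Resolve the rightsGuid of a control-access (extended) right by its display name.
function Get-ExtendedRightGuid([string]$DisplayName) {
    $configNC = (Get-ADRootDSE).configurationNamingContext
    $right = Get-ADObject -SearchBase "CN=Extended-Rights,$configNC" -Properties rightsGuid `
        -LDAPFilter "(&(objectClass=controlAccessRight)(displayName=$DisplayName))"
    return [guid]$right.rightsGuid
}

# Write one ACE on the OU: Allow <group> the extended right <RightName> on all descendant
# objects of class <ObjectClass>. With the defaults: reset passwords of users in this OU.
function Grant-OUExtendedRight {
    param(
        [Parameter(Mandatory)][string]$OuDn,
        [Parameter(Mandatory)][string]$GroupName,
        [string]$RightName = 'Reset Password',
        [string]$ObjectClass = 'user'
    )
    $ace = [System.DirectoryServices.ActiveDirectoryAccessRule]::new(
        (Get-ADGroup $GroupName).SID,
        [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight,
        [System.Security.AccessControl.AccessControlType]::Allow,
        (Get-ExtendedRightGuid $RightName),
        [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents,
        (Get-SchemaClassGuid $ObjectClass))
    $acl = Get-Acl -Path "AD:\$OuDn"
    $acl.AddAccessRule($ace)
    Set-Acl -Path "AD:\$OuDn" -AclObject $acl
}

# Audit: the explicit (non-inherited) ACEs on an OU are exactly what has been
# delegated at that OU, as opposed to rights inherited from the domain head.
function Get-OUDelegation([string]$OuDn) {
    (Get-Acl -Path "AD:\$OuDn").Access | Where-Object { -not $_.IsInherited } |
        Select-Object IdentityReference, AccessControlType, ActiveDirectoryRights, ObjectType, InheritedObjectType
}

# Placeholder OU and group names (assumed to exist); substitute your own.
$ou = 'OU=HRUsers,OU=Employees,DC=example,DC=com'
Grant-OUExtendedRight -OuDn $ou -GroupName 'HR-PasswordReset'
Get-OUDelegation -OuDn $ou | Format-Table -AutoSize
```

    Running Get-OUDelegation on its own against every OU is a quick way to review which groups hold delegated rights where, and whether any of them still need them.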


    6 comments
    1. Jeff

      28 February, 2017 at 9:35 pm

      Where is there a list of what each item on the ACL controls? I want to grant a security group the rights to reset computer accounts. That’s all I want them to do, nothing else. What blocks do I check for that privilege?

      Reply
    2. semfred

      10 October, 2012 at 1:22 pm

      Sir, I have a problem. I successfully delegated control to a user named USER1. Why is it that when I try to log on it says "you cannot log on because the logon method you are using is not allowed on this computer"?

      Reply
    3. Lepide

      27 February, 2012 at 8:05 am

      Delegation of administration is really a fancy way of referring to establishing access control lists on organizational units and accounts in Active Directory. If we were to compare delegation of administration to a standard file and folder structure, you can see how the concept works.

      Assume that you have a folder structure where there is a top level folder, with two tiers of folders under it. The top level is called Data and the two tiers under the Data folder include Departments and HRData. The Departments folder also has other subfolders including Sales, Engineering, Finance, and Executives. If you want someone from the IT department to control all files for all departments, you would configure the permissions at the Departments level. If however, you wanted a user from the HR department to control the files under the HRData folder only, you would configure the permissions on the HRData folder, thus giving them access to all files stored under it.

      Delegation of Administration is similar. Let's assume that you have an organizational unit (OU) structure such that the top level OU is named Employees and the child OUs are Departments and HRUsers. Departments also includes child OUs such as SalesUsers, EngineeringUsers, FinanceUsers, and ExecutiveUsers. If you wanted someone from the IT department to have the ability to reset the password for all employees in all departments, you would establish that delegation of administration at the Departments OU level. If however, you wanted a manager from the HR department to be able to reset the passwords for only the HR users, you would configure the delegation of administration on the HRUsers OU, thus giving them the ability to just reset passwords for these users.

      As you can see, delegation of administration is designed to allow domain admins the ability to offload specific tasks, to specific users/administrators, over specific objects within the Active Directory structure.

      Reply
      • Surjeet

        2 May, 2012 at 5:49 pm

        Thank you so much for sharing the knowledge with us.

        Can you please tell us how to set permissions on an OU?

        Reply
    4. hailumebrahetu

      12 August, 2011 at 8:34 am

      Sir, I have one problem in my network: I cannot manage one PC application. By administrator it can, but by user account I can't. So how can I solve it?
      Thank you!

      Reply
    5. SATHEESH KUMAR M

      28 June, 2011 at 12:16 pm

      Hi

      Is it possible to allow only software installation rights to a particular user, restricting other domain controller activities?

      Regards

      M.Satheesh Kumar
      Chennai, India.
      09841675034

      Reply