A247 - Delegate Control
Last Updated: 05/04/2009
Background
- Often the network administrator is too busy drinking coffee and day
trading on the stock market to be bothered by adding/deleting/managing users
within an OU.
- Is there something that can be done to relieve the admin from all this
back-breaking work?
- Fortunately, yes. The administrator can delegate control to other
trusted users, and Windows 2008 Server has a wizard that steps you through
the process.
Working on the Server Computer
Part I
- Go back to the SoftwareUnit OU that you created in a previous lab.
- Poke around until you find out how to launch the "Delegation of
Control Wizard" on the SoftwareUnit OU.
- Delegate the creation, deletion and managing of user accounts only within
the SoftwareUnit to Kim Harris.
But use your head!
- One of our network administration principles says: avoid assigning rights
directly to a user, assign them to other objects (e.g., security groups) and
then associate a user with that other object.
- Later on, if you need to change which user has those assigned rights, you
just change who is associated with that other object.
- Okay, if you don't want to assign rights directly to a user object, to which object in the SoftwareUnit should you delegate control?
- Once you figure that out, use the delegate control wizard to delegate
control to that object. If you can't figure it out ask for help.
- Then associate Kim Harris with that other object.
- Finally, in the description field of this other object, add the following
description:
"create/delete/manage users within the SoftwareUnit OU"
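To check what the wizard actually wrote to the OU, the following PowerShell (an added example, not part of the original lab) lists the explicit access-control entries on the OU that target user objects and reports whether each trustee is a user or a group. The domain components DC=example,DC=com are placeholders, and the script assumes PowerShell 2.0 or later run on the server by an administrator.

```powershell
# Added example. The DN below is an assumption: substitute your lab's domain components.
$ouDn = 'OU=SoftwareUnit,DC=example,DC=com'

# schemaIDGUID of the Active Directory "user" object class.
$userClass = [guid]'bf967aba-0de6-11d0-a285-00aa003049e2'

$sidType = [System.Security.Principal.SecurityIdentifier]
$ntType  = [System.Security.Principal.NTAccount]
$ou      = [ADSI]"LDAP://$ouDn"

# Explicit ACEs only ($false = skip inherited), with trustees returned as SIDs
# so that an unresolvable trustee cannot abort the listing.
$rules = $ou.psbase.ObjectSecurity.GetAccessRules($true, $false, $sidType)

$rules |
    Where-Object { $_.ObjectType -eq $userClass -or $_.InheritedObjectType -eq $userClass } |
    ForEach-Object {
        $ace = $_
        $sid = $ace.IdentityReference.Value

        # Friendly name for display, falling back to the raw SID.
        try   { $name = $ace.IdentityReference.Translate($ntType).Value }
        catch { $name = $sid }

        # Most specific objectClass of the trustee (user, group, ...).
        try   { $class = @(([ADSI]"LDAP://<SID=$sid>").psbase.Properties['objectClass'])[-1] }
        catch { $class = $null }
        if (-not $class) { $class = 'unknown' }

        New-Object PSObject -Property @{
            Trustee      = $name
            Class        = $class
            Type         = $ace.AccessControlType
            Rights       = $ace.ActiveDirectoryRights
            DirectToUser = ($class -eq 'user')   # True = rights assigned straight to a user object
        }
    } |
    Sort-Object Trustee |
    Format-Table Trustee, Class, Type, Rights, DirectToUser -AutoSize
```

Default entries for built-in groups may appear alongside the ones the wizard added; a row with DirectToUser set to True means the rights were assigned directly to a user account, which the principle above says to avoid.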
Working on the Client Computer
Part II
- On your client machine, log out and log in as Kim Harris.
You're going to run the Active Directory Users and Computers administrative
tool from the client machine.
- Click Start | All Programs | Accessories | Run
- In the Run edit box type: mmc
(mmc stands for Microsoft Management Console)
- When the mmc comes up:
- Click: File | Add/Remove Snap-in...
- From the available snap-ins, Add the Active Directory Users and Computers
administrative tool
- Use this tool to create a new user inside the SoftwareUnit OU
- If you're having trouble, ask for help.
- Show me that you (logged in as Kim Harris) can create and delete users
from the SoftwareUnit OU
- Also, try to delete the lowdog user from the DogPound OU.