perform on objects in that OU and even delegate other tasks to different users or groups. The
following are the most common tasks that can be delegated:
• Create, delete, and manage user accounts.
• Reset user passwords and force password change at next logon.
• Read all user information.
• Create, delete, and manage groups.
• Modify the membership of a group.
• Manage group policy links.
• Generate Resultant Set of Policy (Planning).
• Generate Resultant Set of Policy (Logging).
Three more predefined tasks can be delegated for the object class
inetOrgPerson, which is a user and contact class defined in Active
Directory for LDAP compatibility.
In addition to these predefined tasks, you can define custom tasks, which allow fine-grained
control over the management tasks a user can perform in an OU. When you create a custom
task, you must fully understand the nature of objects, permissions, and permission inheritance.
Even if you delegate control only by using predefined tasks, your understanding of how
permissions and permission inheritance work is important. After all, the Delegation of Control
Wizard does nothing more than assign permissions for Active Directory objects to selected users
or groups.
Activity 4-2: Delegating Control of an OU
Time Required: 10 minutes
Objective: Create a user and delegate control of an OU to that user.
Description: Your responsibilities as IT administrator have been keeping you busy, and you're
trying to focus on plans for a sizable network expansion. You have been slowed considerably
because the Marketing Department is expanding, and you're fielding frequent requests to
create users and groups and reset forgotten passwords. You have hired a new technician and
think he's ready for additional responsibilities, so you decide to delegate control of user
accounts to him.
1. If necessary, log on to your server as Administrator, and open Active Directory Users and
Computers.
2. Right-click the Operations OU you created in Activity 4-1, point to New, and click User.
3. Type Joe in the First name text box, Tech1 in the Last name text box, and jtech1 in the User
logon name text box. Click Next.
4. Type Password01 in the Password text box and again in the Confirm password text box.
Click to clear the User must change password at next logon check box. Click Next, and then
click Finish.
5. Right-click the Marketing OU and click Delegate Control to start the Delegation of Control
Wizard. Click Next.
6. Click Add. In the Enter the object names to select text box, type jtech1. Click Check Names,
and then click OK. Click Next.
7. Click the Create, delete, and manage user accounts check box. Click Next, and then click
Finish.
8. Leave Active Directory Users and Computers open for the next activity.
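Because the wizard only writes permissions on the OU, the result of this activity can be checked by reading the OU's access control list. The PowerShell below is an added example, not part of the original text; it assumes the ActiveDirectory module (RSAT) is installed and uses the Marketing OU and jtech1 names from the activity.

```powershell
# Added example: list the explicit (non-inherited) ACEs that the Delegation of
# Control Wizard wrote on the Marketing OU for the delegated account.
Import-Module ActiveDirectory   # also provides the AD: drive used by Get-Acl

$ouName   = 'Marketing'   # OU delegated in step 5
$delegate = 'jtech1'      # account selected in step 6

$rootDse = Get-ADRootDSE
$ou = Get-ADOrganizationalUnit -Filter "Name -eq '$ouName'" | Select-Object -First 1
if (-not $ou) { throw "OU '$ouName' not found" }

# Build a GUID -> name lookup from the schema (classes and attributes) and from
# the extended rights container, so the GUIDs stored in each ACE are readable.
$guidMap = @{}
Get-ADObject -SearchBase $rootDse.schemaNamingContext -LDAPFilter '(schemaIDGUID=*)' `
    -Properties lDAPDisplayName, schemaIDGUID |
    ForEach-Object { $guidMap[[guid]$_.schemaIDGUID] = $_.lDAPDisplayName }
Get-ADObject -SearchBase "CN=Extended-Rights,$($rootDse.configurationNamingContext)" `
    -LDAPFilter '(rightsGuid=*)' -Properties displayName, rightsGuid |
    ForEach-Object { $guidMap[[guid]$_.rightsGuid] = $_.displayName }

function Resolve-Guid([guid]$g) {
    # An all-zero GUID means the ACE is not limited to one class or attribute.
    if ($g -eq [guid]::Empty) { return '(all)' }
    if ($guidMap.ContainsKey($g)) { return $guidMap[$g] }
    return $g.ToString()
}

# Read the OU's DACL and keep only entries set directly on it for the delegate.
$acl = Get-Acl -Path "AD:\$($ou.DistinguishedName)"
$acl.Access |
    Where-Object { -not $_.IsInherited -and $_.IdentityReference -like "*\$delegate" } |
    Select-Object IdentityReference, AccessControlType, ActiveDirectoryRights,
        @{ n = 'AppliesTo'; e = { Resolve-Guid $_.ObjectType } },
        @{ n = 'OnClass';   e = { Resolve-Guid $_.InheritedObjectType } },
        InheritanceType |
    Format-Table -AutoSize -Wrap
```

For this predefined task, the entries to expect are create and delete child rights limited to user objects on the OU, plus full control over user objects beneath it. Running the same query without the `$delegate` filter shows every explicit delegation on the OU, which is a quick way to review who has been granted control.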