The ability to delegate administrative responsibility is a major strength of Windows 2000/Server 2003. This delegation can be set at the domain, organizational unit, or object level and involves the assignment of appropriate permissions ranging from Read-Only to Full Control. As a general rule, objects should be placed in OUs prior to delegation. For example, by placing all printers in an OU, it is possible to provide permissions to a group of users to manage these devices. All users in the Sales department might be in another organizational unit. Management of those user accounts can then be delegated to a trusted administrator. Obviously, responsibility must be delegated with care.
Two best practices should be used when delegating authority: delegate at the organizational unit level whenever possible, for ease of permission tracking, and use the Delegation of Control Wizard, as follows:
1. Open the Active Directory Users and Computers snap-in.
2. Right-click the predefined organizational unit and select Delegate Control (Figure 6.24).
3. Select the user(s) or group(s) to whom authority is to be delegated (Figure 6.25).
4. For common tasks, select from the items listed; for expanded and specialized authority, click Create a custom task to delegate (Figure 6.26).
5. If Create a custom task to delegate was selected, mark those items to which delegated authority is to be granted (Figure 6.27).
6. Select the permission level that is to be delegated (Figure 6.28).
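The wizard records each delegation as access control entries set directly on the organizational unit, so tracking permissions comes down to reading those entries back. The following is an added example, not part of the original text: it assumes a management workstation with the RSAT ActiveDirectory PowerShell module, the function name `Get-OuDelegation` and its ignore list are hypothetical, and the OU distinguished name is a placeholder.

```powershell
# Added example: report explicit (non-inherited) ACEs on an OU, i.e. what was delegated there.
# Assumes the RSAT ActiveDirectory module, which also provides the AD: drive used by Get-Acl.
Import-Module ActiveDirectory

function Get-OuDelegation {
    param(
        [Parameter(Mandatory)] [string] $OuDn,
        # Assumed baseline of principals expected on every OU; adjust for your domain.
        # Kept deliberately short so that broad grants are never hidden from the report.
        [string[]] $IgnorePattern = @(
            '^NT AUTHORITY\\SYSTEM$', '^BUILTIN\\Administrators$',
            '\\Domain Admins$', '\\Enterprise Admins$')
    )

    # Map schema GUIDs (classes, attributes) and extended-right GUIDs to readable names.
    $root  = Get-ADRootDSE
    $names = @{}
    $names[[guid]::Empty] = 'All'
    Get-ADObject -SearchBase $root.schemaNamingContext -LDAPFilter '(schemaIDGUID=*)' `
                 -Properties lDAPDisplayName, schemaIDGUID |
        ForEach-Object { $names[[guid]$_.schemaIDGUID] = $_.lDAPDisplayName }
    Get-ADObject -SearchBase "CN=Extended-Rights,$($root.configurationNamingContext)" `
                 -LDAPFilter '(objectClass=controlAccessRight)' -Properties displayName, rightsGuid |
        ForEach-Object { $names[[guid]$_.rightsGuid] = $_.displayName }

    # Keep only ACEs set directly on this OU and not held by a baseline principal.
    (Get-Acl -Path "AD:\$OuDn").Access |
        Where-Object { -not $_.IsInherited } |
        Where-Object {
            $id = $_.IdentityReference.Value
            -not ($IgnorePattern | Where-Object { $id -match $_ })
        } |
        ForEach-Object {
            [pscustomobject]@{
                OU        = $OuDn
                Principal = $_.IdentityReference.Value
                Type      = $_.AccessControlType       # Allow or Deny
                Rights    = $_.ActiveDirectoryRights   # e.g. ReadProperty, WriteProperty, GenericAll
                Object    = $names[$_.ObjectType]      # attribute, class or extended right granted
                AppliesTo = $names[$_.InheritedObjectType]  # object class the ACE applies to
                Scope     = $_.InheritanceType         # None, All, Descendents, Children, ...
            }
        }
}

# Placeholder DN: substitute the OU that was delegated.
Get-OuDelegation -OuDn 'OU=Sales,DC=example,DC=com' | Format-Table -AutoSize
```

Running it before and after the wizard and comparing the two outputs shows exactly which entries a delegation added; a row with `GenericAll` rights corresponds to Full Control.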