How to delegate basic server administration to Junior Admins

 

Here is a complete list of articles for delegating controls to admins:

 

You can delegate permissions to junior Admins using MMC Taskpads.

How to use Adminpak.msi to install a specific server administration tool in Windows
http://support.microsoft.com/?kbid=314978

HOW TO: Delegate Administrative Authority in Windows 2000
http://support.microsoft.com/?kbid=315676

HOW TO: Create and Edit a Taskpad View in a Saved MMC Console in Windows 2000
http://support.microsoft.com/?kbid=321143

Default Security Concerns in Active Directory Delegation
http://support.microsoft.com/?kbid=235531

Delegate Control Wizard Cannot Be Used to Remove Groups or Users
http://support.microsoft.com/?kbid=229873

Administrative Tool Menu Is Sensitive to User’s Permissions
http://support.microsoft.com/?kbid=214739

In a Server 2003 domain, you can ignore the part about editing dssec.dat:

How To Delegate the Unlock Account Right
http://support.microsoft.com/?kbid=294952

A must-read for Domain Administrators:

Design Considerations for Delegation of Administration in Active Directory

*Achieving Autonomy and Isolation with Forests, Domains, and Organizational Units*
http://www.microsoft.com/technet/prodtechnol/windows2000serv/technologies/activedirectory/plan/addeladm.mspx

You can also set delegation on properties using scripts:

Part 1
http://www.microsoft.com/technet/scriptcenter/topics/security/exrights.mspx

Part 2
http://www.microsoft.com/technet/scriptcenter/topics/security/propset.mspx

You can find the security attributes for each object in Chapter 6 of *Inside Active Directory, Second Edition*.
An online version of this book is available here:

http://www.readol.net/books/computer/Windows/Inside.Active.Directory.A.System.Administrators.Guide.Second.Edition/0321228480/ch04lev1sec3.html
