Server 2008 provides a powerful delegation of control wizard that can be used to assign permissions to users and groups. This article will provide an overview of the wizard and show how it can be used to assign permissions on a server.

The delegation of control wizard is located in the Server Manager console under the Manage menu. The wizard has three main sections: Permissions, Users, and Groups. In the Permissions section, you can select which users or groups have permission to perform specific tasks on the server. The Users section allows you to add new users or groups, or modify existing users or groups. The Groups section allows you to add new groups or modify existing groups.

To use the delegation of control wizard, first select the server on which you want to make changes. Next, click the Manage menu and select Delegation of Control Wizard from the list of options. The Delegation of Control Wizard window will open. In this window, you will first need to select which permissions you want to assign using the Permissions tab. You can select from several options including Read/Write/Execute (RWE), Create Files/Read Data/Write Data (CWR), Change Permissions, and List Folder Contents (LFC).

To add a user or group, click Add User Or Group and enter the name of the user or group into the text box next to User Name (or Group Name). To modify an existing user or group, click Modify User Or Group and enter the name of the user or group into the text box next to User Name (or Group Name). You can also specify whether this user or group has administrative rights by checking the box next to Has Administrative Rights. Click OK when finished adding users and groups.

If you only want certain users or groups on your server to have certain permissions, but do not want them assigned any administrative rights, you can use one of two other options in ..


We’re going to say that we’ve just started building our network, and we’d like to give our Helpdesk admins the ability to reset passwords for people. Since we don’t want the Helpdesk modifying other parts of our domain, we want to restrict their access rights to only that task, for the time being. The simplest way is to use the Delegation of Control Wizard, so we’ll start by going to our Administrative Tools and opening the Active Directory Users and Computers snap-in. Once we expand our domain, we’ll go down to the OU that holds our Helpdesk group, right-click on it, and choose Delegate Control.

 

The wonderful welcome screen of the Delegation Wizard pops up, and we click Next.

We need to add our Helpdesk, so we click Add.

We type in the name of our group, helpdesk, and then click the Check Names button. Once it finds them in AD, the name will display fully, and we can click the OK button.

 

Once it shows up in our list of selected users and groups, we’ll move forwards by clicking the Next button again.

 

Now we get to the real power of the Delegation of Control Wizard. The wizard lists out the most commonly used tasks to delegate control for, but also allows you to add some of the more obscure rights as well through the Create a custom task to delegate option. Since we just want to give our helpdesk admins the right to reset passwords, we’ll choose that one from the list and click Next.

Next we’ll get a summary of all the controls we are about to delegate. It’s always a good idea to read over this, just to make sure you didn’t accidentally check one of the wrong boxes. Once we’re certain that everything looks good, we click the Finish button.

 

To verify what rights we’ve just delegated, we open a command prompt and type in:

dsacls.exe "ou=People,dc=sysadmingeek,dc=com"

We can now see the rights listed out, and how those rights are inherited by our helpdesk admin, Susan Doe.
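The same check can be scripted so it can be repeated after every delegation change. The PowerShell below is an added example, not part of the original article: it reads the OU's ACL through ADSI and marks every entry for the delegated group that is not one of the two entries the reset-password task is expected to add (the Reset Password extended right and read/write on pwdLastSet, both inherited to user objects). The group name SYSADMINGEEK\helpdesk (the NetBIOS domain name is assumed) and Windows PowerShell 2.0 or later are assumptions; the GUIDs are the standard Active Directory schema identifiers.

```powershell
# Added example: audit what one delegated group can do on an OU.
$ouDn  = 'ou=People,dc=sysadmingeek,dc=com'   # OU from the dsacls command above
$group = 'SYSADMINGEEK\helpdesk'              # assumed NetBIOS form of the group name

# Expected ACEs: schema GUID -> highest ActiveDirectoryRights mask we accept for it.
$expected = @{
    '00299570-246d-11d0-a768-00aa006e0529' = 0x100  # Reset Password: ExtendedRight
    'bf967a0a-0de6-11d0-a285-00aa003049e2' = 0x30   # pwdLastSet: ReadProperty | WriteProperty
}
$userClass = 'bf967aba-0de6-11d0-a285-00aa003049e2' # schema GUID of the user class

# Read explicit and inherited ACEs, with trustees translated to DOMAIN\name.
$ou    = [ADSI]"LDAP://$ouDn"
$rules = $ou.ObjectSecurity.GetAccessRules($true, $true,
             [System.Security.Principal.NTAccount])

$rules | Where-Object { $_.IdentityReference.Value -eq $group } | ForEach-Object {
    $ace  = $_
    $mask = $expected[$ace.ObjectType.ToString()]

    # An ACE is expected only if it is an Allow entry, targets one of the two
    # known GUIDs, grants nothing beyond the accepted mask, and applies to
    # user objects only. Everything else needs a human look.
    $ok = ($ace.AccessControlType -eq 'Allow') -and
          ($mask -ne $null) -and
          (([int]$ace.ActiveDirectoryRights -band (-bnot $mask)) -eq 0) -and
          ($ace.InheritedObjectType.ToString() -eq $userClass)

    $ace | Select-Object @{n='Verdict'; e={ if ($ok) {'expected'} else {'REVIEW'} }},
                         AccessControlType, ActiveDirectoryRights,
                         ObjectType, InheritedObjectType, IsInherited
} | Format-Table -AutoSize
```

Any row marked REVIEW is a right the group holds on the OU beyond the password-reset delegation, such as GenericAll or a write to an unrelated attribute, and should be traced back to whoever granted it.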

 

This was just a brief glimpse of the Delegation Wizard, and you can use it much more in depth than we’ve shown to get more specific with user and group controls.