>Delegate Control or Let Someone Else Do Something for a Change!

12/28/2010

>Have you ever been in the situation where you have WAY too much work? As IT professionals we have the internal drive to get everything done and done correctly. We have responsibilities and are motivated to take care of them ourselves because you and I both know that NO ONE can do it better than you! So you get stuck with everything even remotely related to technology. Tell the truth, I’ll bet you even get to troubleshoot the Caffeine Output Focal Flavor Enhancer (C.O.F.F.E.) system.

I used to have the same problem. Then I discovered the solution! It’s called delegation. Ah, simple, but who can I trust with the keys to the kingdom? Who else has the subtle combination of technical skills and problem solving ability to manage a network? To whom can I grant such great power?

Uhhh. No one.

That’s right . Don’t grant anyone full power of the domain. But what you CAN do is grant the ability for other folks to have control over their specific area. Microsoft created a feature, way back with the release of Active Directory in Windows 2000 called Delegation of Control. In the example below you will see how easy it is to grant minor powers to people in order to make YOUR job easier and them happier!

Step 1: To begin the process of delegating control we open Active Directory Users and Computers.


Step 2: We then right-click on the Organizational Unit which will be managed by our group. In this example we will right-click on the Production OU. After right-clicking on the Production OU we click Delegate Control.

Step 3: Click Next on the Welcome page.

Step 4: Click Add and select the group to which you wish to delegate control. We will choose the IT group.

Step 5: After entering the group name click Ok then click Next.


Step 6: At this point we have two options:

A) Delegate a common task: This is frequently how the Delegation of Control Wizard is utilized. Resetting passwords and working with groups are examples.

B) Create a custom task to delegate: This option allows us to go into much more detail and granularity to grant rights to very specific properties. Examples would include changing users address and phone information.

Note that custom tasks require more time and testing, but offer higher flexibility in granting rights.

We will check the box to delegate the common task of resetting user passwords and forcing password changes and then click Next.

Step 7: We now click Finish and the delegation is complete!

Not too shabby! Keep in mind the people to whom you grant control will need to have the tools installed on their management system. For Windows XP and older that would be the Adminpak.msi. For Windows Vista and Windows 7 you install the Remote Server Administration Tools (RSAT). Both can be downloaded from Microsoft.

Watch out! In the next blog from Troy I’ll show you how to create a specialized tool so your new Junior Admins can complete the task at hand, but only see what you want them to see!