Windows IT Pro is the leading independent community for IT professionals deploying Microsoft Windows server and client applications and technologies.
  
  
  Advanced Search 


January 2004

Planning and Customizing AD Delegation

Use the Task, Role, Scope methodology to administer your AD environment
From the January 2004 Edition
of Windows IT Pro
Dan Holme
Focus
InstantDoc #41105
Windows IT Pro
Email this Article
Printer Friendly
Reader Comments
Digg This
Del.icio.us
RSS
Subscribe to Windows IT Pro | See More Active Directory (AD) Articles Here | Reprints | Or get the Monthly Online Pass—only $5.95 a month!
SideBar    When Delegation Isn’t Technically Delegation

By using the Delegate Control option from a container, you're automatically specifying the scope of the delegation. The wizard asks you to specify

  • to whom you're trying to grant control. You specify this entity by adding security principals, specifically the administrative group that represents the role. Figure 3 shows the wizard screen in which you add these security principals.
  • the type of control the security principals should have. You'll notice that the wizard uses the word task, as Figure 4 shows. You can select from a list of what the wizard categorizes as common tasks, or you can create a custom task. Your definition of common tasks will likely differ from these defaults. But as you'll see in a moment, you can customize the Delegation of Control Wizard to display tasks that are common for you.

So, even the wizard is following best practice—a top-down implementation of Task, Role, Scope. After you specify these three delegation components, the wizard modifies the ACL on the container accordingly.

Customizing Delegation Interfaces
Unfortunately, the Delegation of Control Wizard's limited list of common tasks oversimplifies delegation to the point that the wizard becomes useless for any thoroughly thought-out delegation plan. For example, one common administrative task is unlocking accounts that have been locked by a user who has forgotten his or her password. Another example is password resets. When an administrator resets a user password, best practice is to require the user to change the password at his or her next logon. This task isn't available in Win2K's Delegation of Control Wizard. (However, this task is available in Windows 2003's Delegation of Control Wizard.) Strictly controlling the deletion of objects—especially of users, groups, and computers—is also common, particularly in larger organizations, because the deletion of an object results in the loss of its SID. The wizard's common task provides for the creation, management, and deletion of user objects, but what if you want to divide those tasks?

To customize the tasks that the wizard provides, you can modify the delegwiz.inf file, which resides in the hidden \%windir%\inf folder. The delegwiz.inf file has a simple structure in which each common task is defined by a template that provides the task with a user-friendly name and details the ACL changes that the wizard must make to implement the delegation. Near the top of the delegwiz.inf file is a section labeled DelegationTemplates. The Templates parameter that follows lists the templates in the file. If you add or remove a template, you must add or remove the template name from this list.

Listing 1 shows a template that's part of the standard delegwiz.inf file. The code at callout A in Listing 1 states that the template will apply when you invoke the wizard from a domain, OU, or container object. The code at callout B contains a user-friendly description of the task. The code at callout C indicates that if the task is selected in the Delegation of Control Wizard, the wizard will modify permissions on the scope container and on user objects. A permissions template exists for the scope and for the user objects. The scope permissions template permits the creation and deletion of user objects. The user objects permissions template assigns full control (i.e., GA in Listing 1) to all properties of user objects.

By using the templates that Listing 2 shows, you can implement two of the common tasks that Microsoft missed when it designed the wizard. You'll need to add templatecustom01 and templatecustom02 to the list in the Templates parameter of the DelegationTemplates section. You must modify delegwiz.inf on the computer from which you administer AD. If you want multiple administrators to use a custom delegwiz.inf file, distribute it appropriately. A service pack or OS upgrade could potentially overwrite your file, so be sure to back it up. After you customize your Delegation of Control Wizard, you'll be able to easily delegate control without having to dig into the AD objects's ACLs and risk mistakes.

For more information about the structure of delegwiz.inf, check out the Microsoft article "HOWTO: Customize the Task List in the Delegation Wizard" (http://support.microsoft.com/?kbid=308404). You can find information about specific Lightweight Directory Access Protocol (LDAP) property and object names and permissions specifiers at TechNet and the Microsoft Developer Network (MSDN).

Missing Permissions
One unfortunate characteristic of the ACL Editor in both Windows 2003 and Win2K is that it doesn't show you all available permissions. The reason is that far too many exist. That reason is understandable, but what if you assign a permission but can't see it in the UI? By modifying dssec.dat, a text file in the \system32 folder, you can determine which permissions appear in the ACL Editor. The dssec.dat file is divided into sections, each of which displays a property. A property value of 7 means hide, and a property value of 0 (or no mention of the property at all) means show. Listing 3 shows part of the [user] section of a sampledssec.dat file.

In the [user] section, the property lockoutTime is set to 7, so it won't appear in the ACL Editor. Changing that property to 0 causes the property to appear, as Figure 5 shows. Windows 2003's dssec.dat file doesn't include lockoutTime under the [user] section, so the property does appear in the ACL Editor.

The dssec.dat file also determines which properties appear in the custom tasks portion of the Delegation of Control Wizard. As with delegwiz.inf, you must modify dssec.dat on the machine from which you administer AD. You should back up dssec.dat so that you're safe in the event of a service pack or upgrade overwrite. If you customize delegwiz.inf so that you can easily delegate otherwise unavailable tasks, you should ensure that dssec.dat makes visible the permissions you're setting. For example, if you use the second template in Listing 2 to provide an Unlock locked user accounts task, be sure to set lockoutTime to 0 in dssec.dat.

Eliminate Human Error
By carefully planning your delegation and distributing customized dssec.dat and delegwiz.inf files that provide for the implementation of that model, you create an environment that's more productive and less conducive to human error. If you're going to manually delegate control over AD and your organization's roles group tasks in a way that differs from the way that the Delegation of Control Wizard groups tasks, these techniques can make a world of difference.

End of Article

   Previous  1  2  [3]  Next  


Reader Comments
Very good article. However, I am unsuccessfull at duplicating the article's suggestion of modifying the delegwiz.inf. Added the 2 sample templates verbatim along with adding them to the parameter list and when I click on Delegate Control the MMC simply closes. Can't find any clue to this behavior in the event log. Is there a step missing? Attempted on a w2k sp3 DC.

G McLeroy January 13, 2004

I am also seeing this behaviour and when I edit out the templatecustom01 and/or 02 from the templates paramater at the beginning of the delegwiz.inf the problem disapears. Only to discover that of course the additions are not in the delwizard.

S February 13, 2004

The 2 custom templates need amending slightly to resolve the problem. For the first template the line [templatex.user] needs changing to [templatecustom01.user]. Its the same problem for the other replace [templatey.user] with [templatecustom02.user]. After making these changes the 2 new options will be added to the Delegation of control wizard

S Kemball April 22, 2004

very useful

secadmin July 08, 2005 (Article Rating: )

You must be a registered user or online subscriber to comment on this article. Please log on before posting a comment. Are you a new visitor? Register now




Top Viewed ArticlesView all articles
Command Prompt Tricks

One reader shares his tip for setting up the command prompt to reflect a remote path. ...

WinInfo Short Takes: Week of November 9, 2009

An often irreverent look at some of the week's other news, including some more Windows 7 sales momentum, some Sophos stupidity, Microsoft's cloud computing self-loathing, more whining from the browser makers, Zoho's "Fake Office," and much, much more ...

Understanding File-Size Limits on NTFS and FAT

A general confusion about files sizes on FAT seems to stem from FAT32's file-size limit of 4GB and partition-size limit of 2TB. ...
Active Directory (AD) Whitepapers Meeting Compliance Objectives in SharePoint

Email Controls and Regulatory Compliance
Related Events WinConnections and Microsoft® Exchange Connections

Check out our list of Free Email Newsletters!
Active Directory (AD) eBooks The Essentials Series: Active Directory 2008 Operations

Keeping Your Business Safe from Attack: Monitoring and Managing Your Network Security

Windows 2003: Active Directory Administration Essentials
Related Active Directory (AD) Resources Introducing Left-Brain.com, the online IT bookstore
Looking for books, CDs, toolkits, eBooks? Prime your mind at Left-Brain.com

Discover Windows IT Pro eLearning Series!
Clear & detailed technical information and helpful how-to's, all in our trademark no-nonsense format


ADS BY GOOGLE

Job Openings in IT SPONSORED LINKS FEATURED LINKS
EMC SAN vs. DAS Exchange 2007 Calculator
Calculate your savings now!

Let Your Users Reset Their Own Passwords: Free Download
Try a 30 day free trial of Desktop Authority Password Self-Service – it provides an easy-to-use, robust system for allowing users to reset their own forgotten passwords or locked accounts.


Disaster Recovery Strategies – Tips and Tricks
Determine how you can achieve your DR objectives as simply and cost-effectively as possible.

Get Windows IT Pro & Mark Minasi’s Favorite Power Tools Guide
Order Windows IT Pro now and get "More of Mark Minasi's Favorite Power Tools"--a in-depth guide to the most useful Windows commands --FREE with your paid order! Subscribe today, and save 58% off the cover price!

Migration, Virtualization, Availability, and Desktop Management
Realize the importance of a workload optimization strategy...it can affect your bottom line!

Deep Dive into VMware vSphere, eLearning Series
Join John Savill to explore the major functionality capabilities of the vSphere virtualization platform, including identification of the changes from ESX 3.5.
Windows IT Pro Home Register FAQ for Windows WinInfo News
Europe Edition About Us Contact Us/Customer Service Media Kit Affiliates / Licensing  
SQL Server Magazine Office & SharePoint Pro DevProConnections IT Job Hound
Left-Brain.com Technology Resource Directory asp.netPRO ITTV Windows SuperSite 
 
 Windows IT Pro is a Division of Penton Media Inc.
 © 2009 Penton Media, Inc. Terms of Use | Privacy Statement