Document Control:
Document Title:
File Name:
Author:
Date: 13/07/2010

Version Control:
Version   Reason for Change   Author/Editor   Date
1.0       Initial Draft                       13/07/2010
1.1       Final Draft
Purpose
The purpose of this document is to help the System Administrator at ……… give trusted users
who manage group membership the ability to do so through a local MMC snap-in, thereby
reducing unnecessary group-membership support requests to the service desk.
Software Overview
As your AD infrastructure grows, managing the growing number of users, groups and
computers becomes increasingly time-consuming. Fortunately, Active Directory can delegate
administrative control over specific objects to lower-level administrators.
Assigning a domain user as the manager of a group has the following advantages:
1. Assigns a contact for the group: this gives the administrator a designated person to
contact if there are any questions about the group membership.
2. Delegation: this allows the administrator to designate a domain user to manage
additions to and deletions from the group.
Delegating the management of a group allows the administrator to hand the maintenance of
a group's membership to someone who will probably be more familiar with the changes that
need to be made, usually a department or resource manager.
Last updated: 13/07/2010 1 of 12 v1.0
Delegating
control of group
membership
Procedure
Step 1
Create a management security group
When you start the Delegation of Control Wizard, it prompts you to specify the users and groups
to which you want to apply the security role. It is recommended that you place your users into
security groups, and then use the wizard to apply roles to those groups; applying permissions
to individual users quickly becomes difficult to manage.
A management security group named groupManagers (replace "group" with the name of the group
being managed) is first created for the trusted users to whom we wish to delegate control of
group membership. Membership of this group will enable them to add or remove any user account
for the managed group.
1. In AD, select the Groups OU, right-click it, then select New and Group from the sub-menu.
2. Enter the name groupManagers in the Group name box, e.g. ElectronicTriageSystemManagers.
3. Verify that Group scope is set to Global and Group type to Security, then select OK.
4. Double-click the new ElectronicTriageSystemManagers group, select the Members tab, click the
Add button and select the user accounts that are to manage the group membership.
Select OK and leave Active Directory Users and Computers open.
Step 2
Delegate administrative control of an OU
Group membership administration is granted in the OU where the group account resides.
To delegate administrative control of an OU, create the OU if none already exists and move
both the group to be managed and the management group into that OU.
Click Next
Permission to change group membership is controlled through the group object, not through
the user. To add another security principal (a user, group or computer) to a group, the
delegate needs Read Property and Write Property (RP/WP) on the "member" attribute of that group.
This is available through the Delegation of Control Wizard using the common delegated task
"Modify the membership of a group", which grants Write Property permission on the group object
so that the member attribute can be modified.
Although the Delegation of Control Wizard can be used to grant administrative permissions to
containers and the objects within them, it cannot be used to remove those privileges. If you need to
remove permissions, you must do so manually in the Security tab in the Properties dialog box for the
container and in the Advanced Security Settings dialog box for the container.
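Added example (not part of the original document): Steps 1 and 2 carried out with the ActiveDirectory PowerShell module, followed by the check the wizard cannot give you, a list of every principal able to write the group's member attribute. It assumes the RSAT ActiveDirectory module is installed; the OU, group and account names are constructed placeholders.

```powershell
# Added example, not from the original document. Assumes the RSAT ActiveDirectory
# module; OU, group and account names below are constructed placeholders.
Import-Module ActiveDirectory

$ou           = 'OU=Groups,DC=example,DC=local'     # constructed DN, adjust to your domain
$managedGroup = 'ElectronicTriageSystem'             # group whose membership is delegated
$managerGroup = 'ElectronicTriageSystemManagers'     # trusted users (Step 1)

# Step 1: create the management security group (Global / Security) and add the trusted users.
if (-not (Get-ADGroup -Filter "Name -eq '$managerGroup'" -SearchBase $ou)) {
    New-ADGroup -Name $managerGroup -GroupScope Global -GroupCategory Security -Path $ou
}
Add-ADGroupMember -Identity $managerGroup -Members 'jdoe'   # constructed account name

# Resolve the schemaIDGUID of the 'member' attribute from the schema rather than
# hard-coding it, so the ACE is scoped to exactly that one attribute.
$schemaNC   = (Get-ADRootDSE).schemaNamingContext
$memberGuid = [guid](Get-ADObject -SearchBase $schemaNC -LDAPFilter '(lDAPDisplayName=member)' `
                  -Properties schemaIDGUID).schemaIDGUID

# Step 2: grant Read Property + Write Property on 'member' only (what the wizard's
# "Modify the membership of a group" task does) to the managers group.
$groupDn = (Get-ADGroup $managedGroup).DistinguishedName
$acl     = Get-Acl -Path "AD:\$groupDn"
$sid     = (Get-ADGroup $managerGroup).SID
$rights  = [System.DirectoryServices.ActiveDirectoryRights]'ReadProperty, WriteProperty'
$ace     = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
               $sid, $rights, [System.Security.AccessControl.AccessControlType]::Allow, $memberGuid)
$acl.AddAccessRule($ace)
Set-Acl -Path "AD:\$groupDn" -AclObject $acl

# Check: the wizard cannot revoke what it grants, so list every principal that can write
# 'member' on this group (attribute-specific ACEs plus blanket GenericAll/GenericWrite).
# Anything unexpected in this output is what you remove by hand on the Security tab.
Get-Acl -Path "AD:\$groupDn" |
    Select-Object -ExpandProperty Access |
    Where-Object { $_.AccessControlType -eq 'Allow' -and
                   $_.ActiveDirectoryRights -match 'WriteProperty|GenericAll|GenericWrite' -and
                   ($_.ObjectType -eq $memberGuid -or $_.ObjectType -eq [guid]::Empty) } |
    Select-Object IdentityReference, ActiveDirectoryRights, ObjectType, IsInherited
```

Run the final pipeline on its own whenever you need to audit an existing delegation; an ObjectType of all zeros means the right applies to every attribute, not just member.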
Step 3
Create a console Taskpad
When you are creating a console for another user, you can give them an administrative console that
is specifically designed for the management task they will be performing. This involves creating
taskpads with a simplified view.
1. On the Start Menu, click Run, type mmc, and then click OK. Microsoft Management Console
opens with an empty console, Console1. The empty console has no management functionality
until you add some snap-ins.
Step 4
Configure the console so that the user can view only the groups they are to manage.
Click on the console's icon (just below the tool bar), and choose the Customize View option
located on the resulting menu. Then just remove everything that you don't want to make
accessible through the console.
The console can be saved in one of the following user modes:
User Mode - Full Access: users of the console can navigate between and use all snap-ins, but
cannot add or remove snap-ins or change the properties of snap-ins or the console.
User Mode - Limited Access, Multiple Windows: users can navigate to and use only the snap-ins
that you have made visible in the console tree, with multiple preconfigured windows that
focus on specific snap-ins. Users cannot open new windows.
User Mode - Limited Access, Single Window: users can navigate to and use only the snap-ins
that you have made visible in the console tree, within a single window.
These modes allow you to configure your own consoles and distribute them to other
administrators. Configured in the correct mode, they prevent those administrators from
accessing specific areas of functionality and from modifying the console configuration.
Once a console is no longer saved in Author mode, you, the original author, can still make
changes to it by right-clicking the saved console and choosing Author.
Step 5
You can put specific DLL files onto the delegated admin's workstation to enable the console to
run without installing the whole adminpak.
1. Copy the MSC file you created, via a UNC path, to the delegated person's desktop.
2. Copy the two DLLs from S:\Microsoft\Server admin tools\group membership dlls to the
user's system32 folder and register them on their machine with regsvr32.
3. To install a limited MMC console without installing the full adminpak.msi
For the Taskpad to run on the user's computer, Microsoft Management Console 3.0 needs
to be installed:
http://www.microsoft.com/downloads/en/details.aspx?FamilyID=61fc1c66-06f2-463c-82a2-cf20902ffae0