Using the Delegation of Control Wizard to Assign Permissions in Server 2008

Delegate Control of an Organizational Unit

Another great feature of Server 2008, is how the Delegation of Control Wizard simplifies adding rights for common tasks to groups or administrators.
We’re going to say that we’ve just started building our network, and we’d like to give our Helpdesk admins the ability to reset passwords for people. Since we don’t want the Helpdesk modifying other parts of our domain, we want to restrict their access rights to only that task, for the time being. The simplest way is to use the Delegation of Control Wizard, so we’ll start by going to our Administrative Tools and opening the Active Directory Users and Computers snap-in. Once we expand our domain, we’ll go down to the OU that holds our Helpdesk group, right-click on it, and choose Delegate 
 Control.

* To open Active Directory Users and Computers, click Start , click Control Panel ,  double-click Administrative Tools , and then double-click Active Directory Users and Computers .

*To open Active Directory Users and Computers in Windows Server® 2008, click Start , type      dsa.msc .

*In the console tree, right-click the organizational unit (OU) for which you want to delegate control.

1. Where?
   
   • Active Directory Users and Computers\ domain node \ organizational unit
2. Click Delegate Control to start the Delegation of Control Wizard, and then follow the instructions in the wizard.
   

 
The wonderful welcome screen of the Delegation Wizard pops up, and we click Next.

 
The wonderful welcome screen of the Delegation Wizard pops up, and we click Next.

 

We need to add our Helpdesk, so we click Add.

 
We type in the name of our group, helpdesk, and then click the Check Names button. Once it finds them in AD, the name will display fully, and we can click the OK button.

 

Once it shows up in our list of selected users and groups, we’ll move forwards by clicking the Next button again.

 

Now we get to the real power of the Delegation of Control Wizard. The wizard lists out the most commonly used tasks to delegate control for, but also allows you to add some of the more obscure rights as well through the Create a custom task to delegate option. Since we just want to give our helpdesk admins the right to reset passwords, we’ll choose that one from the list and click Next.

 
Next we’ll get a summary of all the controls we are about to delegate. It’s always a good idea to browse over this, just to make sure you didn’t accidentally check one of the wrong boxes by accident. Once we’re certain that everything looks good, we click the Finish button.