
9.3. Advanced Delegation: Manually Setting Permissions

Although the previous scenario is a nice—and useful—example, it only hints at the power of delegation. You actually needn't use the wizard to delegate; it just makes things simpler for a range of common tasks.

Best Practices for Delegation

Delegation is a powerful tool for administering your network. If it is used carefully, it will prove quite helpful. So far in this section we have mentioned a few good practices to use when delegating; now we'll expand on these and explore more examples:

  • Create groups and OUs specifically to receive delegated permissions: Delegating to a purpose-built group on a purpose-built OU keeps the permission boundary visible, which simplifies both security review and day-to-day administration.

  • Avoid assigning permissions directly to a user: Create a group (see the earlier discussion) and place the user in it. Creating a group to house a single user is not as burdensome as it might seem at first; in fact, it will make your administrative life much easier than trying to track down why one individual can still perform actions that he or she shouldn't, long after everyone has forgotten the direct permission entry.

  • Assign the least permissions that users and groups need to do their jobs: This keeps your network as secure as possible. Users might think they are entitled to Full Control over everything, but they rarely, if ever, require it.

  • Use Full Control sparingly: Full Control can backfire on you when users or groups start taking advantage of your largesse. Full Control includes the right to modify an object's permissions and take ownership of it, so a delegate could grant himself or herself (or others) greater rights than the administrator intended. In addition, if an attacker gains control of that account, he or she inherits the same power and can cause far more mayhem than a narrowly delegated account would allow.

  • To further enforce security and enhance good administration techniques, delegate object creation and object management to different groups: This is known as two-person integrity (TPI). If you split the responsibility between two individuals or groups, mismanagement by either one is less likely. Think of this as splitting the create-backup and restore permissions between two groups. For example, you could give one group of administrators the ability to create groups in an OU and give a different group of administrators the ability to control those groups' membership.

  • Create Taskpad views: Taskpad views are great when you want to delegate tasks to help-desk personnel or other groups that require some permissions but should not have access to the full console. This technique can help train new administrators before you give them the keys to the domain. Bear in mind that a Taskpad view only limits what the console shows; it is not a security boundary, so the underlying permissions must still be delegated narrowly.

  • You can delegate at levels higher than an OU, but avoid doing this as a rule: If you delegate permissions at the domain level, that user or group could have a far greater impact on your network than you anticipated, because the permissions are inherited by every object in the domain.
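The following PowerShell script is an added example, not code from the book, and it implements the two-person split described above directly on the OU's ACL rather than through the Delegation of Control Wizard: one group may create group objects in the OU, a different group may write only the member attribute of groups under it, and neither gets Full Control. It ends with a check that lists any Full Control entries on the OU, which is the audit you would run against the "use Full Control sparingly" rule. The domain contoso.com, the Sales OU, and the two security groups Sales-GroupCreators and Sales-GroupMembershipAdmins are placeholder names assumed to exist already; the schema GUIDs are looked up at run time rather than hard-coded.

```powershell
# Added example (not from the original text). Assumes the ActiveDirectory module,
# a domain contoso.com, an OU "Sales", and two existing security groups
# Sales-GroupCreators and Sales-GroupMembershipAdmins. All names are placeholders.
Import-Module ActiveDirectory

$ouDN = 'OU=Sales,DC=contoso,DC=com'

# Resolve schema GUIDs for the object class and attribute we are delegating.
$schemaNC = (Get-ADRootDSE).schemaNamingContext
function Get-SchemaGuid {
    param([string]$LdapDisplayName)
    $obj = Get-ADObject -SearchBase $schemaNC -LDAPFilter "(lDAPDisplayName=$LdapDisplayName)" -Properties schemaIDGUID
    return [guid]$obj.schemaIDGUID
}
$groupClassGuid = Get-SchemaGuid 'group'
$memberAttrGuid = Get-SchemaGuid 'member'

function Get-GroupSid {
    param([string]$Name)
    return (Get-ADGroup -Identity $Name).SID
}

$acl = Get-Acl -Path "AD:\$ouDN"

# Rule 1: the creators may create group objects in this OU and any child OU.
# Delete is deliberately not included; removing groups is a separate decision.
$createGroups = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    (Get-GroupSid 'Sales-GroupCreators'),
    [System.DirectoryServices.ActiveDirectoryRights]::CreateChild,
    [System.Security.AccessControl.AccessControlType]::Allow,
    $groupClassGuid,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All)

# Rule 2: the membership admins may write the "member" attribute, and only that
# attribute, on group objects below this OU (inherited-object-type = group).
$manageMembers = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    (Get-GroupSid 'Sales-GroupMembershipAdmins'),
    [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty,
    [System.Security.AccessControl.AccessControlType]::Allow,
    $memberAttrGuid,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents,
    $groupClassGuid)

$acl.AddAccessRule($createGroups)
$acl.AddAccessRule($manageMembers)
Set-Acl -Path "AD:\$ouDN" -AclObject $acl

# Check: who holds Full Control (GenericAll) on this OU, explicitly or by inheritance?
# Anything beyond the built-in administrative principals deserves a second look.
function Get-FullControlAces {
    param([string]$DistinguishedName)
    $dacl = Get-Acl -Path "AD:\$DistinguishedName"
    $dacl.Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        $_.ActiveDirectoryRights.HasFlag([System.DirectoryServices.ActiveDirectoryRights]::GenericAll)
    } | Select-Object IdentityReference, IsInherited, InheritanceType
}

Get-FullControlAces -DistinguishedName $ouDN | Format-Table -AutoSize
```

Because the first rule carries only CreateChild scoped to the group class and the second carries only WriteProperty scoped to the member attribute, neither group receives WriteDacl or WriteOwner, which is what keeps a delegate from widening his or her own access. Run the closing check before and after the change: the two new entries should not appear in it, and any Full Control entry it does list for a non-built-in principal is a candidate for removal.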

