AD Delegating Control of Group Membership


Page 1: AD Delegating Control of Group Membership

Delegating control of group membership

Knowledgebase (Intended Audience)

This document is intended for the System Administrator at ………..

Document Ref & Version No: V1.0
Author:
Approved by:
Revision Due Date: 1 year from issue
Issue Date:

Document Control:

Document Title:
File Name:
Author:
Date: 13/07/2010

Version Control:

Version / Reason for Change / Author/Editor / Date
1.0 / Initial Draft / / 13/07/2010
1.1 / Final Draft / /

Purpose

The purpose of this document is to help the System Administrator at ……… give trusted users who manage access to group membership the ability to do so via a local snap-in, thereby reducing unnecessary group membership support requests to the service desk.

Software Overview

As your AD infrastructure grows, managing the growing number of users, groups and computers becomes increasingly time consuming. Fortunately, Active Directory can delegate administrative control over specific objects to lower-level administrators.

Assigning a domain user as the manager of the group has the following advantages:

Assigns a contact for the group: This gives the administrator a designated person to contact if there are any questions about the group membership.

Delegation: This allows the administrator to designate a domain user to manage the additions and deletions to the group.

Delegating the management of a group allows the administrator to hand the task of maintaining the group's membership to someone who is likely to be more familiar with the changes that need to be made, usually a department or resource manager.

Last updated: 13/07/2010 1 of 12 v1.0


Procedure

Step 1

Create a management security group

When you start the Delegation of Control Wizard, it prompts you to specify the users and groups to which you want to apply the security role. It is recommended that you place your users into security groups and then use the wizard to apply roles against those groups; applying permissions to individual users can quickly become difficult to manage.

A management security group named groupManagers (replace "group" with the name of the group being managed) is created first for the trusted users to whom we wish to delegate control of group membership. Membership of this management group will enable them to add or remove any user account for the managed group.

1. In AD select the Groups OU, right click, then select New and Group from the sub-menu.

2. Enter the name groupManagers in the Group name box, i.e. ElectronicTriageSystemManagers.

3. Verify that the Group scope is set to Global and the Group type is Security. Select OK.

4. Double click on the new ElectronicTriageSystemManagers group, select the Members tab, click the Add button and select the user accounts that are to manage the group membership. Select OK and leave Active Directory Users and Computers open.
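The same Step 1 result can be produced from PowerShell, which is useful when several managed groups need a manager group each. The following is an added example and is not part of the original document; it assumes the ActiveDirectory module (RSAT) is available and uses a hypothetical OU, OU=Groups,DC=example,DC=com, and hypothetical user names.

```powershell
# Added example (not from the original document): create the groupManagers
# security group from Step 1 with PowerShell instead of the GUI.
# Assumptions (hypothetical): OU=Groups,DC=example,DC=com is the target OU and
# the ActiveDirectory module (RSAT) is installed.
Import-Module ActiveDirectory

function New-GroupManagerGroup {
    param(
        [Parameter(Mandatory)][string]$ManagedGroupName,   # e.g. ElectronicTriageSystem
        [Parameter(Mandatory)][string]$OuDn,               # OU that will hold both groups
        [string[]]$ManagerSamAccountNames = @()            # trusted users to add as members
    )
    # Same naming convention as the document: <group>Managers
    $managerName = "${ManagedGroupName}Managers"

    # Idempotent: reuse the group if it already exists in the OU.
    $group = Get-ADGroup -Filter "Name -eq '$managerName'" -SearchBase $OuDn
    if (-not $group) {
        # Global scope, Security type, exactly as GUI step 3 requires.
        $group = New-ADGroup -Name $managerName -SamAccountName $managerName `
            -GroupScope Global -GroupCategory Security -Path $OuDn `
            -Description "Delegated managers of the $ManagedGroupName group membership" `
            -PassThru
    }

    # Add only the members that are missing so the script can be re-run safely.
    $current = @(Get-ADGroupMember -Identity $group | Select-Object -ExpandProperty SamAccountName)
    foreach ($sam in $ManagerSamAccountNames) {
        if ($current -notcontains $sam) {
            Add-ADGroupMember -Identity $group -Members $sam
        }
    }
    return $group
}

# Usage (hypothetical names):
# New-GroupManagerGroup -ManagedGroupName 'ElectronicTriageSystem' `
#     -OuDn 'OU=Groups,DC=example,DC=com' -ManagerSamAccountNames 'jsmith','akhan'
```

Run it as an account that is allowed to create groups in the OU; it returns the manager group object, which the delegation step can then be applied to.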


Step 2

Delegate administrative control of an OU

Group membership administration is granted on the OU in which the group account resides.

To delegate administrative control of an OU, create the OU if none already exists, then move both the group to be managed and the management group into that OU.

5. In AD right-click the appropriate OU and select Delegate Control from the menu. This will launch the Delegation of Control Wizard.

6. On the Welcome to the Delegation of Control Wizard page, click Next.

Add the Group Managers

7. In the Users or Groups page, click Add, type the name of the managers security group to which you want to delegate administration, then click OK and Next.


8. In the Tasks To Delegate page, click Delegate the following common tasks, select Modify the membership of a group, and click Next.

The permission to change group membership is controlled through the group object, not through the user. To add another security principal (user, group or computer) to a group you need Read Property and Write Property (RP/WP) on the "member" attribute of that group. This is available through the Delegation of Control Wizard using the common delegated task "Modify the membership of a group", which grants Write Property permission on the member attribute of the group objects in the OU.

9. A summary page will appear. Click Finish.

Removing Delegated Permissions

Although the Delegation of Control Wizard can be used to grant administrative permissions to containers and the objects within them, it cannot be used to remove those privileges. If you need to remove permissions, you must do so manually in the Security tab of the Properties dialog box for the container and in the Advanced Security Settings dialog box for the container.
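Because the wizard writes an ordinary ACE and cannot take it back, it helps to be able to list, grant and remove that ACE from a script. The following is an added example, not code from the original document: it reproduces the "Modify the membership of a group" grant (Read/Write Property on the member attribute, applied to group objects beneath the OU), audits which principals currently hold it, and removes it for a given manager group. It assumes the ActiveDirectory module and its AD: drive, and a hypothetical OU, OU=Groups,DC=example,DC=com. The schemaIDGUIDs are resolved from the forest schema rather than hard-coded.

```powershell
# Added example (not from the original document): grant, audit and remove the
# ACE that the Delegation of Control Wizard's "Modify the membership of a group"
# task creates. Assumptions (hypothetical): OU=Groups,DC=example,DC=com holds
# the groups; the ActiveDirectory module provides the AD: drive.
Import-Module ActiveDirectory

# Look up the schemaIDGUID of an attribute or class (e.g. 'member', 'group')
# from the schema partition so nothing is hard-coded.
function Get-SchemaGuid([string]$LdapDisplayName) {
    $schemaNc = (Get-ADRootDSE).schemaNamingContext
    $obj = Get-ADObject -SearchBase $schemaNc -Filter "lDAPDisplayName -eq '$LdapDisplayName'" `
        -Properties schemaIDGUID
    return [Guid]$obj.schemaIDGUID
}

# Audit: every Allow ACE on the OU that grants WriteProperty on 'member'.
# Useful for periodic review of who can change group membership below the OU.
function Get-GroupMemberDelegation([string]$OuDn) {
    $memberGuid = Get-SchemaGuid 'member'
    $acl = Get-Acl -Path "AD:\$OuDn"
    $acl.Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        $_.ObjectType -eq $memberGuid -and
        ($_.ActiveDirectoryRights -band [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty)
    } | Select-Object IdentityReference, ActiveDirectoryRights, InheritanceType, IsInherited
}

# Grant: equivalent of the wizard's common task for one manager group.
function Grant-GroupMemberDelegation([string]$OuDn, [string]$ManagerGroupName) {
    $memberGuid = Get-SchemaGuid 'member'
    $groupGuid  = Get-SchemaGuid 'group'
    $sid = (Get-ADGroup -Identity $ManagerGroupName).SID
    $rights = [System.DirectoryServices.ActiveDirectoryRights]'ReadProperty, WriteProperty'
    # Scope the ACE to the 'member' attribute of descendant group objects only.
    $ace = New-Object -TypeName System.DirectoryServices.ActiveDirectoryAccessRule -ArgumentList @(
        $sid, $rights, [System.Security.AccessControl.AccessControlType]::Allow,
        $memberGuid, [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents, $groupGuid)
    $acl = Get-Acl -Path "AD:\$OuDn"
    $acl.AddAccessRule($ace)
    Set-Acl -Path "AD:\$OuDn" -AclObject $acl
}

# Remove: what the wizard cannot do. Only explicit (non-inherited) ACEs set on
# this OU for the given manager group are removed.
function Remove-GroupMemberDelegation([string]$OuDn, [string]$ManagerGroupName) {
    $memberGuid = Get-SchemaGuid 'member'
    $sid = (Get-ADGroup -Identity $ManagerGroupName).SID
    $acl = Get-Acl -Path "AD:\$OuDn"
    $toRemove = @($acl.Access | Where-Object {
        -not $_.IsInherited -and $_.ObjectType -eq $memberGuid -and
        $_.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]) -eq $sid
    })
    foreach ($rule in $toRemove) { $acl.RemoveAccessRuleSpecific($rule) }
    Set-Acl -Path "AD:\$OuDn" -AclObject $acl
}

# Usage (hypothetical names):
# Grant-GroupMemberDelegation  'OU=Groups,DC=example,DC=com' 'ElectronicTriageSystemManagers'
# Get-GroupMemberDelegation    'OU=Groups,DC=example,DC=com'
# Remove-GroupMemberDelegation 'OU=Groups,DC=example,DC=com' 'ElectronicTriageSystemManagers'
```

Run Get-GroupMemberDelegation before and after a change to confirm that only the intended manager groups appear; an unexpected identity in that list is the first thing to investigate when group membership changes without a matching service desk request.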

Step 3


Create a console Taskpad

When you are creating a console for another user, you can give them an administrative console that is specifically designed for the management task they will be performing. This involves creating taskpads with a simplified view.

10. On the Start Menu, click Run, type mmc, and then click OK. Microsoft Management Console opens with an empty console, console1. The empty console has no management functionality until you add some snap-ins.

11. Click on File | Add/Remove Snap-in.

12. In the Snap-ins window, click Add, choose Active Directory Users and Computers from the left pane and click Add, then Close and OK.

13. In the left pane, expand Active Directory Users and Computers and expand your domain.

14. Drill down to the appropriate OU, right click and select New Taskpad View.

15. A new Taskpad wizard will appear.


16. Leave the default setting for Taskpad Style (or customize it) and click Next.

17. In the Taskpad Reuse window, choose Selected tree item and click Next.

18. Name the Taskpad.


19. Click Next followed by Finish to create the new taskpad view. Ensure Add new task to this taskpad after the wizard closes is selected.

When the wizard completes, Windows will automatically launch a new one called the New Task Wizard. This wizard allows you to create tasks for the taskpad that you just created.

20. A New Task Wizard window will appear. Click Next.

21. In the Command Type window, choose Menu Command and click Next.

The column on the left lists the objects in the OU (users and groups), and the column on the right lists the commands that are available when a user right-clicks the selected object.

It is important to note that simply making a command available to a user does not give them permission to perform that command.

22. Select an account, i.e. OUManagers, and a command, such as Move, and click Next.


23. You are now asked to enter a name and description for the command that you are creating. These fields are filled in by default, so you can just click Next to move on to the next screen.

24. Choose your desired icon in the Task Icon window. In this case, I am using the handshake icon. Click Next.

25. Click the Finish button to complete the New Task Wizard.


Step 4

Simplifying the console view

Configure the console so that the user can view only the groups they are to manage.

26. To view only the required group, select View > Filter Options.

27. In Filter Options, choose Create custom filter and click Customize.

28. In the Custom Search field, select Group > Name. In the Condition field choose Starts with and enter a value, i.e. the group name ElectronicTriageSystem. Click OK, and OK again. Go back to the OU: you should now see only the group and its groupManagers group.


Click on the console's icon (just below the tool bar), and choose the Customize View option located on the resulting menu. Then just remove everything that you don't want to make accessible through the console.

29. In order to prevent unnecessary changes to the console, customize the view: click on View > Customize.

30. Uncheck all the options under MMC to obtain a minimal view.

31. Save the created console1.msc to your desktop and rename it to groupname.msc.


Step 4

Locking down the console

When you create a console for another user, it is useful to be able to prevent that user from further customizing the console.

The Options dialog box allows you to do this.

32. From the console menu, select File > Options; this opens the Console tab.

33. Change the Console Mode by selecting User Mode–limited access, single window from the drop-down dialog box. This will prevent a user from adding new snap-ins to the console file or rearranging the windows.

34. Save the console file. The changes will not take effect until the console file is opened again.

Console modes:

Author: You want to continue customizing the console.

User Mode—Full Access: Users of the console are able to navigate between and use all snap-ins. Users will not be able to add or remove snap-ins, or change the properties of snap-ins or the console.

User Mode—Limited Access, Multiple Windows: Users can navigate to and use only the snap-ins that you have made visible in the console tree, and you can preconfigure multiple windows that focus on specific snap-ins. Users will not be able to open new windows.

User Mode—Limited Access, Single Window: Users are able to navigate to and use only the snap-ins that you have made visible in the console tree, within a single window.

These modes allow you to configure your own consoles and distribute them to other administrators. Configured in the correct mode, you can prevent those administrators from accessing specific areas of functionality and from modifying the console configuration.

When a console is no longer saved in Author mode, you, the original author, can still make changes to it by right-clicking the saved console file and choosing Author.


Step 5

Enabling the Taskpad to work on the trusted users computer

You can put specific DLL files onto the delegated admin's workstation to enable the console to run without installing the whole adminpak.

35. Copy the MSC file you created via a UNC path to the delegated person's workstation desktop.

36. Copy the following two DLLs from S:\Microsoft\Server admin tools\group membership dlls to the user's system32 folder and register them with regsvr32 on their machine:

adprop.dll (object properties)
dsadmin.dll (ability to alter object properties)

37. From the Start Menu, choose Run. Type REGSVR32 and then either drag the DLL file from the directory on the local machine into the Run box or manually type the path so that it reads:

REGSVR32 C:\WINDOWS\system32\adprop.dll

REGSVR32 C:\WINDOWS\system32\dsadmin.dll

You should see a message that each file has been registered successfully.

38. To install a limited MMC console without installing the full adminpak.msi:

Copy adminpak.msi from S:\Microsoft\Server admin tools to c:\windows\system32.

At a command prompt, navigate to the c:\windows\system32 directory:

cd \windows\system32

then run:

msiexec /i adminpak.msi ADDLOCAL=FeADTools /qb

For the Taskpad to run on the user's computer, Microsoft Management Console 3.0 needs to be installed:

http://www.microsoft.com/downloads/en/details.aspx?FamilyID=61fc1c66-06f2-463c-82a2-cf20902ffae0
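Steps 35 to 38 are easy to get wrong by hand on each workstation (a DLL copied but not registered, or a regsvr32 failure hidden behind the dialog). The following is an added example, not part of the original document: a PowerShell script that performs the copy, registration and limited adminpak install from Step 5 and stops at the first failure. It assumes the share path and file names given in the document, a hypothetical console file ElectronicTriageSystem.msc, and that it is run elevated on the delegated user's workstation.

```powershell
# Added example (not from the original document): automate Step 5 on the
# delegated user's workstation. Assumptions: the share and file names are the
# ones given in the document; ElectronicTriageSystem.msc is a hypothetical
# console name; the script runs in an elevated PowerShell session.
$share      = 'S:\Microsoft\Server admin tools'
$dllSource  = Join-Path $share 'group membership dlls'
$system32   = Join-Path $env:windir 'system32'
$consoleMsc = 'ElectronicTriageSystem.msc'          # hypothetical name
$desktop    = [Environment]::GetFolderPath('Desktop')

# Run an external installer and fail loudly on a non-zero exit code, so a
# silent regsvr32 or msiexec failure is not mistaken for success.
function Invoke-Checked([string]$Exe, [string[]]$Arguments) {
    $p = Start-Process -FilePath $Exe -ArgumentList $Arguments -Wait -PassThru -NoNewWindow
    if ($p.ExitCode -ne 0) {
        throw "$Exe $($Arguments -join ' ') failed with exit code $($p.ExitCode)"
    }
}

# Step 35: the saved console goes on the user's desktop.
Copy-Item -Path (Join-Path $share $consoleMsc) -Destination $desktop -Force

# Steps 36/37: copy each DLL into system32, then register it silently (/s).
foreach ($dll in 'adprop.dll', 'dsadmin.dll') {
    $target = Join-Path $system32 $dll
    Copy-Item -Path (Join-Path $dllSource $dll) -Destination $target -Force
    Invoke-Checked 'regsvr32.exe' @('/s', "`"$target`"")
}

# Step 38: install only the AD tools feature from adminpak.msi.
$msi = Join-Path $system32 'adminpak.msi'
Copy-Item -Path (Join-Path $share 'adminpak.msi') -Destination $msi -Force
Invoke-Checked 'msiexec.exe' @('/i', "`"$msi`"", 'ADDLOCAL=FeADTools', '/qb')

# Final check: the console file must be on the desktop and MMC 3.0 present.
$mmcVersion = (Get-Item (Join-Path $system32 'mmc.exe')).VersionInfo.FileMajorPart
if (-not (Test-Path (Join-Path $desktop $consoleMsc)) -or $mmcVersion -lt 3) {
    throw "Console not deployed or MMC 3.0 missing (found MMC major version $mmcVersion)"
}
Write-Host "Delegated console deployed; MMC major version $mmcVersion"
```

The final check covers the document's last requirement, MMC 3.0, by reading the file version of mmc.exe; if it is older, install MMC 3.0 from the link above before giving the console to the user.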
