One of the often espoused benefits of Active Directory is its ability to delegate administrative privileges on a granular basis to non-administrative users. This outstanding capability allows overworked or overloaded administrators to delegate small essential tasks to power-hungry users (or at least to those who have shown themselves reliable). Delegation is usually performed on an organizational unit basis.
The basics of delegation
The basic procedure is to select an organizational unit (OU) in Active Directory Users and Computers, launch the Delegation of Control Wizard, and grant one or more tasks from its list of common tasks (or build a custom set of permissions) to a single user or, preferably, a group. It is usually a fairly simple process. Common delegated tasks include resetting user passwords, creating and managing user accounts, modifying group membership and adding new computers to a domain. (Rights such as installing printer drivers or setting the system time are not OU delegations at all; they are user rights assigned through Group Policy's User Rights Assignment, and the wizard does not touch them.) In any case, these are tasks that sit just above the standard privilege level of users, but they can be off-loaded to trustworthy users to free up the time and mental capacity of administrators.
When delegating privileges to users, you are writing access control entries (ACEs) onto the OU's discretionary ACL, and those ACEs apply to every matching object in the OU from which you launch the Delegation Wizard. That includes any user and computer accounts in the immediate OU as well as those in any child OUs, because the entries are written as inheritable. The only thing that stops them is an object or child OU whose permission inheritance has been disabled on its own Security tab (the Block Inheritance and No Override settings you may know from Group Policy apply to policy links, not to permissions). One further exception: members of protected groups such as Domain Admins have their ACLs reset from the AdminSDHolder template, so a delegation that appears to cover them does not actually take effect. So, when assigning delegation, be sure to know the exact extent to which you are granting admin-like privileges to a user. As always, sticking with the Principle of Least Privilege should be your primary goal, even when you are spreading a bit of power to a few deserving individuals.
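To make the wizard's work visible, here is an added example (not code from the original article) that writes the same ACEs the wizard's "Reset user passwords and force password change at next logon" task writes, scoped to user objects only, and then lists which objects under the OU have opted out of inheritance. It assumes the ActiveDirectory PowerShell module (RSAT) and PowerShell 5 or later; the OU distinguished name and group name are placeholders. The three GUIDs are fixed schema values present in every AD forest.

```powershell
# Added example, not from the original article. Placeholders below are assumptions:
# an OU named "Helpdesk Users" and a group named "Helpdesk-PasswordResetters" in corp.example.
Import-Module ActiveDirectory

$ouDN      = 'OU=Helpdesk Users,DC=corp,DC=example'   # placeholder OU
$groupName = 'Helpdesk-PasswordResetters'             # placeholder group (delegate to groups, not users)

$sid = [System.Security.Principal.SecurityIdentifier](Get-ADGroup -Identity $groupName).SID

# Well-known schema GUIDs (identical in every forest)
$userClassGuid  = [Guid]'bf967aba-0de6-11d0-a285-00aa003049e2'  # schemaIDGUID of the "user" class
$resetPwdGuid   = [Guid]'00299570-246d-11d0-a768-00aa006e0529'  # "Reset Password" extended right
$pwdLastSetGuid = [Guid]'bf967a0a-0de6-11d0-a285-00aa003049e2'  # pwdLastSet attribute

$acl = Get-Acl -Path "AD:\$ouDN"

# ACE 1: the Reset Password extended right, inherited only by descendant user objects.
# Constructor: (identity, rights, type, objectType, inheritanceType, inheritedObjectType)
$resetAce = [System.DirectoryServices.ActiveDirectoryAccessRule]::new(
    $sid,
    [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight,
    [System.Security.AccessControl.AccessControlType]::Allow,
    $resetPwdGuid,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents,
    $userClassGuid)

# ACE 2: read/write pwdLastSet so the delegate can set "must change password at next logon".
$pwdLastSetAce = [System.DirectoryServices.ActiveDirectoryAccessRule]::new(
    $sid,
    ([System.DirectoryServices.ActiveDirectoryRights]::ReadProperty -bor
     [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty),
    [System.Security.AccessControl.AccessControlType]::Allow,
    $pwdLastSetGuid,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents,
    $userClassGuid)

$acl.AddAccessRule($resetAce)
$acl.AddAccessRule($pwdLastSetAce)
Set-Acl -Path "AD:\$ouDN" -AclObject $acl

# Extent check: any object under the OU with permission inheritance disabled does NOT
# receive the ACEs above. List them so the real scope of the delegation is known.
Get-ADObject -SearchBase $ouDN -SearchScope Subtree -Filter * |
    Where-Object { (Get-Acl -Path "AD:\$($_.DistinguishedName)").AreAccessRulesProtected } |
    Select-Object DistinguishedName, ObjectClass
```

Two design points: the inherited-object-type GUID restricts the grant to user objects, so the same group gains nothing over computer or group objects in the OU, and the grant goes to a group rather than a person so that revoking it later is a group-membership change rather than an ACL edit. Protected accounts (adminCount=1) under the OU will still have the ACEs stripped by the AdminSDHolder process, which is the behaviour you want.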
Use wizards to get you through...
Microsoft has made the task of delegating privileges so simple that even a user who doesn't know what they are doing can be walked through it by the wizard. As with most of the wizards found in Windows products, by answering a few simple questions you can perform complex tasks with little to no real knowledge about what is being changed. The downside is that unless you know what is going on under the hood of a wizard, reversing the process can be daunting.
If you have used the Delegation Wizard to grant a user a special high-level privilege, you will have to do some manual labor to remove or revoke the privilege if the need arises. There is no "undelegate" wizard. In fact, if you re-run the wizard and assign the same privileges to another user or group, all you are doing is spreading the love -- you are not removing the assigned privileges from the previous holders of the power; the wizard only ever adds ACEs. To revoke assigned privileges, you must manually edit the OU's Security tab (visible in Active Directory Users and Computers only when View > Advanced Features is enabled) and remove or alter the delegated entries, or use the dsacls.exe command-line tool, which can strip every permission a trustee holds on an object with `dsacls "<OU DN>" /R <domain>\<trustee>`.
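Since there is no "undelegate" wizard, here is an added example (not code from the original article) of doing the revocation by hand: audit the explicit, non-inherited ACEs a trustee holds on an OU, remove them, and verify none remain. It assumes the ActiveDirectory module and the same placeholder OU and group names as above; inherited ACEs are deliberately left alone because they must be removed on the parent that defines them.

```powershell
# Added example, not from the original article. OU and group names are placeholders.
Import-Module ActiveDirectory

$ouDN      = 'OU=Helpdesk Users,DC=corp,DC=example'   # placeholder OU
$groupName = 'Helpdesk-PasswordResetters'             # placeholder trustee to revoke

$sid = [System.Security.Principal.SecurityIdentifier](Get-ADGroup -Identity $groupName).SID
$acl = Get-Acl -Path "AD:\$ouDN"

# 1. Audit: explicit rules only (includeExplicit=$true, includeInherited=$false),
#    with identities returned as SIDs so the comparison does not depend on name resolution.
$delegated = $acl.GetAccessRules($true, $false, [System.Security.Principal.SecurityIdentifier]) |
    Where-Object { $_.IdentityReference -eq $sid }

Write-Host "Explicit ACEs for $groupName on $ouDN before revocation:"
$delegated | Format-Table ActiveDirectoryRights, AccessControlType, ObjectType,
                           InheritedObjectType, InheritanceType -AutoSize

# 2. Revoke: remove each explicit ACE for the trustee and write the DACL back.
#    (Narrow the Where-Object above on ObjectType if only one delegated task should go.)
foreach ($ace in $delegated) {
    [void]$acl.RemoveAccessRule($ace)
}
Set-Acl -Path "AD:\$ouDN" -AclObject $acl

# 3. Verify by re-reading the DACL rather than trusting the in-memory object.
$remaining = (Get-Acl -Path "AD:\$ouDN").GetAccessRules($true, $false,
                 [System.Security.Principal.SecurityIdentifier]) |
    Where-Object { $_.IdentityReference -eq $sid }
Write-Host "Explicit ACEs left for $groupName on the OU: $(@($remaining).Count)"

# 4. Inherited ACEs for the same trustee, if any, point at a parent container that
#    must be cleaned up separately; list them so they are not overlooked.
(Get-Acl -Path "AD:\$ouDN").GetAccessRules($false, $true, [System.Security.Principal.SecurityIdentifier]) |
    Where-Object { $_.IdentityReference -eq $sid } |
    Format-Table ActiveDirectoryRights, ObjectType, InheritanceType -AutoSize
```

Run the audit step on its own first across the OUs you care about; a trustee showing up with explicit ACEs on OUs nobody remembers delegating is exactly the "spreading the love" accumulation the article warns about.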
…but use wizards with caution!
In summary, the lesson here is to be very careful. Avoid using wizards if you don't really know what the tool will be doing or how to reverse the changes if unexpected results appear. But, if you understand how to repair or reverse a change made by a wizard, by all means, try anything that simplifies your life!
James Michael Stewart has co-authored numerous books on Microsoft, security certification and administration and has written articles for many print and online publications. He has developed certification courseware and training materials and has presented these materials in the classroom. Stewart also teaches CISSP boot camps across the country and is a regular speaker at Interop.
This was first published in August 2005