
Delegating control of group membership

Knowledgebase (Intended Audience): This document is intended for the System Administrator at ………..
Document Ref & Version No: V1.0
Author:                              Approved by:
Revision Due Date: 1 year from issue    Issue Date:

Document Control:
Document Title:    File Name:    Author:    Date: 13/07/2010

Version Control:
Version   Reason for Change   Author/Editor   Date
1.0       Initial Draft                       13/07/2010
1.1       Final Draft

Purpose
The purpose of this document is to help the System Administrator at ……… give trusted
users who manage access to a group the ability to maintain that group's membership
themselves, through a local snap-in, thereby reducing unnecessary group membership support
requests to the service desk.

Software Overview
As your AD infrastructure grows, managing the growing number of users, groups and
computers becomes increasingly time-consuming. Fortunately, Active Directory can
delegate administrative control over specific objects to lower-level administrators.
Assigning a domain user as the manager of a group has the following advantages:

• Assigns a contact for the group: this gives the administrator a designated person to
contact if there are any questions about the group membership.
• Delegation: this allows the administrator to designate a domain user to manage
additions to and deletions from the group.

Delegating the management of a group lets the administrator hand the task of
maintaining the group's membership to someone who is likely to be more familiar with
the changes that need to be made, usually a department or resource manager.
Last updated: 13/07/2010 1 of 12 v1.0
Delegating
control of group
membership

Procedure

Step 1
Create a management security group

When you start the Delegation of Control Wizard, it prompts you to specify the users and groups
to which you want to apply the security role. It is recommended that you place your users into
security groups and then use the wizard to apply roles against those groups; applying permissions
to individual users quickly becomes difficult to manage.

A management security group named groupManagers (replace "group" with the name of the group
being managed) is created first for the trusted users to whom we wish to delegate control of group
membership. Membership of this group will let them add or remove any user account for that group.

1. In AD, select the Groups OU, right-click it, then select New and Group from the sub-menu.
2. Enter the name groupManagers in the Group name box,
   e.g. ElectronicTriageSystemManagers.
3. Verify that Group scope is set to Global and Group type to Security, then click OK.
4. Double-click the new ElectronicTriageSystemManagers group, select the Members tab, click
   Add and select the user accounts that are to manage the group membership.
   Click OK and leave Active Directory Users and Computers open.


Step 2
Delegate administrative control of an OU
Group membership administration is granted in the OU where the group account resides.

To delegate administrative control of an OU, create the OU if none already exists and move
both the group to be managed and the management group into it.

5. In AD, right-click the appropriate OU and select Delegate Control from the menu. This
   launches the Delegation of Control Wizard.

6. On the Welcome to the Delegation of Control Wizard page, click Next.

Add the Group Managers

7. On the Users or Groups page, click Add, type the name of the managers security group to
   which you want to delegate administration, click OK and then Next.


8. On the Tasks To Delegate page, click Delegate the following common tasks, select
   Modify the membership of a group and click Next.

Permission to change group membership is controlled through the group object, not through
the user. To add another security principal (user, group or computer) to a group you need
Read Property and Write Property (RP/WP) on that group's "member" attribute.
The wizard's common task "Modify the membership of a group" grants exactly this: Write
Property permission on the group object for the member attribute.

9. A summary page appears. Click Finish.

Removing Delegated Permissions

Although the Delegation of Control Wizard can be used to grant administrative permissions to
containers and the objects within them, it cannot be used to remove those privileges. If you need to
remove permissions, you must do so manually in the Security tab in the Properties dialog box for the
container and in the Advanced Security Settings dialog box for the container.
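The following PowerShell is an added example and is not part of this document or the author's procedure. It carries out Step 1 and Step 2 above with the ActiveDirectory module instead of the wizards (creating the managers group and granting Read/Write Property on the "member" attribute of group objects in the OU), and it also covers the removal that the Delegation of Control Wizard cannot do. It assumes the ActiveDirectory module is available (RSAT or Server 2008 R2 and later), that it is run as an account permitted to change the OU's security descriptor, and that the OU, group and user names shown are placeholders to be replaced with your own.

```powershell
# Added example (not from the original document). Assumes the ActiveDirectory
# module is installed and that $ouDn / $managers / the member list below are
# replaced with real values; the ones here are placeholders.
Import-Module ActiveDirectory

# Resolve a schemaIDGUID by lDAPDisplayName so no GUIDs are hard-coded.
function Get-SchemaGuid {
    param([Parameter(Mandatory)][string]$LdapDisplayName)
    $schemaNc = (Get-ADRootDSE).schemaNamingContext
    $obj = Get-ADObject -SearchBase $schemaNc -Filter "lDAPDisplayName -eq '$LdapDisplayName'" -Properties schemaIDGUID
    if (-not $obj) { throw "Schema object '$LdapDisplayName' not found" }
    return [Guid]$obj.schemaIDGUID
}

# Step 1: a Global security group that holds the trusted users.
function New-GroupManagersGroup {
    param([string]$Name, [string]$OuDn, [string[]]$Members)
    if (-not (Get-ADGroup -Filter "Name -eq '$Name'" -SearchBase $OuDn)) {
        New-ADGroup -Name $Name -GroupScope Global -GroupCategory Security -Path $OuDn | Out-Null
    }
    if ($Members) { Add-ADGroupMember -Identity $Name -Members $Members }
}

# Step 2: Read/Write Property on "member", inherited by every group object
# under the OU - the same ACE the wizard's common task writes.
function Grant-GroupMembershipDelegation {
    param([string]$OuDn, [string]$ManagerGroup)
    $sid = (Get-ADGroup -Identity $ManagerGroup).SID
    $ace = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
        $sid,
        [System.DirectoryServices.ActiveDirectoryRights]'ReadProperty, WriteProperty',
        [System.Security.AccessControl.AccessControlType]::Allow,
        (Get-SchemaGuid 'member'),
        [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents,
        (Get-SchemaGuid 'group'))
    $acl = Get-Acl -Path "AD:\$OuDn"
    $acl.AddAccessRule($ace)
    Set-Acl -Path "AD:\$OuDn" -AclObject $acl
}

# Audit: the explicit (non-inherited) ACEs the managers group holds on the OU.
function Get-DelegatedAces {
    param([string]$OuDn, [string]$ManagerGroup)
    (Get-Acl -Path "AD:\$OuDn").Access |
        Where-Object { -not $_.IsInherited -and $_.IdentityReference.Value -like "*\$ManagerGroup" }
}

# Removal: the wizard cannot undo itself, so strip the explicit ACEs here
# instead of editing the Security tab by hand. Returns how many were removed.
function Remove-GroupMembershipDelegation {
    param([string]$OuDn, [string]$ManagerGroup)
    $acl = Get-Acl -Path "AD:\$OuDn"
    $stale = @(Get-DelegatedAces -OuDn $OuDn -ManagerGroup $ManagerGroup)
    foreach ($rule in $stale) { $acl.RemoveAccessRuleSpecific($rule) }
    Set-Acl -Path "AD:\$OuDn" -AclObject $acl
    return $stale.Count
}

# Placeholder values - replace with your own OU, group and user names.
$ouDn     = 'OU=ElectronicTriageSystem,DC=example,DC=local'
$managers = 'ElectronicTriageSystemManagers'

New-GroupManagersGroup -Name $managers -OuDn $ouDn -Members @('jbloggs')   # placeholder user
Grant-GroupMembershipDelegation -OuDn $ouDn -ManagerGroup $managers
Get-DelegatedAces -OuDn $ouDn -ManagerGroup $managers |
    Format-Table IdentityReference, ActiveDirectoryRights, ObjectType, InheritedObjectType -AutoSize
# To revoke later:  Remove-GroupMembershipDelegation -OuDn $ouDn -ManagerGroup $managers
```

Two points worth checking after running it. First, the ACE is inherited by every group object in the OU and its sub-OUs, so only groups the managers are meant to control should live there. Second, because Step 2 places the managers group in the same OU, the managers can also change the membership of their own managers group; if that is not intended, keep the managers group in a separate OU. The Get-DelegatedAces output is the quickest way to confirm what was actually granted before handing the console to the trusted users.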


Step 3
Create a console Taskpad
When you are creating a console for another user, you can give them an administrative console that
is specifically designed for the management task they will be performing. This involves creating
taskpads with a simplified view.

10. On the Start Menu, click Run, type mmc and click OK. Microsoft Management Console
    opens with an empty console, Console1. The empty console has no management functionality
    until you add some snap-ins.

11. Click File | Add/Remove Snap-in.

12. In the Snap-ins window, click Add, choose Active Directory Users and Computers from the
    left pane and click Add. Then click Close and OK.

13. In the left pane, expand Active Directory Users and Computers and expand your domain.

14. Drill down to the appropriate OU, right-click it and select New Taskpad View.

15. The New Taskpad View Wizard appears.


16. Leave the default Taskpad Style setting and click Next (or customize it if you wish).

17. In the Taskpad Reuse window, choose Selected tree item and click Next.

18. Name the Taskpad.


19. Click Next followed by Finish to create the new taskpad view. Ensure that Add new task
    to this taskpad after the wizard closes is selected.

When the wizard completes, Windows automatically launches a second wizard, the New Task
Wizard. This wizard allows you to create tasks for the taskpad you have just created.

20. The New Task Wizard window appears. Click Next.

21. In the command type window, choose Menu Command and click Next.

The column on the left contains a list of users, and the column on the right contains the
commands that are available when a user right-clicks the selected item.

It is important to note that simply making a command available to a user does not give them
permission to perform that command.

22. Select a user account, e.g. OUManagers, and a command such as Move, then click Next.


23. You are now asked to enter a name and description for the command you are creating.
    These fields are filled in by default, so you can move straight on to the next screen.
    Click Next.

24. Choose your desired icon in the Task Icon window. In this case, I am using the handshake
    icon. Click Next.

25. Click Finish to complete the New Task Wizard.


Step 4

Simplifying the console view

Configure the console so that the user can view only the groups they are to manage.

26. To view only the required group, select View > Filter Options.

27. In Filter Options, choose Create custom filter and click Customize.

28. In the Custom Search field, select Group > Name. In the Condition field choose Starts
    with and enter a value, e.g. the group name ElectronicTriageSystem. Click OK, then OK
    again. Go back to the OU: you should now see only the group and its groupManagers group.


Click the console's icon (just below the toolbar) and choose the Customize View option from
the resulting menu. Then remove everything that you do not want to make accessible through
the console.

29. To prevent unnecessary changes to the console, customize the view: click View > Customize.

30. Uncheck all the options under MMC to obtain a minimal view.

31. Save the created Console1.msc to your desktop and rename it groupname.msc.

Step 4

Locking down the console

When you create a console for another user, it is useful to be able to prevent that user from
further customizing the console. The Options dialog box allows you to do this.

32. From the Console menu, select File > Options. This opens the Console tab.

33. Change the Console Mode by selecting User Mode - limited access, single window from the
    drop-down list. This prevents a user from adding new snap-ins to the console file or
    rearranging the windows.

34. Save the console file. The changes will not take effect until the console file is
    opened again.

Author mode: use when you want to continue customizing the console.

User Mode - Full Access: users of the console can navigate between and use all snap-ins.
Users will not be able to add or remove snap-ins, or change the properties of snap-ins or the
console.

User Mode - Limited Access, Multiple Windows: users can navigate to and use only the snap-ins
that you have made visible in the console tree, and you can preconfigure multiple windows that
focus on specific snap-ins. Users will not be able to open new windows.

User Mode - Limited Access, Single Window: users can navigate to and use only the snap-ins
that you have made visible in the console tree, within a single window.

These modes allow you to configure your own consoles and distribute them to other
administrators. Configured in the correct mode, a console prevents those administrators from
accessing specific areas of functionality and from modifying the console configuration.

Once a console is no longer saved in Author mode, the original author can still make changes
to it by right-clicking the saved console and choosing Author.


Step 5

Enabling the Taskpad to work on the trusted user's computer

You can copy specific DLL files to the delegated administrator's workstation to enable the
console to run without installing the whole adminpak.

35. Copy the MSC file you created, via a UNC path, to the delegated person's desktop.

36. Copy the two DLLs from S:\Microsoft\Server admin tools\group membership dlls to the
    user's system32 folder and register them with regsvr32 on their machine:

    adprop.dll (for object properties)
    dsadmin.dll (ability to alter object properties)

37. From the Start Menu, choose Run. Type REGSVR32 and then either drag the DLL file from the
    directory on the local machine into the Run box or type the path manually so it reads:
    REGSVR32 C:\WINDOWS\system32\adprop.dll
    REGSVR32 C:\WINDOWS\system32\dsadmin.dll
    You should see a message that each file has been registered successfully.

38. To install a limited MMC console without installing the full adminpak.msi:

    Copy adminpak.msi from S:\Microsoft\Server admin tools to c:\windows\system32

    Open a command prompt and change to the c:\windows\system32 directory:
    cd \windows\system32

    Then run:
    msiexec /i adminpak.msi ADDLOCAL=FeADTools /qb

For the Taskpad to run on the user's computer, Microsoft Management Console 3.0 needs to be
installed:

http://www.microsoft.com/downloads/en/details.aspx?FamilyID=61fc1c66-06f2-463c-82a2-cf20902ffae0
