Delegate authority via Microsoft Active Directory

It is often easy to forget some of the basic benefits of complex systems. This is especially true when you spend significant efforts focusing in on the detailed configurations of a system. One of the often-overlooked basic benefits of Active Directory is delegated authority.

Delegated authority is the ability to assign administrative level rights, privileges and access to non-administrative or system-operator level users. In other words, delegated authority allows you to take advantage of the ordinary users' eagerness to gain a little power while reducing your own workload and administrative overhead.

Active Directory's delegation capabilities are made possible through the various compartments, divisions, or groupings used to establish the infrastructure design of a forest. Those groupings are: forest, tree, domain, site and organizational unit. Within each of these compartments you can assign individual administrative functions to other users. But keep in mind the granted privilege is available to them throughout the compartment and all sub-compartments (for example, granting someone a capability at a domain level grants them that capabilities in all OUs within that domain).

Delegating authority can be performed using broad strokes of granting privileges or used in a very rigid, controlled fine-tuned manner. You can grant a person the ability to manage user accounts from creation to upkeep to removal or you could grant them the ability to alter just

    Requires Free Membership to View

the phone number field or reset passwords.

Delegation can be a tremendous time saver if you make the effort to grant only the privileges necessary for users to perform their newly assigned "administrative" tasks. Granting too much access to non-administrators can result in chaos, downtime and havoc (in other words, overlapping of responsibilities, misconfigured systems and management disdain at your parceling out your work tasks to others). So, plan carefully. Implement incrementally. Double-check your work. And audit the actions of your new administrative deputies.

James Michael Stewart is a researcher and writer for Lanwrights, Inc.

This was first published in July 2002

There are Comments. Add yours.

TIP: Want to include a code block in your comment? Use <pre> or <code> tags around the desired text. Ex: <code>insert code</code>

REGISTER or login:

Forgot Password?
By submitting you agree to receive email from TechTarget and its partners. If you reside outside of the United States, you consent to having your personal data transferred to and processed in the United States. Privacy
Sort by: OldestNewest

Forgot Password?

No problem! Submit your e-mail address below. We'll send you an email containing your password.

Your password has been sent to:

Disclaimer: Our Tips Exchange is a forum for you to share technical advice and expertise with your peers and to learn from other enterprise IT professionals. TechTarget provides the infrastructure to facilitate this sharing of information. However, we cannot guarantee the accuracy or validity of the material submitted. You agree that your use of the Ask The Expert services and your reliance on any questions, answers, information or other materials received through this Web site is at your own risk.