Bob: I agree on the book recommendation. Chapter 4 is a virtual mountain
of good info. For the more involved/intense AD Admin I would also point
out and recommend Managing Enterprise Active Directory Services (Robbie
Allen/Richard Puckett, Addison Wesley Publishing). That book will
probably fly over the head of most AD Admins out there but the info is
really good; I was especially impressed by the section on SDDLs. If they
only could have had a few chapters on Exchange 2K integration and how to
make it less painful... :oP


Michael, what specific things are you looking to delegate? As a general
rule I avoid the GUIs as the command line is generally much more
efficient and people are more consistent when they run scripts than when
they do things in the GUI. With GUI I think ad hoc and you don't admin
AD ad hoc or at least you don't do it for long or else it will bite you.
Anyway if you give specifics of things you are looking for, people on
the list could recommend how to do it, etc. 

Such as how to delegate unlock capability to the HelpDesk group on the
users OU of domain.com

dsacls "CN=Users,DC=domain,DC=com" /I:S /G "Domain\HelpDesk":RPWP;lockoutTime;user

Or reset password to the same group on the same OU

dsacls "CN=Users,DC=domain,DC=com" /I:S /G "Domain\HelpDesk":CA;"Reset Password";user

Obviously the more delegation you do that fits patterns the better the
scripts pay off for you in terms of saved time realized and consistency
of configuration. You can wrap dsacls into a script or you can actually
call and modify the security descriptors directly. Writing scripts to
do this stuff at the command line usually starts giving benefits of side
tools that will let you do ACL audits and such a little easier as well
and best of all puts things in formats that you want and can be set up
to take advantage of things you know are set up in specific ways in your
environment.  



  joe
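
The ACL-audit side of the reply above, as an added example that is not part of the original thread or any poster's code: a Python sketch that parses an OU's SDDL string and compares one trustee's allow ACEs against the two delegations the dsacls commands create. The SID, the sample descriptor and the CIIO flags are constructed assumptions; the GUIDs are the standard schema GUIDs for lockoutTime, the Reset Password right and the user class.

```python
import re

# Schema GUIDs behind the names used in the thread's dsacls commands.
LOCKOUT_TIME = "28630ebf-41d5-11d1-a9c1-0000f80367c1"    # lockoutTime attribute
RESET_PASSWORD = "00299570-246d-11d0-a768-00aa006e0529"  # "Reset Password" extended right
USER_CLASS = "bf967aba-0de6-11d0-a285-00aa003049e2"      # user object class
HELPDESK_SID = "S-1-5-21-1111111111-2222222222-3333333333-1105"  # constructed SID

# Baseline the delegation script should produce: (type, rights, object, inherited object).
EXPECTED = {("OA", "RPWP", LOCKOUT_TIME, USER_CLASS),
            ("OA", "CR", RESET_PASSWORD, USER_CLASS)}

# Constructed sample descriptor; CIIO flags are assumed for the /I:S grants.
SAMPLE_SDDL = (
    "O:DAG:DAD:AI(A;;GA;;;DA)"
    f"(OA;CIIO;RPWP;{LOCKOUT_TIME};{USER_CLASS};{HELPDESK_SID})"
    f"(OA;CIIO;CR;{RESET_PASSWORD};{USER_CLASS};{HELPDESK_SID})"
    f"(A;CI;GA;;;{HELPDESK_SID})"  # drift: full control over the whole subtree
)

def parse_dacl(sddl):
    """Return the ACEs in the D: (DACL) part of an SDDL string as dicts."""
    m = re.search(r"D:[A-Z]*((?:\([^()]*\))+)", sddl)
    if not m:
        return []
    aces = []
    for body in re.findall(r"\(([^()]*)\)", m.group(1)):
        fields = body.split(";")
        if len(fields) < 6:
            raise ValueError("malformed ACE: " + body)
        # Sort the two-letter right codes so "WPRP" and "RPWP" compare equal.
        rights = "".join(sorted(re.findall("[A-Z]{2}", fields[2])))
        aces.append({"type": fields[0], "rights": rights, "object": fields[3].lower(),
                     "inherit_object": fields[4].lower(), "trustee": fields[5]})
    return aces

def audit_trustee(sddl, sid, expected=EXPECTED):
    """Return (matched, unexpected, missing) allow ACEs for one trustee."""
    matched, unexpected = set(), []
    for ace in parse_dacl(sddl):
        if ace["trustee"] != sid or ace["type"] not in ("A", "OA"):
            continue
        key = (ace["type"], ace["rights"], ace["object"], ace["inherit_object"])
        if key in expected:
            matched.add(key)
        else:
            unexpected.append(ace)
    return matched, unexpected, set(expected) - matched
```

On the sample descriptor the audit matches both scripted delegations and reports the generic full-control ACE for the same group as unexpected.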


-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Free, Bob
Sent: Thursday, June 19, 2003 6:02 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] suggestions for OU delegation information
sources


Some of the better coverage I've seen of the subject is in Chapter 4 of
Inside Active Directory: A System Administrator's Guide (ISBN:
0-201-61621-1), By Sakari Kouti and Mike Seitsonen

If you don't have the book (highly recommended BTW) MS published that
particular chapter on TechNet.

http://www.microsoft.com/technet/treeview/default.asp?url=/technet/prodtechnol/AD/windows2000/deploy/confeat/securead.asp


-----Original Message-----
From: Thommes, Michael M. [mailto:[EMAIL PROTECTED] 
Sent: Thursday, June 19, 2003 1:45 PM
To: Active Directory Mailing List (E-mail)

Hi All!
    As we continue to "flesh out" our AD structure, we are trying to
give delegation authority for various objects in OUs to the appropriate
groups.  Being a "control freak", I don't want to give these groups full
control over all of the objects in the OU since this is also where our
user accounts sit.  We've done some experimenting with modifying the
delegwiz.inf file to create custom templates but find that information
for  exact permissions needed to do a particular task is somewhat
scarce.  Has anyone put together a custom delegwiz.inf file that we
could "borrow" from?  Is there any literature out there regarding
delegation that someone would recommend?  Any help is always
appreciated!  Thanks!

Mike Thommes
Argonne National Laboratory


List info   : http://www.activedir.org/mail_list.htm
List FAQ    : http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/

