RE: [ActiveDir] suggestions for OU delegation information sources
My preferred method is as follows. Keep OU names simple and linked to object type or organization delegation type. Use the description attribute on each OU to describe the OU instead of making the RDN and DN describe the OU. Also look at third-party products if you have to do multiple delegations and need to control content being entered. I am a big fan of Aelita's EDM 5.0 for both its 32-bit interface and its web interface and ADSI provider.

Here is a pretty good strategy.

Root
-AD
+ Delegation Description =
    +Users       Del#1/Users
    +Computers   Del#1/Computers
    -Groups      Del#1/Groups
    +Org         Del#1/Groups/Org
    +DL          Del#1/Groups/DL
    -OPS         Del#1/OPS
    +Services    Del#1/Services
    +Accounts    Del#1/Accounts
    +Contacts    Del#1/Contacts
    +Servers     Del#1/Servers
    +Resources   Del#1/Resources
+ Delegation Description
    +Users       Del#2/Users
    +Computers   Del#2/Computers
    -Groups      Del#2/Groups
    +Org         Del#2/Groups/Org
    +DL          Del#2/Groups/DL
    -OPS         Del#2/OPS
    +Services    Del#2/Services
    +Accounts    Del#2/Accounts
    +Contacts    Del#2/Contacts
    +Servers     Del#2/Servers
    +Resources   Del#2/Resources

When doing searches it is easier to search on description than on OU or CN. When programming it is easier to program names that are simple and short. If you named your OU "Del #1 Users", technically it is supported, but administratively it is a nightmare.

For delegation to work properly you need to separate the role of Domain Administrators (Directory Admins) and each delegated Admin of an OU (Data Admins). Directory Admins are responsible for creating Delegation and managing the physical security, patch level, disaster recovery, and operation of the Domain Controllers. Data Admins are responsible for creating the users, groups, and resource accounts within the directory.

Data Administration can be divided up as many ways as you see fit, I have a rule of three.

Full Admin: Full Control over managing OU and resources.
Helpdesk Admin: Ability to reset certain passwords, update attributes on certain objects, create new computer accounts and modify membership of ORG and DL groups. Read Access to Operations.
Server Admin: Ability to do Help desk tasks as well as manage server and resource objects in OPS OU.
Services Admins: Ability to manage service accounts and is the only one delegated to be able to modify the object other than the system account.

Through the use of third-party tools you can pretty easily create recurring roles, and limit the object type that can be created in an OU, dynamically populate groups, add validation to field entry, and a host of other important identity management tasks.

I also recommend that you use GPOs to restrict group memberships to certain key groups so they can't be hijacked by hackers or rogue admins.

Todd

-Original Message-
From: Thommes, Michael M. [mailto:[EMAIL PROTECTED]
Sent: Thursday, June 19, 2003 4:45 PM
To: Active Directory Mailing List (E-mail)
Subject: [ActiveDir] suggestions for OU delegation information sources

Hi All!

As we continue to flesh out our AD structure, we are trying to give delegation authority for various objects in OUs to the appropriate groups. Being a control freak, I don't want to give these groups full control over all of the objects in the OU since this is also where our user accounts sit. We've done some experimenting with modifying the delegwiz.inf file to create custom templates but find that information for exact permissions needed to do a particular task is somewhat scarce. Has anyone put together a custom delegwiz.inf file that we could borrow from? Is there any literature out there regarding delegation that someone would recommend? Any help is always appreciated! Thanks!

Mike Thommes
Argonne National Laboratory

List info : http://www.activedir.org/mail_list.htm
List FAQ: http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
RE: [ActiveDir] suggestions for OU delegation information sources
You might indeed have to wait for Robbie's Cookbook, but you can pre-order at Amazon:

http://www.amazon.com/exec/obidos/ASIN/0596004648/qid=1055854721/sr=2-1/ref=sr_2_1/104-1580686-2322327

I've seen it and I think Robbie's done a fantastic job.

Tony

-- Original Message --
Wrom: MHVIBGDADRZFSQHYUCDDJBLVLM
Reply-To: [EMAIL PROTECTED]
Date: Thu, 19 Jun 2003 22:07:06 -0700

Bob is right - this is a must have on your shelf (along with Robbie's book(s), of course!)

I thought Robbie's stuff went without saying :-] These are the books that never make it to my bookshelves, they stay either _on_ my desk or in the car, that's as high of a tribute as I can pay to any book.

In all honesty, I must admit to being very envious of Rick and Joe who have already seen Robbie's new book. The rest of us mere mortals must wait till it's published. I knew I should have kissed up to Robbie at DEC more VBG

-Original Message-
Wrom: HAALPTCXLYRWTQTIPWIGYOKSTTZRCLBDXRQBGJSN
Sent: Thursday, June 19, 2003 7:14 PM
To: [EMAIL PROTECTED]

Anyone that doesn't have this book is really, REALLY missing out on a truly great book on AD. This book has detailed subjects that most other authors have not drilled into as well. Plus, the illustrations that they use (visually) are great.

Robbie - your update to the AD book is wonderful. But, these two Finns did a GREAT job with a book that is absolutely phenomenal on what it covers. And, it covers it very well.

Bob is right - this is a must have on your shelf (along with Robbie's book(s), of course!)

Rick Kingslan MCSE, MCSA, MCT
Microsoft MVP - Active Directory
Associate Expert
Expert Zone - www.microsoft.com/windowsxp/expertzone

-Original Message-
Wrom: BOHMKHJYFMYXOEAIJJPHSCRTNHGSWZIDRE [mailto:[EMAIL PROTECTED] On Behalf Of Free, Bob
Sent: Thursday, June 19, 2003 5:02 PM
To: [EMAIL PROTECTED]

Some of the better coverage I've seen of the subject is in Chapter 4 of Inside Active Directory: A System Administrator's Guide (ISBN: 0-201-61621-1), by Sakari Kouti and Mike Seitsonen.

If you don't have the book (highly recommended BTW) MS published that particular chapter on TechNet.

http://www.microsoft.com/technet/treeview/default.asp?url=/technet/prodtechnol/AD/windows2000/deploy/confeat/securead.asp
RE: [ActiveDir] suggestions for OU delegation information sources
Is the scripting/cli information you're talking about here documented in either (or both) of these books?

Looks like I might need to expand the library a bit...

--
Roger D. Seielstad - MTS MCSE MS-MVP
Sr. Systems Administrator
Inovis Inc.

-Original Message-
From: Joe [mailto:[EMAIL PROTECTED]
Sent: Thursday, June 19, 2003 9:00 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] suggestions for OU delegation information sources

Bob: I agree on the book recommendation. Chapter 4 is a virtual mountain of good info. For the more involved/intense AD Admin I would also point out and recommend Managing Enterprise Active Directory Services (Robbie Allen/Richard Puckett, Addison Wesley Publishing). That book will probably fly over the head of most AD Admins out there but the info is really good, I especially was impressed on the section on SDDLs. If they only could have had a few chapters on Exchange 2K integration and how to make it less painful... :oP

Michael, what specific things are you looking to delegate? As a general rule I avoid the GUIs as the command line is generally much more efficient and people are more consistent when they run scripts than when they do things in the GUI. With GUI I think ad hoc and you don't admin AD ad hoc or at least you don't do it for long or else it will bite you.

Anyway if you give specifics of things you are looking for, people on the list could recommend how to do it, etc.

Such as how to delegate unlock capability to the HelpDesk group on the users OU of domain.com

    dsacls CN=Users,DC=domain,DC=com /I:S /G Domain\HelpDesk:RPWP;lockoutTime;user

Or reset password to the same group on the same OU

    dsacls CN=Users,DC=domain,DC=com /I:S /G "Domain\HelpDesk:CA;Reset Password;user"

Obviously the more delegation you do that fits patterns the better the scripts pay off for you in terms of saved time realized and consistency of configuration. You can wrap dsacls into a script or you can actually call and modify the security descriptors directly. Writing scripts to do this stuff at the command line usually starts giving benefits of side tools that will let you do ACL audits and such a little easier as well and best of all puts things in formats that you want and can be set up to take advantage of things you know are set up in specific ways in your environment.

joe
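
Joe's message above mentions ACL audits and SDDL alongside the two dsacls grants. The following is an added example, not code from anyone on the list: it parses an OU's DACL in SDDL form, renders each ACE in the dsacls notation used above, and compares what Domain\HelpDesk holds against those two grants. The SID, the sample SDDL string and the baseline structure are constructed for illustration.

```python
import re
from typing import NamedTuple

# schemaIDGUID / rightsGuid values from the AD schema for what the thread delegates.
GUID_NAMES = {
    "28630ebf-41d5-11d1-a9c1-0000f80367c1": "lockoutTime",     # attribute
    "00299570-246d-11d0-a768-00aa006e0529": "Reset Password",  # extended right
    "bf967aba-0de6-11d0-a285-00aa003049e2": "user",            # object class
}
# SDDL and dsacls spell three rights differently.
SDDL_TO_DSACLS = {"CR": "CA", "SW": "WS", "GX": "GE"}
ORDER = "GA GR GW GE CC DC LC WS RP WP DT LO CA SD RC WD WO".split()
FULL_CONTROL = frozenset(ORDER[4:])  # all 13 specific rights == Full Control
# ACE inheritance flags -> the dsacls /I: switch that produces them.
SCOPES = {
    frozenset(): "this object",
    frozenset({"CI"}): "/I:T",
    frozenset({"CI", "IO"}): "/I:S",
}
DACL_RE = re.compile(r"D:[A-Z]*((?:\([^()]*\))+)")
ACE_RE = re.compile(r"\(([^()]*)\)")


class Ace(NamedTuple):
    allow: bool
    scope: str
    grant: str  # dsacls-style "rights;object;inherited object type"
    sid: str


def grant_string(rights: str, obj: str, inh: str) -> str:
    """Render SDDL rights and GUIDs the way they are typed after /G in dsacls."""
    if rights.lower().startswith("0x"):
        codes = {rights}  # numeric access mask: reported verbatim
    else:
        codes = {SDDL_TO_DSACLS.get(c, c) for c in re.findall("..", rights)}
    if FULL_CONTROL <= codes:
        codes = {"GA"}
    ordered = sorted(codes, key=lambda c: ORDER.index(c) if c in ORDER else len(ORDER))
    parts = ["".join(ordered),
             GUID_NAMES.get(obj.lower(), obj),
             GUID_NAMES.get(inh.lower(), inh)]
    while parts and not parts[-1]:
        parts.pop()
    return ";".join(parts)


def parse_dacl(sddl: str) -> list[Ace]:
    """Return the allow/deny ACEs of the D: section; the S: (audit) section is ignored."""
    m = DACL_RE.search(sddl)
    aces = []
    for body in ACE_RE.findall(m.group(1)) if m else []:
        f = body.split(";")
        if len(f) < 6 or f[0] not in ("A", "D", "OA", "OD"):
            continue  # malformed or not an access ACE
        flags = frozenset(re.findall("..", f[1])) - {"ID"}  # inherited or explicit
        scope = SCOPES.get(flags, "flags=" + f[1])
        aces.append(Ace(f[0] in ("A", "OA"), scope, grant_string(f[2], f[3], f[4]), f[5]))
    return aces


def audit(sddl: str, sid_names: dict, baseline: dict):
    """Return (unexpected, missing) grants for every trustee named in baseline."""
    seen = {name: set() for name in baseline}
    unexpected = []
    for ace in parse_dacl(sddl):
        name = sid_names.get(ace.sid)
        if name not in baseline or not ace.allow:
            continue
        entry = (ace.scope, ace.grant)
        seen[name].add(entry)
        if entry not in baseline[name]:
            unexpected.append((name, *entry))
    missing = [(n, *e) for n in baseline for e in sorted(baseline[n] - seen[n])]
    return unexpected, missing


# Constructed sample data: SID, name mapping, baseline and SDDL are illustrative.
HELPDESK_SID = "S-1-5-21-1111111111-2222222222-3333333333-1105"
SID_NAMES = {HELPDESK_SID: r"Domain\HelpDesk"}
BASELINE = {r"Domain\HelpDesk": {("/I:S", "RPWP;lockoutTime;user"),
                                 ("/I:S", "CA;Reset Password;user")}}
USER = "bf967aba-0de6-11d0-a285-00aa003049e2"
SAMPLE_SDDL = (
    "O:DAG:DAD:AI"
    f"(OA;CIIO;RPWP;28630ebf-41d5-11d1-a9c1-0000f80367c1;{USER};{HELPDESK_SID})"
    f"(OA;CIIO;CR;00299570-246d-11d0-a768-00aa006e0529;{USER};{HELPDESK_SID})"
    f"(A;CI;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;{HELPDESK_SID})"  # stray Full Control
    "(A;;RPLCLORC;;;AU)"
    "S:AI(AU;SA;WP;;;WD)"
)

if __name__ == "__main__":
    unexpected, missing = audit(SAMPLE_SDDL, SID_NAMES, BASELINE)
    for trustee, scope, grant in unexpected:
        print(f"UNEXPECTED {trustee} {scope} {grant}")
    for trustee, scope, grant in missing:
        print(f"MISSING    {trustee} {scope} {grant}")
```
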
RE: [ActiveDir] suggestions for OU delegation information sources
Dude I am living E2K right now... Just wait though, I have some pretty cool scripts (well at least in my mind) I have worked out that I think others may eventually be interested in. Found a bug in the addon for DSA.MSC for E2K for displaying permissions on mailboxes with one of the permission displayer scripts I wrote, sent that one into MCS and Alliance. Also have a couple of KB articles I found that directly conflict with each other concerning mailbox delegation and what is required, also sent that one in.

:op

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rick Kingslan
Sent: Thursday, June 19, 2003 10:17 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] suggestions for OU delegation information sources

If they only could have had a few chapters on Exchange 2K integration and how to make it less painful... :oP

Oh, you are NOT EVEN gonna get this started again! Huh-uh! ;-D

Rick Kingslan MCSE, MCSA, MCT
Microsoft MVP - Active Directory
Associate Expert
Expert Zone - www.microsoft.com/windowsxp/expertzone
RE: [ActiveDir] suggestions for OU delegation information sources
Yeah I will get on this bandwagon as well and say that the Cookbook is a good book. The format will really fit what a lot of AD Admins out there need when they think, "You know I just need to do this or that, I wonder if it is in the cookbook? - Oh cool, here it is, with several different ways to do it..." Sort of like TIMTOWTDI man, rock on, this Robbie guy must have a perl mindset.

But again, once you understand that one and are still hungry, get Managing Enterprise Active Directory Services. Then you will really be geared for some serious admin work (after your head stops spinning), then you go and find Gil's Active Directory Programming and have even more fun.

If it doesn't exist somewhere (I am not aware of it) we should build a web page with must have reading for AD with descriptions and what the paper or book or web page is aimed at (dev or admin or quick howto or ?) and ratings or something.
RE: [ActiveDir] suggestions for OU delegation information sources
Go to Border's and flip through Robbie/Richard's Managing book, so many scripts you can't shake a stick at them. Lots of perl so you know it's got to be good. :op

My one complaint to them concerning the book was why the hell they took so long to write it, I could have used it starting in Oct 1999 when I had to start working on this stuff in the first place. They would have saved me considerable time and energy.
RE: [ActiveDir] suggestions for OU delegation information sources
I'm slowly working on something like that over here:

http://www.wiredeuclid.com/modules.php?op=modload&name=books&file=index

It's by no means complete, but it's slowly getting flushed out a bit. Of course, it probably shouldn't be running on a FreeBSD/Apache/PHP combination, though... ;)

Roger

--
Roger D. Seielstad - MTS MCSE MS-MVP
Sr. Systems Administrator
Inovis Inc.
RE: [ActiveDir] suggestions for OU delegation information sources
Late September or early October. The content is pretty much done now except for some final tech reviews (you know who you are :), but O'Reilly needs a full three months with it because it is going to be a 650-750 page book.

Robbie Allen
http://www.rallenhome.com/

-Original Message-
From: Hutchins, Mike [mailto:[EMAIL PROTECTED]
Sent: Friday, June 20, 2003 9:36 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] suggestions for OU delegation information sources

Anyone know when the AD cookbook is coming out?

-Original Message-
From: Roger Seielstad [mailto:[EMAIL PROTECTED]
Sent: Friday, June 20, 2003 6:35 AM
To: '[EMAIL PROTECTED]'

I'm slowly working on something like that over here:

http://www.wiredeuclid.com/modules.php?op=modloadname=booksfile=index

It's by no means complete, but it's slowly getting flushed out a bit. Of course, it probably shouldn't be running on a FreeBSD/Apache/PHP combination, though... ;)

Roger
--
Roger D. Seielstad - MTS MCSE MS-MVP
Sr. Systems Administrator
Inovis Inc.

-Original Message-
From: Joe [mailto:[EMAIL PROTECTED]
Sent: Friday, June 20, 2003 8:04 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] suggestions for OU delegation information sources

Yeah I will get on this bandwagon as well and say that the Cookbook is a good book. The format will really fit what a lot of AD Admins out there need when they think, You know I just need to do this or that, I wonder if it is in the cookbook? - Oh cool, here it is, with several different ways to do it... Sort of like TIMTOWTDI man, rock on, this Robbie guy must have a perl mindset

But again, once you understand that one and are still hungry, get Managing Enterprise Active Directory Services. Then you will really be geared for some serious admin work (after your head stops spinning), then you go and find Gil's Active Directory Programming and have even more fun

If it doesn't exist somewhere (I am not aware of it) we should build a web page with must have reading for AD with descriptions and what the paper or book or web page is aimed at (dev or admin or quick howto or ?) and ratings or something.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Tony Murray
Sent: Friday, June 20, 2003 7:08 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] suggestions for OU delegation information sources

You might indeed have to wait for Robbie's Cookbook, but you can pre-order at Amazon:

http://www.amazon.com/exec/obidos/ASIN/0596004648/qid=1055854721/sr=2-1/ref=sr_2_1/104-1580686-2322327

I've seen it and I think Robbie's done a fantastic job.

Tony
RE: [ActiveDir] suggestions for OU delegation information sources
Shhhweet!

-Original Message-
From: Robbie Allen [mailto:[EMAIL PROTECTED]
Sent: Friday, June 20, 2003 9:19 AM
To: '[EMAIL PROTECTED]'

Late September or early October. The content is pretty much done now except for some final tech reviews (you know who you are :), but O'Reilly needs a full three months with it because it is going to be a 650-750 page book.

Robbie Allen
http://www.rallenhome.com/
[ActiveDir] suggestions for OU delegation information sources
Hi All!

As we continue to flesh out our AD structure, we are trying to give delegation authority for various objects in OUs to the appropriate groups. Being a control freak, I don't want to give these groups full control over all of the objects in the OU since this is also where our user accounts sit. We've done some experimenting with modifying the delegwiz.inf file to create custom templates but find that information for exact permissions needed to do a particular task is somewhat scarce. Has anyone put together a custom delegwiz.inf file that we could borrow from? Is there any literature out there regarding delegation that someone would recommend? Any help is always appreciated! Thanks!

Mike Thommes
Argonne National Laboratory

List info : http://www.activedir.org/mail_list.htm
List FAQ: http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
RE: [ActiveDir] suggestions for OU delegation information sources
Bob: I agree on the book recommendation. Chapter 4 is a virtual mountain of good info. For the more involved/intense AD Admin I would also point out and recommend Managing Enterprise Active Directory Services (Robbie Allen/Richard Puckett Addison Wesley Publishing). That book will probably fly over the head of most AD Admins out there but the info is really good, I especially was impressed on the section on SDDLs. If they only could have had a few chapters on Exchange 2K integration and how to make it less painful... :oP

Michael what specific things are you looking to delegate? As a general rule I avoid the GUI's as the command line is generally much more efficient and people are more consistent when they run scripts than when they do things in the GUI. With GUI I think ad hoc and you don't admin AD ad hoc or at least you don't do it for long or else it will bite you.

Anyway if you give specifics of things you are looking for, people on the list could recommend how to do it, etc.

Such as how to delegate unlock capability to the HelpDesk group on the users OU of domain.com

    dsacls CN=Users,DC=domain,DC=com /I:S /G "Domain\HelpDesk:RPWP;lockoutTime;user"

Or reset password to the same group on the same OU

    dsacls CN=Users,DC=domain,DC=com /I:S /G "Domain\HelpDesk:CA;Reset Password;user"

Obviously the more delegation you do that fits patterns the better the scripts pay off for you in terms of save time realized and consistency of configuration. You can wrap dsacls into a script or you can actually call and modify the security descriptors directly. Writing scripts to do this stuff at the command line usually starts giving benefits of side tools that will let you do ACL audits and such a little easier as well and best of all puts things in formats that you want and can be set up to take advantage of things you know are set up in specific ways in your environment.

joe

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Free, Bob
Sent: Thursday, June 19, 2003 6:02 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] suggestions for OU delegation information sources

Some of the better coverage I've seen of the subject is in Chapter 4 of Inside Active Directory: A System Administrator's Guide (ISBN: 0-201-61621-1), By Sakari Kouti and Mike Seitsonen

If you don't have the book (highly recommended BTW) MS published that particular chapter on TechNet.

http://www.microsoft.com/technet/treeview/default.asp?url=/technet/prodtechnol/AD/windows2000/deploy/confeat/securead.asp
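The dsacls wrapping described in the message above, as an added example (not code from the thread or from any list member): a table-driven PowerShell wrapper that builds the two quoted dsacls grants for every OU in a list, validates its input before anything runs, and supports a dry run. The function names, task names, OU DNs and the Domain\HelpDesk group are assumptions made for illustration.

```powershell
# Added example, not code from the thread. Function names, task names, OU DNs
# and the group name are illustrative assumptions.

# Task name -> dsacls permission spec, as quoted in the thread:
#   <rights>;<attribute or control access right>;<inherited object type>
$DelegationTasks = @{
    UnlockAccount = 'RPWP;lockoutTime;user'
    ResetPassword = 'CA;Reset Password;user'
}

function New-DsaclsCommand {
    param(
        [Parameter(Mandatory)] [string]   $TargetDN,
        [Parameter(Mandatory)] [string]   $Trustee,
        [Parameter(Mandatory)] [string[]] $Task
    )
    # Accept only a plain container DN and a DOMAIN\group trustee, so a typo
    # or a stray quote cannot silently become a different grant.
    if ($TargetDN -notmatch '^(OU|CN)=[^"]+?(,DC=[A-Za-z0-9-]+)+$') {
        throw "Not a container DN: $TargetDN"
    }
    if ($Trustee -notmatch '^[A-Za-z0-9.-]+\\[A-Za-z0-9 ._-]+$') {
        throw "Trustee must look like DOMAIN\group: $Trustee"
    }
    foreach ($name in $Task) {
        if (-not $DelegationTasks.ContainsKey($name)) {
            throw "Unknown delegation task: $name"
        }
        $grant = '{0}:{1}' -f $Trustee, $DelegationTasks[$name]
        [pscustomobject]@{
            Task    = $name
            # /I:S (sub-objects only) and /G (grant) are the switches from the thread
            ArgList = @($TargetDN, '/I:S', '/G', $grant)
            Display = 'dsacls "{0}" /I:S /G "{1}"' -f $TargetDN, $grant
        }
    }
}

function Invoke-Delegation {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)] [string[]] $TargetDN,
        [Parameter(Mandatory)] [string]   $Trustee,
        [Parameter(Mandatory)] [string[]] $Task
    )
    # Build and validate the whole plan first: one bad DN stops the run
    # before any ACL has been changed.
    $plan = foreach ($dn in $TargetDN) {
        New-DsaclsCommand -TargetDN $dn -Trustee $Trustee -Task $Task
    }
    foreach ($cmd in @($plan)) {
        $dsaclsArgs = $cmd.ArgList
        if ($PSCmdlet.ShouldProcess($dsaclsArgs[0], $cmd.Display)) {
            & dsacls.exe @dsaclsArgs | Out-Null
            # Stop on a non-zero exit code rather than continue half-applied.
            if ($LASTEXITCODE -ne 0) {
                throw "dsacls exited with $LASTEXITCODE for: $($cmd.Display)"
            }
        }
        $cmd.Display   # emit each command line as a reviewable change record
    }
}

# Constructed sample input: two delegation OUs and one help desk group.
# -WhatIf prints the planned dsacls calls without touching the directory.
$ous = 'OU=Users,OU=Del1,DC=domain,DC=com', 'OU=Users,OU=Del2,DC=domain,DC=com'
Invoke-Delegation -TargetDN $ous -Trustee 'Domain\HelpDesk' -Task UnlockAccount, ResetPassword -WhatIf
```

Keeping the emitted command lines in version control gives a record of which grants were intended for each OU, which is the baseline an ACL audit compares against.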
RE: [ActiveDir] suggestions for OU delegation information sources
If they only could have had a few chapters on Exchange 2K integration and how to make it less painful... :oP

Oh, you are NOT EVEN gonna get this started again! Huh-uh! ;-D

Rick Kingslan MCSE, MCSA, MCT
Microsoft MVP - Active Directory
Associate Expert
Expert Zone - www.microsoft.com/windowsxp/expertzone

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Joe
Sent: Thursday, June 19, 2003 8:00 PM
To: [EMAIL PROTECTED]

Bob: I agree on the book recommendation. Chapter 4 is a virtual mountain of good info. For the more involved/intense AD Admin I would also point out and recommend Managing Enterprise Active Directory Services (Robbie Allen/Richard Puckett Addison Wesley Publishing). That book will probably fly over the head of most AD Admins out there but the info is really good, I especially was impressed on the section on SDDLs. If they only could have had a few chapters on Exchange 2K integration and how to make it less painful... :oP

Michael what specific things are you looking to delegate? As a general rule I avoid the GUI's as the command line is generally much more efficient and people are more consistent when they run scripts than when they do things in the GUI. With GUI I think ad hoc and you don't admin AD ad hoc or at least you don't do it for long or else it will bite you.

Anyway if you give specifics of things you are looking for, people on the list could recommend how to do it, etc.

Such as how to delegate unlock capability to the HelpDesk group on the users OU of domain.com

    dsacls CN=Users,DC=domain,DC=com /I:S /G "Domain\HelpDesk:RPWP;lockoutTime;user"

Or reset password to the same group on the same OU

    dsacls CN=Users,DC=domain,DC=com /I:S /G "Domain\HelpDesk:CA;Reset Password;user"

Obviously the more delegation you do that fits patterns the better the scripts pay off for you in terms of save time realized and consistency of configuration. You can wrap dsacls into a script or you can actually call and modify the security descriptors directly. Writing scripts to do this stuff at the command line usually starts giving benefits of side tools that will let you do ACL audits and such a little easier as well and best of all puts things in formats that you want and can be set up to take advantage of things you know are set up in specific ways in your environment.

joe
RE: [ActiveDir] suggestions for OU delegation information sources
Bob is right - this is a must have on your shelf (along with Robbie's book(s), of course!)

I thought Robbie's stuff went without saying :-] These are the books that never make it to my bookshelves, they stay either _on_ my desk or in the car, that's as high of a tribute as I can pay to any book. In all honesty, I must admit to being very envious of Rick and Joe who have already seen Robbie's new book. The rest of us mere mortals must wait till it's published. I knew I should have kissed up to Robbie at DEC more VBG

-Original Message-
From: Rick Kingslan [mailto:[EMAIL PROTECTED]
Sent: Thursday, June 19, 2003 7:14 PM
To: [EMAIL PROTECTED]

Anyone that doesn't have this book is really, REALLY missing out on a true great book on AD. This book has detailed subjects that most other authors have not drilled into as well. Plus, the illustrations that they use (visually) are great.

Robbie - your update to the AD book is wonderful. But, these two Finns did a GREAT job with a book that is absolutely phenomenal on what it covers. And, it covers it very well.

Bob is right - this is a must have on your shelf (along with Robbie's book(s), of course!)

Rick Kingslan MCSE, MCSA, MCT
Microsoft MVP - Active Directory
Associate Expert
Expert Zone - www.microsoft.com/windowsxp/expertzone