Module 6: Delegating Administrative Control in Active Directory
Delegation is a core concept in Active Directory (AD) that allows organizations to distribute administrative tasks safely. Instead of granting full Domain Admin rights, you can assign specific permissions to manage users, groups, or organizational units (OUs) — improving efficiency and security.
Object Security in Active Directory
- Active Directory Security Components
- Security Principals
- User, security group, service, and computer
- Identified by a unique ID
- Security Identifiers (SIDs)
- Uniquely identify security principals
- Are never reused
- Security Descriptors
- Security information associated with an object
- Contains DACLs and SACLs
- Discretionary and System Access Control Lists
- Discretionary Access Control List (DACL)
- Identifies the security principals that are allowed or denied access, and the level of access being allowed or denied
- System Access Control List (SACL)
- Controls how object access will be audited
- Access Control Entries
- Used in a DACL to deny access
- Used in a DACL to allow access
- Used in a DACL to deny or allow access to a property or property set or to limit inheritance to a specified type of child object
- Inheritance
- Eliminates the need to manually apply permissions to child objects
- Ensures that the permissions applied to a parent object are applied consistently to all child objects
- Ensures that when permissions on all objects within a container need to be changed, you only need to change the permissions on the parent object
- Ensures that when ACEs are directly applied to Active Directory objects, the ACEs override any conflicting inherited ACEs
- The Logon Process
- User Logs On
- Local Security Subsystem Obtains a Ticket for the User
- Local Security Subsystem Requests a Workstation Ticket
- Kerberos Service Sends a Workstation Ticket
- Local Security Subsystem Constructs an Access Token
- Access Token Is Attached to the User’s Process
- Access Tokens
- Are created during the logon process and used whenever a user attempts to gain access to an object
- Contain a SID, a unique identifier used to represent a user or a group
- Contain Group ID, a list of the groups to which a user belongs
- Contain user rights, the privileges of a User
- How Windows 2012 Grants Access to Resources
Controlling Access to Active Directory Objects
Access control in Active Directory (AD) is critical to maintaining a secure and well-governed network environment. By defining precise permissions, administrators can control who can view, modify, or manage various directory objects like users, groups, computers, and organizational units (OUs).
Key Concepts in AD Access Control
1. Active Directory Objects
Common objects include:
Users
Groups
Computers
OUs (Organizational Units)
Group Policy Objects (GPOs)
Each object has a security descriptor that contains permissions.
2. Access Control Lists (ACLs)
ACLs define which security principals (users or groups) can perform actions on an object.
Discretionary Access Control List (DACL): Grants or denies permissions.
System Access Control List (SACL): Used for auditing access events.
How to Control Access
1. Using Active Directory Users and Computers (ADUC):
Right-click the object (e.g., OU) → Properties
Go to Security tab
Add or edit permissions for users or groups
Click Advanced for granular control and inheritance settings
2. Common Permission Types:
| Permission | Action |
|---|---|
| Read | View object and attributes |
| Write | Modify object properties |
| Create/Delete | Add or remove objects in a container |
| Reset Password | Allows password change/reset |
| Full Control | All actions (use with caution) |
- Active Directory Permissions
- Can be allowed or denied
- Can be implicitly or explicitly denied
- Can be set as standard or special permission
- Controlling Inheritance of Permissions
- Objects Inherit Permissions That Exist at the Time of Creation
- Inheritance of Permissions Can Be Blocked
- Copy previously inherited permissions to the object
- Remove previously inherited permissions from the object
- Setting Active Directory Permissions
- Object Ownership
- Every Object Has an Owner
- The Owner Controls How Permissions Are Set on an Object, and to Whom Permissions Are Assigned
- If a Member of the Administrators Group Takes Ownership, the Default Owner Is the Group, Not the Individual User
- Changing Object Ownership
- The current owner assigns the Modify Ownership permission to other users
- Members of the Domain Admins group take ownership of any object in the domain
Delegating Administrative Control of Active Directory Objects
What Is Delegation of Control?
Delegation allows a user or group to perform administrative tasks (e.g., resetting passwords, creating users) within a defined scope, such as an OU, without giving full domain-wide access.
Why Delegate Control?
✅ Improve security by enforcing least privilege.
✅ Allow department-level autonomy (e.g., HR can manage HR users).
✅ Reduce workload on central IT.
✅ Avoid unnecessary Domain Admin privileges.
How to Delegate Control in Active Directory
Open Active Directory Users and Computers (ADUC).
Right-click the desired OU → Select Delegate Control.
Click Next → Select the user or group to delegate.
Choose from common tasks or select custom tasks.
Example: “Create, delete, and manage user accounts”
Review summary → Click Finish.
🎯 Tip: Always delegate at the OU level, not at the domain root.
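The wizard task named above, done with PowerShell instead of the GUI so the resulting ACEs are visible and repeatable. This is an added example, not part of the course material; the OU, group and domain names are assumed placeholders, and it needs the ActiveDirectory module and rights on the OU.

```powershell
# Added example (not course material): grant the HR-UserAdmins group the wizard task
# "Create, delete, and manage user accounts" on the HR OU, by adding the same ACEs the
# Delegation of Control Wizard writes. OU, group and domain names are assumed.
Import-Module ActiveDirectory

$ouDN  = 'OU=HR,DC=corp,DC=example'              # assumed scope: an OU, not the domain root
$group = Get-ADGroup -Identity 'HR-UserAdmins'   # assumed delegate (a group, not a user)

# Resolve the schemaIDGUID of the user class from the schema instead of hard-coding it.
$rootDse   = Get-ADRootDSE
$userClass = Get-ADObject -SearchBase $rootDse.schemaNamingContext `
    -LDAPFilter '(lDAPDisplayName=user)' -Properties schemaIDGUID
$userClassGuid = [guid]$userClass.schemaIDGUID

$allow = [System.Security.AccessControl.AccessControlType]::Allow
$acl   = Get-Acl -Path "AD:\$ouDN"

# ACE 1: create and delete *user* objects in this OU and every sub-OU (CC/DC on the scope).
$acl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $group.SID,
    [System.DirectoryServices.ActiveDirectoryRights]'CreateChild, DeleteChild',
    $allow,
    $userClassGuid,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All)))

# ACE 2: full control over existing user objects only; groups, computers and the OU
# itself are untouched (this is the "manage" part of the wizard task).
$acl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $group.SID,
    [System.DirectoryServices.ActiveDirectoryRights]::GenericAll,
    $allow,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents,
    $userClassGuid)))

Set-Acl -Path "AD:\$ouDN" -AclObject $acl

# Verify: show the explicit (non-inherited) ACEs now present for the group.
(Get-Acl -Path "AD:\$ouDN").Access |
    Where-Object { -not $_.IsInherited -and $_.IdentityReference -like "*\$($group.Name)" } |
    Format-Table IdentityReference, ActiveDirectoryRights, ObjectType, InheritedObjectType -AutoSize
```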
- Overview of Delegating Administrative Control
- Changing properties on a particular container unit
- Creating and deleting objects of a specific type under an organizational unit
- Updating specific properties on objects of a specific type under an organizational
- Using the Delegation of Control Wizard
- Start the Delegation of Control Wizard
- Select Users or Groups to Which to Delegate Control
- Assign Tasks to Delegate
- Select Active Directory Object Type
- Assign Permissions to Users or Groups
- Guidelines for Delegating Administrative Control
- Objects Inherit Permissions That Exist at the Time of Creation
- Use the Delegation of Control Wizard
- Track the Delegation of Permission Assignments
- Follow Organizational Guidelines for Delegating Control
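The "track the delegation of permission assignments" guideline needs something to report on. The script below, an added example rather than course material, lists every explicit (non-inherited) ACE on every OU in the domain, which is exactly where the Delegation of Control Wizard writes its permissions; the list of default principals it skips is an assumption and should be tuned for the domain being reviewed.

```powershell
# Added example (not course material): list every explicit, non-inherited ACE on every
# OU in the domain so delegated permissions can be tracked and reviewed. The set of
# default principals to skip ($defaultPrincipals) is an assumption; tune it per domain.
Import-Module ActiveDirectory

$rootDse   = Get-ADRootDSE
$guidNames = @{}
# Map schema class/attribute GUIDs and extended-right GUIDs to readable names.
Get-ADObject -SearchBase $rootDse.schemaNamingContext -LDAPFilter '(schemaIDGUID=*)' `
    -Properties lDAPDisplayName, schemaIDGUID |
    ForEach-Object { $guidNames[[guid]$_.schemaIDGUID] = $_.lDAPDisplayName }
Get-ADObject -SearchBase "CN=Extended-Rights,$($rootDse.configurationNamingContext)" `
    -LDAPFilter '(rightsGuid=*)' -Properties displayName, rightsGuid |
    ForEach-Object { $guidNames[[guid]$_.rightsGuid] = $_.displayName }

# Principals that appear on every OU by default; these are not delegations.
$defaultPrincipals = 'SYSTEM', 'SELF', 'Authenticated Users', 'Everyone', 'Administrators',
    'Account Operators', 'Print Operators', 'Pre-Windows 2000 Compatible Access',
    'Domain Admins', 'Enterprise Admins', 'Enterprise Domain Controllers',
    'Key Admins', 'Enterprise Key Admins'

function Resolve-GuidName([guid]$g) {
    if ($g -eq [guid]::Empty) { return 'All' }          # empty GUID = whole object / all types
    if ($guidNames.ContainsKey($g)) { return $guidNames[$g] }
    return $g.ToString()
}

function Get-OuDelegationReport {
    foreach ($ou in Get-ADOrganizationalUnit -Filter *) {
        $acl = Get-Acl -Path "AD:\$($ou.DistinguishedName)"
        foreach ($ace in $acl.Access) {
            # Inherited ACEs come from a parent; explicit ones were set on this OU.
            if ($ace.IsInherited) { continue }
            $name = $ace.IdentityReference.Value.Split('\')[-1]
            if ($defaultPrincipals -contains $name) { continue }
            [pscustomobject]@{
                OU         = $ou.DistinguishedName
                Principal  = $ace.IdentityReference.Value
                Type       = $ace.AccessControlType
                Rights     = $ace.ActiveDirectoryRights
                ObjectType = Resolve-GuidName $ace.ObjectType
                AppliesTo  = Resolve-GuidName $ace.InheritedObjectType
            }
        }
    }
}

Get-OuDelegationReport | Sort-Object OU, Principal | Format-Table -AutoSize
```

Run it periodically and diff the output against the last approved run; any new row is a delegation that should be explained by organizational guidelines.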
Customizing MMC Consoles in Windows Server for Efficient Administration
The Microsoft Management Console (MMC) is a powerful Windows administration tool that allows IT professionals to manage system settings, services, and Active Directory components through modular “snap-ins.” Customizing MMC helps streamline daily tasks and delegate management safely.
What Is an MMC Console?
An MMC console is a unified administrative interface where you can add multiple snap-ins like:
Active Directory Users and Computers (ADUC)
Group Policy Management
DNS Management
Event Viewer
Device Manager
Why Customize MMC?
Benefits of customizing MMC:
Create role-based consoles for helpdesk or junior admins
Limit access to specific tools
Improve efficiency with centralized tools
Reduce errors by hiding irrelevant options
How to Create a Custom MMC Console
Step-by-Step:
Press Win + R, type mmc, and press Enter.
Go to File > Add/Remove Snap-in.
Choose the required snap-ins (e.g., ADUC, DNS, etc.) and click Add.
Select the target computer (local or remote).
Once added, click OK.
Arrange snap-ins in the left pane for easy navigation.
Go to File > Save As and name your console (e.g., HR_AdminTools.msc).
- Creating Customized MMC Consoles
- Open MMC
- Add and configure the required snap-ins in the MMC console
- Configure the MMC console mode
- Configure the MMC console view
- Save the MMC console
- Distributing Customized MMC Consoles
- Installing Windows 2012 Snap-ins
- Are contained in Windows 2012 administrative tools
- Are required for remote administration from a client computer running Windows 2012 Professional
Setting Up Taskpads in MMC for Simplified Windows Server Management
Taskpads are custom views within Microsoft Management Console (MMC) that display icons or lists for frequently performed tasks. By setting up taskpads, system administrators can simplify complex operations, improve usability, and safely delegate routine tasks to helpdesk staff or junior admins.
What Is a Taskpad View?
A Taskpad View provides a customized panel inside MMC that:
Displays tasks as clickable buttons/icons
Can launch specific commands (like “Reset Password” or “Create User”)
Limits visibility to only allowed operations
Makes the MMC interface more intuitive
Why Use Taskpads?
Benefits:
Simplifies user interaction for non-technical staff
Reduces risk of accidental misconfigurations
Enables role-based task delegation
Improves efficiency for common tasks
How to Set Up a Taskpad in MMC
Step-by-Step Guide:
Press Win + R, type mmc, and press Enter.
Go to File > Add/Remove Snap-in, add tools like:
Active Directory Users and Computers
Group Policy Management
Event Viewer, etc.
Navigate to the item where you want to create a taskpad (e.g., a specific OU).
Right-click the item → Click New Taskpad View.
The Taskpad Wizard will launch:
Choose layout type: List, Vertical List, or No List
Optionally include a description
Set scope (this folder only or all subfolders)
After the wizard finishes, click Next to create specific tasks.
Creating Taskpad Tasks
After creating the taskpad view, you can add tasks:
Click Action > New Task
Choose:
Menu command (e.g., “New User”)
Shell command (run scripts or external apps)
Assign a label and optional icon
Add multiple tasks to the same view
Example Tasks:
Create a new user
Reset a password
Move user to a group
Launch a PowerShell script
Secure Your Taskpads
When saving the console:
Use User Mode – Limited Access to restrict what users can change.
Pair with delegated permissions to ensure task execution is within allowed scope.
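A script of the kind a taskpad "Shell command" task can launch, written as an added example (not course material) to show what "pairing a task with delegated permissions" looks like in practice: the delegation in AD is what actually limits the helpdesk account, and the script adds a scope check and a log line on top. The OU, script and log paths are assumed.

```powershell
# Added example (not course material): a script for a taskpad "Shell command" task that
# resets a user's password, but only for accounts inside the delegated OU. AD enforces
# the delegation itself; the scope check gives a clear error instead of "access denied",
# and the log line records who used the task. OU and log paths are assumed.
param(
    [Parameter(Mandatory)][string]$SamAccountName,
    [string]$AllowedOU = 'OU=HR,DC=corp,DC=example'   # assumed delegated scope
)
Import-Module ActiveDirectory

$user = Get-ADUser -Identity $SamAccountName -ErrorAction Stop
# Refuse anything whose DN is not under the delegated OU (covers sub-OUs too).
if ($user.DistinguishedName -notlike "*,$AllowedOU") {
    throw "$SamAccountName is outside the delegated scope ($AllowedOU); reset refused."
}

$newPassword = Read-Host -AsSecureString -Prompt "Temporary password for $SamAccountName"
Set-ADAccountPassword -Identity $user -Reset -NewPassword $newPassword
# Force the user to choose their own password at next logon.
Set-ADUser -Identity $user -ChangePasswordAtLogon $true

# Simple local audit trail of who used the task (assumed location).
$logDir = Join-Path $env:ProgramData 'HelpdeskTasks'
New-Item -ItemType Directory -Path $logDir -Force | Out-Null
"$(Get-Date -Format o) $env:USERDOMAIN\$env:USERNAME reset password for $($user.DistinguishedName)" |
    Add-Content -Path (Join-Path $logDir 'reset.log')
```

In the taskpad task, set the command to powershell.exe and the parameters to -File followed by the script path and -SamAccountName (path assumed); the helpdesk group only needs the Reset Password delegation on the OU for this to work.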
Saving and Sharing Your Console
Go to File > Options → Set the console to User Mode.
Save as an .msc file (e.g., HelpdeskConsole.msc).
Distribute via email, shared folder, or Group Policy shortcut.
- What Is a Taskpad?
- Is a Customized Administrative Tool
- Contains Tasks That Are Shortcuts to Specific Commands in an MMC Console
- Provides Advantages:
- Makes it easier for novice users to perform their jobs
- Makes complex tasks easier
- Creating and Configuring a Taskpad
- Create a customized MMC console
- Create a taskpad
- Configure a task in the taskpad
- Customize the taskpad view
- Adding Tasks in a Taskpad
- Each Task Is a Shortcut to a Command in the MMC Console
Use Deny Permissions Sparingly
Ensure That the Delegated User Completes the Delegated Tasks
Provide Training for Users Who Have Control of Objects