Monday, August 24, 2009

Extend the AD Delegation Control Wizard

I often see questions in the newsgroups about wanting to delegate control of AD, for example delegating control of a single OU.

Delegation is important because you don't want to just give any "admin" user Domain Admin rights. The key is to limit Domain Admin and other elevated rights to the people and tasks that actually need them.

There is a Delegation of Control Wizard that is started by right-clicking the OU (I'll be using an OU for the examples in this entire blog entry) and selecting Delegate Control.



When you run the wizard you get 11 choices by default at the OU level:





Where does this list of tasks come from and can it be extended?

That list is built from a file called delegwiz.inf. That file is located in the \Inf folder; in my case it is c:\windows\inf.

That file can be modified, and Microsoft has a great article that gives you a new file to use and outlines the steps required to make the modifications. It is part of their Best Practices for Active Directory Administration: Appendices.

For this blog entry we will specifically use:

Appendix O: Active Directory Delegation Wizard File

As you can see in Appendix O, you copy its contents into Notepad and replace the current delegwiz.inf with the new file. As they point out, make sure to back up your current file first.

After you make the change you will notice that you have many more choices than the original 11 you got by default.
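Before dropping a custom delegwiz.inf into place it is worth checking that every template listed in its [DelegationTemplates] index actually has the sections it refers to, otherwise a task can simply fail to show up in the wizard. The check below is an added example, not code from the original post or from Microsoft's appendix; the sample file content is constructed in the delegwiz.inf layout (a Templates index, then one section per template and per object type it touches) rather than copied from Appendix O.

```python
import re
# Constructed sample in the delegwiz.inf layout (not Appendix O's text); [template2.user] is deliberately absent.
SAMPLE_INF = """\
[DelegationTemplates]
Templates = template1, template2
[template1]
AppliesToClasses=domainDNS,organizationalUnit,container
Description = "Create, delete, and manage user accounts"
ObjectTypes = SCOPE, user
[template1.SCOPE]
user=CC,DC
[template1.user]
@=GA
[template2]
AppliesToClasses=organizationalUnit
Description = "Reset user passwords and force password change at next logon"
ObjectTypes = user
"""

def parse_inf(text):
    # Minimal INF reader: [section] headers, key=value lines, ';' starts a comment.
    sections, current = {}, {}
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()
        if not line:
            continue
        m = re.fullmatch(r"\[(.+)\]", line)
        if m:
            current = sections.setdefault(m.group(1), {})
            continue
        key, _, value = line.partition("=")
        current[key.strip()] = value.strip().strip('"')
    return sections

def split_list(value):
    return [v.strip() for v in value.split(",") if v.strip()]

def check_templates(text, object_class="organizationalUnit"):
    # Returns (task descriptions offered for object_class, structural problems found).
    sec = parse_inf(text)
    offered, problems = [], []
    for name in split_list(sec.get("DelegationTemplates", {}).get("Templates", "")):
        if name not in sec:
            problems.append(f"{name}: listed in Templates but no [{name}] section")
        t = sec.get(name, {})
        for otype in split_list(t.get("ObjectTypes", "")):
            if f"{name}.{otype}" not in sec:
                problems.append(f"{name}: ObjectTypes names {otype} but [{name}.{otype}] is missing")
        if object_class in split_list(t.get("AppliesToClasses", "")):
            offered.append(t.get("Description", name))
    return offered, problems
```

Run `check_templates(open(r"C:\Windows\Inf\delegwiz.inf").read())` against your edited copy; the second value of the result lists anything the index promises but the file does not define.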



There are also more advanced ways to delegate control in AD, and there are some good third-party tools as well. Some of those methods will be covered in future blog posts.

5 comments:

  1. Apropos post with Jorge's post on "Attributes names in AD and how they are displayed" from yesterday, this coincides with a comment he received on his.

  2. Great post Mike and reference to read from MS.

  3. On 2008 R2 I noticed this delegwiz.inf in both windows\system32 and windows\syswow64 but not in windows\inf. Does it need to be changed in both or one copied into windows\inf? What if there are multiple DCs? Does it need to be changed in all three?

  4. Yes it would have to be changed in all three if you wanted the custom delegation control wizard. I haven't tested on 2008 R2. That might be a future blog entry. Thanks a lot for coming by and commenting.

  5. Thanks, I was inquiring to try and work around this issue:

    https://msmvps.com/blogs/acefekay/archive/2012/02/07/active-directory-server-2008-r2-you-do-not-have-permission-to-modify-the-group.aspx
