Delegation Day

February 15, 2008


We have a new call center coming up and one of the projects I'm working on is Active Directory Delegation. This would allow me to give supervisors and call center managers the ability to reset the passwords and unlock the accounts of their users without calling me or my guys. Here are some resources:

Here's Microsoft's .doc guide regarding delegation:

Best Practices for Delegating Active Directory Administration

This Microsoft article tells you how to delegate the Unlock Account Right. (2003 users, skip the part about editing the Dssec.dat file; 2003 already has that enabled, and the setting isn't even there anyway):

How To Delegate the Unlock Account Right

This MS article is more of a collection of other MS articles regarding delegation:

How to Delegate Basic Server Administration To Junior Administrators

When delegating Active Directory tasks to non-technical users, look at using Taskpads:

Making use of Active Directory Taskpads

(I'm only linking to one page of a pretty decent article, so check out the rest of it as well.)

This is the best taskpad article I've found:

How can I easily perform management operations in AD from a customized Taskpad?

This is a quick article by someone who needed to delegate Unlock Account rights and describes his fun. He has some VBScript code that integrates into the taskpad that will take the highlighted user, unlock them, and log who unlocked whom on a domain controller. I'm currently looking at using this, but at the moment I'm getting errors:

WindowsITPro, Unlock User Accounts


Jesse said...

Hi Seth,

Thanks for the helpful links on the various aspects of delegation.

While Microsoft's whitepaper on delegation is super helpful, one of the things not covered in that delegation paper is how to find out who is delegated what access in Active Directory, and that is an important piece of security.

As a SysAdmin, would love to hear your thoughts on whether you find that to be a problem too?

Thanks bro.