Another great feature of Server 2008 is how the Delegation of Control Wizard simplifies granting rights for common tasks to groups or administrators. Let’s say that we’ve just started building our network, and we’d like to give our Helpdesk admins the ability to reset passwords for people. Since we don’t want the Helpdesk modifying other parts of our domain, we want to restrict their access rights to only that task for the time being. The simplest way is to use the Delegation of Control Wizard, so we’ll start by going to our Administrative Tools and opening the Active Directory Users and Computers snap-in. Once we expand our domain, we’ll go down to the OU that holds our Helpdesk group, right-click on it, and choose Delegate Control. The welcome screen of the Delegation Wizard pops up, and we click Next.

We need to add our Helpdesk, so we click Add.

We type in the name of our group, helpdesk, and then click the Check Names button. Once it finds them in AD, the name will display fully, and we can click the OK button.  

Once it shows up in our list of selected users and groups, we’ll move forward by clicking the Next button again.

Now we get to the real power of the Delegation of Control Wizard. The wizard lists the most commonly delegated tasks, and also lets you add some of the more obscure rights through the “Create a custom task to delegate” option. Since we just want to give our helpdesk admins the right to reset passwords, we’ll choose that one from the list and click Next.

Next we’ll get a summary of all the controls we are about to delegate. It’s always a good idea to read through this, just to make sure you didn’t check one of the wrong boxes by accident. Once we’re certain that everything looks good, we click the Finish button.

To verify what rights we’ve just delegated, we open a command prompt and type in: dsacls.exe "ou=People,dc=sysadmingeek,dc=com"

We can now see the rights listed out, and how those rights are inherited by our helpdesk admin, Susan Doe.  
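The same verification can be scripted so that anything beyond the password-reset delegation stands out. The following PowerShell is an added example, not part of the original article; it assumes the OU from the dsacls command above, the group name helpdesk, and that the wizard task granted only the Reset Password right plus read/write of pwdLastSet on user objects.

```powershell
# Added example: list what the delegated group holds on the OU and flag
# any entry that is not part of a password-reset delegation.
$ouDn    = 'ou=People,dc=sysadmingeek,dc=com'   # OU from the dsacls command above
$trustee = 'helpdesk'                           # group chosen in the wizard

# Well-known schema GUIDs involved in a password-reset delegation.
$resetPwd   = '00299570-246d-11d0-a768-00aa006e0529'  # Reset Password extended right
$pwdLastSet = 'bf967a0a-0de6-11d0-a285-00aa003049e2'  # pwdLastSet attribute
$userClass  = 'bf967aba-0de6-11d0-a285-00aa003049e2'  # user object class
$names = @{ $resetPwd = 'Reset Password'; $pwdLastSet = 'pwdLastSet'; $userClass = 'user'
            '00000000-0000-0000-0000-000000000000' = '(all)' }

function Resolve-Guid([Guid]$g) {
    # Show a friendly name for the GUIDs we know, the raw GUID otherwise.
    $s = $g.ToString()
    if ($names.ContainsKey($s)) { $names[$s] } else { $s }
}

# Read the OU's DACL (explicit and inherited entries), trustees as account names.
$acl   = ([ADSI]"LDAP://$ouDn").psbase.ObjectSecurity
$rules = $acl.GetAccessRules($true, $true, [System.Security.Principal.NTAccount])

$rules | Where-Object { $_.IdentityReference.Value -like "*\$trustee" } | ForEach-Object {
    $obj    = $_.ObjectType.ToString()
    $rights = $_.ActiveDirectoryRights.ToString()
    # Assumption: the only expected entries are Allow ACEs scoped to user
    # objects for Reset Password and for read/write of pwdLastSet.
    $expected = ($_.AccessControlType -eq 'Allow') -and
                ($_.InheritedObjectType.ToString() -eq $userClass) -and (
                  ($obj -eq $resetPwd   -and $rights -eq 'ExtendedRight') -or
                  ($obj -eq $pwdLastSet -and
                   $rights -match '^(ReadProperty|WriteProperty|ReadProperty, WriteProperty)$'))
    New-Object PSObject -Property @{
        Trustee   = $_.IdentityReference.Value
        Type      = $_.AccessControlType
        Rights    = $rights
        Object    = Resolve-Guid $_.ObjectType
        AppliesTo = Resolve-Guid $_.InheritedObjectType
        Inherited = $_.IsInherited
        Status    = if ($expected) { 'expected' } else { 'REVIEW' }
    }
} | Select-Object Status, Trustee, Type, Rights, Object, AppliesTo, Inherited |
    Format-Table -AutoSize
```

Rows marked REVIEW are rights the group holds on the OU that go beyond resetting passwords, such as GenericAll or a write to all properties, and are worth comparing against the wizard summary.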

This was just a brief glimpse of the Delegation Wizard; you can use it in much more depth than we’ve shown to get more specific with user and group controls.