Skip to content

How to Delegate Controls of an Organizational Unit to Any Domain User or Group in Windows Server 2003?

By Codrut Nistor

Posted in How-to, Windows-server-2003

There are times when administrators want to reduce their burden of managing some common tasks. This means that if an administrator manages the entire network which has several branches it is not possible for him to manage each and every Organizational unit in every branch. Therefore to reduce some of his overhead he may delegate some common privileges to a comparatively knowledgeable user of a branch. For example if in Phoenix branch user A is technically sound an administrator can grant some privileges to this user so that he may create delete and reset passwords for other user accounts in a particular Organizational unit. You can delegate Organizational unit controls to any user or group by following the steps given below:

  1. Log on to the domain controller with the administrative privileges.
  2. Click on Start button.
  3. From the start menu go to Administrative Tools and from the submenu click on Active Directory Users and Computers.
  4. Expand the domain name right click on the Organizational unit for which you want to delegate controls to any user and from the context menu click on Delegate Control.
  5. On Welcome to the Delegation of Control Wizard page click on Next button.
  6. On the Users or Groups page click on Add button.
  7. On the opened search box in Enter the object names to select text box type the name of the user or group to whom you want to dedicate the control of this Organizational unit and click on Check Names button.
  8. Once verified click on Ok button.
  9. Back on Users or Groups page click on Next button.
  10. On Tasks to Delegate page check the checkboxes of the tasks that you want to delegate to the selected user or group and click on Next button.
  11. On Completing the Delegation of Control Wizard page click on Finish button.

More Info:

If the user to whom you have delegated the task uses any client operating system (Windows XP or Windows 7) you need to install Adminpak.msi on that client operating system. This application installs administrative snap-ins like DNS or ADUC which are normally not available on any client operating system. You can find Adminpak.msi at C:WindowsSystem32 path on Windows Server 2003. Alternatively you can download it from the Microsoft’s official website for free.