Delegation of Control

Experts,
I want to delegate a bunch of junior admins to do stuff like add/remove computers to the domain, create/delete/disable user accounts but NOT be domain admins. I know I have to use Delegation of Control. But what icon do I right-click on to start the Delegation of Control Wizard? And what options do I pick in the wizard to get these options? -- Spin
Arek Iskra [MVP] replied:

You need to use the Active Directory Users and Computers snap-in to get to the wizard. Here's more info: http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/directory/activedirectory/stepbystep/ctrlwiz.mspx

--
Arek Iskra
MVP for Windows Server - Software Distribution

Paul Williams replied:

Where you delegate control depends on how you wish to scope such delegations. For example, if you wish to have one or two users manage a business unit that is represented by an OU (with child OUs, possibly), you set the permissions on this OU (you can either run delegwiz or just set the permissions yourself). If you want some domain-wide delegated admins, you set the permissions at the domain level.

Search Microsoft's website for the Active Directory best practices guide to delegation and its appendix. There's a lot to read, but it is worth it, so persevere.

--
Paul Williams
Microsoft MVP - Windows Server - Directory Services
http://www.msresource.net | http://forums.msresource.net

Cary Shultz replied:

Spin,

In addition to what PaulW has stated....

Please note that if you do use the Delegation Wizard there is really no place where you can look to see what things you have changed other than the objects themselves. In other words, there is no 'report' that is created when you use the Delegation Wizard. You will really need to document this so that you will know exactly who (better to use groups than user account objects) has been given what!

--
Cary W. Shultz
Roanoke, VA 24012

Ace Fekay [MVP] replied to Cary Shultz:

> Please note that if you do use the Delegation Wizard there is really no place where you can look to see what things you have changed other than the objects themselves. In other words, there is no 'report' that is created when you use the Delegation Wizard. You will really need to document this so that you will know exactly who (better to use groups than user account objects) has been given what!

Excellent point, Cary.

I would like to add, there is no "undelegate" wizard. So if a delegated user were to change their job and were to be moved to a different OU (assuming the delegated user was picked out of the OU they are to delegate), their permissions still remain and they can still alter objects. One would need to go into the Security tab of the OU (Adv View) to manually remove them.

Just an FYI, when I demo delegations in a classroom setting by picking a user in a specific OU, I would then move the delegated user to a different OU. I will then ask the class if the delegated user I just moved still has control in the OU I just moved them from. Surprisingly, about 75% or more think they no longer have permissions to that OU because I moved them, and the class usually consists of current AD network administrators or IT managers.

--
Ace

This posting is provided "AS-IS" with no warranties or guarantees and confers no rights.

Having difficulty reading or finding responses to your post? Instead of the website you're using, I suggest to use OEx (Outlook Express or any other newsreader), and configure a news account, pointing to news.microsoft.com. This is a direct link to the Microsoft Public Newsgroups. It is FREE and requires NO ISP's Usenet account. OEx allows you to easily find, track threads, cross-post, sort by date, poster's name, watched threads or subject.

It's easy: How to Configure OEx for Internet News
http://support.microsoft.com/?id=171164

Ace Fekay, MCSE 2003 & 2000, MCSA 2003 & 2000, MCSE+I, MCT, MVP
Microsoft MVP - Directory Services
Microsoft Certified Trainer

Assimilation Imminent. Resistance is Futile
Infinite Diversities in Infinite Combinations
"Very funny Scotty. Now, beam down my clothes."
The only thing in life is change. Anything more is a blackhole consuming unnecessary energy.

kj replied:

DSREVOKE can document (/report) the delegations to domain objects and OUs and also "revoke" them (generally).

It's not a "wizard" by any means, unless you compare it to searching and documenting by hand.

--
/kj

Cary Shultz replied:

Dang it!

KJ, you have posted that once. I forgot about that. Thank you for 'reminding' me!

--
Cary W. Shultz
Roanoke, VA 24012

kj replied:

I have that same problem - I can't remember the name. Probably looked in the 'toolbox' for half an hour before re-discovering it.

--
/kj

Ace Fekay [MVP] replied:

I forgot about that guy too! Thanks KJ!

Ace

Nick vW replied to Cary Shultz:

> Please note that if you do use the Delegation Wizard there is really no place where you can look to see what things you have changed other than the objects themselves. In other words, there is no 'report' that is created when you use the Delegation Wizard.

This will create reports of delegations...

http://www.scriptlogic.com/products/activeadmin/

Nick vW
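Editor's note: the thread makes three points that are easier to see in a script than in the wizard: set the permissions on the OU yourself and to a group rather than a user (Paul Williams, Cary Shultz); the wizard leaves no report other than the ACEs on the objects, so read them back (Cary Shultz); and an ACE names the trustee's SID, so moving the delegated user to another OU does not revoke anything, you have to remove the ACE (Ace Fekay, kj's DSREVOKE). The following PowerShell is an added example written for this page; it is not code from any poster, from Microsoft, or from DSREVOKE. It assumes a domain-joined host with the ActiveDirectory module (RSAT), an account allowed to write the OU's ACL, and placeholder OU and group names. Object and attribute GUIDs are resolved from the schema rather than hard-coded.

```powershell
# Added example: delegate, report and revoke OU-level permissions with ACEs
# instead of the Delegation of Control Wizard. Placeholder names throughout.
Import-Module ActiveDirectory

# Resolve a class or attribute lDAPDisplayName to its schemaIDGUID.
function Get-SchemaGuid {
    param([Parameter(Mandatory)][string]$LdapDisplayName)
    $schemaNC = (Get-ADRootDSE).schemaNamingContext
    $obj = Get-ADObject -SearchBase $schemaNC -LDAPFilter "(lDAPDisplayName=$LdapDisplayName)" -Properties schemaIDGUID
    if (-not $obj) { throw "Schema object '$LdapDisplayName' not found" }
    return [guid]$obj.schemaIDGUID
}

# Grant a GROUP the rights the original question asked for on one OU:
# create/delete user and computer objects, and write userAccountControl
# (enable/disable) on user objects below the OU. No Domain Admins membership.
function Grant-OuDelegation {
    param(
        [Parameter(Mandatory)][string]$OuDn,      # e.g. "OU=JuniorAdminScope,DC=corp,DC=example"
        [Parameter(Mandatory)][string]$GroupName  # e.g. "JuniorAdmins"; delegate to groups, not users
    )
    $sid          = [System.Security.Principal.SecurityIdentifier](Get-ADGroup $GroupName).SID
    $userGuid     = Get-SchemaGuid 'user'
    $computerGuid = Get-SchemaGuid 'computer'
    $uacGuid      = Get-SchemaGuid 'userAccountControl'
    $allow        = [System.Security.AccessControl.AccessControlType]::Allow
    $createDelete = [System.DirectoryServices.ActiveDirectoryRights]'CreateChild, DeleteChild'
    $writeProp    = [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty
    $inhAll       = [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All
    $inhDesc      = [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents

    $rules = @(
        # Create/delete user objects in this OU and in child OUs.
        New-Object System.DirectoryServices.ActiveDirectoryAccessRule($sid, $createDelete, $allow, $userGuid, $inhAll),
        # Create/delete computer objects (the "add/remove computers" half).
        New-Object System.DirectoryServices.ActiveDirectoryAccessRule($sid, $createDelete, $allow, $computerGuid, $inhAll),
        # Write userAccountControl on descendant user objects only (enable/disable).
        New-Object System.DirectoryServices.ActiveDirectoryAccessRule($sid, $writeProp, $allow, $uacGuid, $inhDesc, $userGuid)
    )
    $acl = Get-Acl -Path "AD:\$OuDn"
    foreach ($r in $rules) { $acl.AddAccessRule($r) }
    Set-Acl -Path "AD:\$OuDn" -AclObject $acl
}

# Report: the explicit (non-inherited) ACEs on the OU are the only record of
# what was delegated there. Optionally narrow to one trustee name.
function Get-OuDelegation {
    param([Parameter(Mandatory)][string]$OuDn, [string]$Identity)
    (Get-Acl -Path "AD:\$OuDn").Access |
        Where-Object { -not $_.IsInherited } |
        Where-Object { -not $Identity -or $_.IdentityReference.Value -like "*$Identity" } |
        Select-Object IdentityReference, ActiveDirectoryRights, AccessControlType,
                      ObjectType, InheritanceType, InheritedObjectType
}

# Revoke: remove every explicit ACE whose trustee SID matches the account.
# Moving the account to another OU does not touch these ACEs; this does.
function Revoke-OuDelegation {
    param([Parameter(Mandatory)][string]$OuDn, [Parameter(Mandatory)][string]$SamAccountName)
    $target = Get-ADObject -LDAPFilter "(sAMAccountName=$SamAccountName)" -Properties objectSid
    if (-not $target) { throw "Account '$SamAccountName' not found" }
    $targetSid = [System.Security.Principal.SecurityIdentifier]$target.objectSid
    $acl = Get-Acl -Path "AD:\$OuDn"
    $removed = 0
    foreach ($ace in @($acl.Access | Where-Object { -not $_.IsInherited })) {
        $aceSid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier])
        if ($aceSid -eq $targetSid) {
            [void]$acl.RemoveAccessRuleSpecific($ace)
            $removed++
        }
    }
    if ($removed -gt 0) { Set-Acl -Path "AD:\$OuDn" -AclObject $acl }
    return $removed   # number of ACEs removed; 0 means nothing was delegated to that SID here
}
```

Usage, with the placeholder names: `Grant-OuDelegation -OuDn 'OU=JuniorAdminScope,DC=corp,DC=example' -GroupName 'JuniorAdmins'`, then `Get-OuDelegation -OuDn 'OU=JuniorAdminScope,DC=corp,DC=example' | Format-Table` to see what the OU now carries, and `Revoke-OuDelegation -OuDn '...' -SamAccountName 'jdoe'` to strip anything granted directly to a user who has moved on (it returns 0 if the rights were, correctly, granted to a group instead). Two caveats that are not in the thread: the report covers one OU, so run `Get-OuDelegation` over every OU (and the domain head) you ever delegated on, which is the search DSREVOKE automates; and creating a computer object is not by itself enough for a junior admin to complete a domain join of a pre-created account, which also needs rights on the computer object (reset password and the validated writes to DNS host name and SPN), so test the join before declaring the delegation done.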