2/6/2008 -- Delegation can come in handy when you want to assign specific rights to non-administrators so they can perform certain tasks in Active Directory.
If you've delegated rights on an account only to find later that the permissions have been revoked, it's most likely because that account is a member of one of the protected built-in groups (Account Operators, Administrators, Backup Operators, Domain Admins, Enterprise Admins, Print Operators, Schema Admins, Server Operators, and a few others), either directly or through a nested group.
The Delegation of Control Wizard simply writes ACEs onto the object or OU you picked. Separately, once an hour a thread on the domain controller that holds the PDC Emulator role (the Security Descriptor Propagator, SDProp) walks the membership of the protected groups, copies the ACL of the CN=AdminSDHolder,CN=System object in your domain onto every member account (and group), disables inheritance on it, and sets its adminCount attribute to 1. Any ACE the wizard placed directly on such an account, or that the account would have inherited from its OU, is gone after the next run, so the delegated rights on that account can appear to be revoked within an hour. What matters is the group membership of the objects whose ACLs were changed, not that of the person receiving the delegation. ACEs on the OU itself survive; they just never reach the protected accounts inside it.
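The following script is an added example, not code from the original post, that audits the situation described above. It assumes the ActiveDirectory PowerShell module (RSAT, Windows Server 2008 R2 or later) and an account that can read ACLs in the domain; the trustee name HelpdeskTier1 is hypothetical. It lists every object SDProp manages (transitive members of the protected groups, plus anything already stamped with adminCount=1) and reports, per object, whether inheritance is blocked, whether the DACL now matches AdminSDHolder's, and whether the delegated ACE is still there.

```powershell
# Added example (not from the original post). Assumes the ActiveDirectory module
# and read access to the domain's ACLs. The trustee name is hypothetical.
Import-Module ActiveDirectory

$domain   = Get-ADDomain
$holderDN = "CN=AdminSDHolder,CN=System,$($domain.DistinguishedName)"

# Trustee you delegated rights to with the Delegation of Control Wizard
# (hypothetical; replace with your own group or user).
$trustee = "$($domain.NetBIOSName)\HelpdeskTier1"

# Default protected groups. Enterprise Admins and Schema Admins exist only in
# the forest root domain, so groups that are not found are skipped.
$protectedGroups = 'Account Operators','Administrators','Backup Operators',
    'Domain Admins','Domain Controllers','Enterprise Admins','Print Operators',
    'Read-only Domain Controllers','Replicator','Schema Admins','Server Operators'

# Objects SDProp will stamp on its next run: transitive members of those groups.
$managed = @{}
foreach ($g in $protectedGroups) {
    $grp = Get-ADGroup -Identity $g -ErrorAction SilentlyContinue
    if ($grp) {
        Get-ADGroupMember -Identity $grp -Recursive |
            ForEach-Object { $managed[$_.distinguishedName] = $g }
    }
}
# Plus anything it has already stamped: adminCount stays at 1 even after the
# object has been removed from the group.
Get-ADObject -LDAPFilter '(adminCount=1)' |
    Where-Object { -not $managed.ContainsKey($_.DistinguishedName) } |
    ForEach-Object { $managed[$_.DistinguishedName] = '(adminCount=1 only)' }

# DACL of AdminSDHolder in SDDL form, for a direct comparison.
$holderDacl = (Get-Acl -Path "AD:\$holderDN").GetSecurityDescriptorSddlForm('Access')

foreach ($dn in $managed.Keys) {
    $acl = Get-Acl -Path "AD:\$dn"
    # The wizard's ACE (written here directly, or inherited from the OU) is gone
    # once SDProp has copied AdminSDHolder's DACL over this object.
    $delegatedAce = $acl.Access | Where-Object { $_.IdentityReference.Value -eq $trustee }
    [pscustomobject]@{
        Object              = $dn
        ProtectedVia        = $managed[$dn]
        InheritanceBlocked  = $acl.AreAccessRulesProtected
        DaclMatchesHolder   = ($acl.GetSecurityDescriptorSddlForm('Access') -eq $holderDacl)
        DelegatedAcePresent = [bool]$delegatedAce
    }
}
```

Run it once, wait for the next SDProp pass (up to an hour), and run it again: the rows whose DelegatedAcePresent flips to False are the accounts the post is talking about. Objects that show up as "(adminCount=1 only)" are ones that left a protected group but were never cleaned up.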
There are two simple workarounds to this problem. The first is to avoid the conflict altogether: don't delegate on accounts that belong to a protected group, and accept that the only rights anyone holds over those accounts are the ones in AdminSDHolder's own ACL (which can be edited, but then applies to every protected account in the domain). The second is to ensure that the accounts involved, the IT staff being delegated the rights and the accounts they are going to manage, aren't members of a built-in protected group in the first place.
You can create your own groups and add the users to those instead. For example, if a user needs what the Backup Operators group provides, create your own IT Backup Operators group, grant it only the user rights it actually needs (such as "Back up files and directories" and "Restore files and directories", assigned through Group Policy on the servers in question) and make the user a member of that group rather than the built-in one. Custom groups are not protected, so SDProp leaves their members' ACLs alone. One caveat: removing an account from a protected group does not undo what SDProp already did. The account keeps adminCount=1 and blocked inheritance until you clear the attribute and re-enable inheritance yourself.
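Here is the second workaround carried through end to end, as an added example rather than code from the original post. It assumes the ActiveDirectory module and dsacls.exe (present on domain controllers and with RSAT), plus rights to edit the OU, the groups and the user; the OU paths, the group name IT Backup Operators, the user jdoe and the delegated right (Reset Password on user objects) are all hypothetical. Granting the custom group its backup/restore user rights is a Group Policy change and is not done by the script.

```powershell
# Added example (not from the original post). Assumes the ActiveDirectory module
# and dsacls.exe. OU, group and user names below are hypothetical.
Import-Module ActiveDirectory

$domain    = Get-ADDomain
$staffOU   = "OU=Staff,$($domain.DistinguishedName)"
$groupsOU  = "OU=IT Groups,$($domain.DistinguishedName)"
$groupName = 'IT Backup Operators'
$sam       = 'jdoe'

# 1. A custom group: it is not protected, so SDProp ignores it and its members.
#    Its user rights (e.g. "Back up files and directories") are granted separately
#    through Group Policy, not here.
if (-not (Get-ADGroup -Filter "Name -eq '$groupName'")) {
    New-ADGroup -Name $groupName -GroupScope Global -GroupCategory Security `
        -Path $groupsOU -Description 'Custom replacement for the built-in Backup Operators group'
}

# 2. Delegate to the custom group what the wizard would have delegated: the
#    "Reset Password" control access right on user objects under the OU.
#    /I:S applies the ACE to child objects only; CA;<right>;<object class>.
dsacls $staffOU /I:S /G "$($domain.NetBIOSName)\$($groupName):CA;Reset Password;user"

# 3. Move the user out of the built-in protected group and into the custom one.
Remove-ADGroupMember -Identity 'Backup Operators' -Members $sam -Confirm:$false
Add-ADGroupMember    -Identity $groupName         -Members $sam

# 4. Leaving the group does not undo SDProp: adminCount stays 1 and inheritance
#    stays blocked, so the account never picks up the ACEs inherited from its OU.
#    Clean up only once the account is out of every protected group.
$user = Get-ADUser -Identity $sam -Properties adminCount
$stillProtected = foreach ($g in 'Account Operators','Administrators','Backup Operators',
        'Domain Admins','Enterprise Admins','Print Operators','Schema Admins','Server Operators') {
    $grp = Get-ADGroup -Identity $g -ErrorAction SilentlyContinue
    if ($grp -and (Get-ADGroupMember -Identity $grp -Recursive |
            Where-Object { $_.distinguishedName -eq $user.DistinguishedName })) { $g }
}
if ($stillProtected) {
    Write-Warning "$sam is still in protected group(s): $($stillProtected -join ', '); SDProp will keep stamping it."
} else {
    Set-ADUser -Identity $sam -Clear adminCount
    $acl = Get-Acl -Path "AD:\$($user.DistinguishedName)"
    $acl.SetAccessRuleProtection($false, $true)    # re-enable inheritance from the OU
    Set-Acl -Path "AD:\$($user.DistinguishedName)" -AclObject $acl
}
```

Step 4 is the part people forget: without clearing adminCount and re-enabling inheritance, the account looks like it has left the protected set but still carries the AdminSDHolder ACL, and any delegation on its OU still doesn't apply to it.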