How to customize the task list in the Delegation Wizard (308404)



The information in this article applies to:

  • Microsoft Windows 2000 Server

This article was previously published under Q308404

SUMMARY

This article describes how to customize the Delegation Wizard by editing the Delegwiz.inf file.

MORE INFORMATION

The Delegation Wizard allows administrators to delegate control of objects or containers to other users. This wizard is available on Windows 2000 domain controllers and servers.

The Delegation Wizard is used to set the required Active Directory access permissions on objects to give users various levels of control. The Delegation Wizard simplifies the process of granting object access to a user or group by allowing the administrator to select from a previously defined set of tasks that can be delegated. The list of tasks that can be delegated through the Delegation Wizard is maintained in a file called Delegwiz.inf, which is created in the <Windows installation directory>\Inf folder. Administrators can modify this file to add or delete items from the list of delegatable tasks.

Adding a task

To add a task to the Delegation Wizard, you must create a task template by using the following syntax in the Delegwiz.inf file:

;--------------------------------------------------------- 
[template1]
AppliesToClasses=<comma delimited list of object types to which this
template applies; for example, if "organizationalUnit" is in the list,
this template will be shown when the Delegation Wizard is invoked on
an OU>

Description = "<task description which will appear in the wizard>"

ObjectTypes = <comma delimited list of object types whose permissions
will be adjusted; for example, "ObjectTypes = SCOPE,Obj1,Obj2,Obj3">

[template1.SCOPE]
<Permission entries for Scope>

[template1.Obj1]
<Permission entries for Obj1>

[template1.Obj2]
<permission entries for Obj2>

[template1.Obj3]
<permission entries for Obj3>
;---------------------------------------------------------

The permission entries for the "SCOPE" object type are used to control the security on the container itself.

Each list of permission entries must contain one or more of the following permission specifiers:

RP - Read permissions
WP - Write Permissions
CC - Create Child
DC - Delete Child
GA - Generic All (Full Control)

Permissions can be specified using one of the following four syntaxes:
  • @= <permission specifiers>
    Sets a standard ACE on the object. This means all properties of the object will have the permissions set here.
  • propertyName= <permission specifiers>
    Sets the specified permissions on the property with the specified LDAP display name. This syntax is used when different properties of an object need to have different permissions.
  • objectType= <permission specifiers>
    Sets the specified permissions on the object with the specified LDAP display name. This syntax is used when different objects within the container object need to have different permissions.
  • CONTROLRIGHT= <ctrl rights display name>
    Grants the specified Access Control Right to the user for the specified object type.

Sample templates

The two sample templates below demonstrate the above syntaxes. These templates came from the standard Delegwiz.inf file.

Template10 sample

The following template applies to domain, organizational unit (OU), and container objects, so it appears when the Delegation Wizard is run from the properties of a domain or OU object. It applies access changes to the container itself (SCOPE) and to inetorgperson objects. The changes it applies to the container are CC (create child) and DC (delete child) for inetorgperson objects. The changes it applies to inetorgperson objects within the specified container are GA (full control).

;---------------------------------------------------------
[template10]
AppliesToClasses=domainDns,organizationalUnit,container

Description = "Create, delete, and manage inetorgperson accounts"

ObjectTypes = SCOPE, inetorgperson

[template10.SCOPE]
inetorgperson=CC,DC

[template10.inetorgperson]
@=GA
;---------------------------------------------------------

Template11 sample

The following template applies to domains and OUs and is displayed when the Delegation Wizard is started from the property menu of those objects. It instructs the Delegation Wizard to grant the specified user the "Reset Password" control right, plus RP (read permissions) and WP (write permissions) on the pwdLastSet property of inetorgperson objects within the specified container.

;---------------------------------------------------------
[template11]
AppliesToClasses=domainDns,organizationalUnit,container

Description = "Reset inetorgperson passwords and force password change at next logon"

ObjectTypes = inetorgperson

[template11.inetorgperson]
CONTROLRIGHT= "Reset Password"
pwdLastSet=RP,WP
;----------------------------------------------------------
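
As an added example (not from this article and not part of Windows), the following Python parser reads a Delegwiz.inf task list written in the syntax described above and lists every entry that grants GA (Full Control), which is the check to run before deploying a customized file to domain controllers. The sample INF it parses is constructed from the article's two templates; the ValueError on an unrecognized specifier is this example's own behaviour, not the wizard's.

```python
SPECIFIERS = {"RP", "WP", "CC", "DC", "GA"}   # the five permission specifiers the article lists

# Constructed sample: the article's two templates as they sit in a Delegwiz.inf file.
SAMPLE_INF = """\
[template10]
AppliesToClasses=domainDns,organizationalUnit,container
Description = "Create, delete, and manage inetorgperson accounts"
ObjectTypes = SCOPE, inetorgperson
[template10.SCOPE]
inetorgperson=CC,DC
[template10.inetorgperson]
@=GA
;---------------------------------------------------------
[template11]
AppliesToClasses=domainDns,organizationalUnit,container
Description = "Reset inetorgperson passwords and force password change at next logon"
ObjectTypes = inetorgperson
[template11.inetorgperson]
CONTROLRIGHT= "Reset Password"
pwdLastSet=RP,WP
"""

def parse_delegwiz(text):
    """Return {template: {AppliesToClasses, Description, ObjectTypes, entries}}."""
    templates, name, obj = {}, None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):             # blank line or ; comment
            continue
        if line.startswith("[") and line.endswith("]"):  # [templateN] or [templateN.Obj]
            name, _, obj = line[1:-1].partition(".")
            templates.setdefault(name, {"entries": {}})
            continue
        key, _, value = (s.strip() for s in line.partition("="))
        t = templates[name]
        if not obj:                                      # AppliesToClasses, Description, ObjectTypes
            t[key] = value.strip('"') if key == "Description" else [v.strip() for v in value.split(",")]
        elif key == "CONTROLRIGHT":                      # extended right, by display name
            t["entries"].setdefault(obj, []).append((key, [value.strip('"')]))
        else:                                            # @=, propertyName= or objectType= entry
            rights = [p.strip().upper() for p in value.split(",")]
            if not set(rights) <= SPECIFIERS:
                raise ValueError(f"{name}.{obj}: unknown specifier in {key}={value}")
            t["entries"].setdefault(obj, []).append((key, rights))
    return templates

def full_control_grants(templates):
    """List every (template, object type, target) entry that grants GA (Full Control)."""
    return [(name, obj, target) for name, t in templates.items()
            for obj, entries in t["entries"].items() for target, rights in entries if "GA" in rights]
```

Running full_control_grants(parse_delegwiz(SAMPLE_INF)) reports only template10's @=GA entry on inetorgperson objects; point the parser at the real <Windows installation directory>\Inf\Delegwiz.inf to review a customized task list the same way.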


Modification Type: Minor
Last Reviewed: 6/25/2005
Keywords: kbhowto kbSecurity KB308404 kbAudDeveloper