Microsoft KB Archive/229873

= Delegate Control Wizard Cannot Be Used to Remove Groups or Users =

Article ID: 229873

Article Last Modified on 2/23/2007

-

APPLIES TO


 * Microsoft Windows 2000 Server
 * Microsoft Windows 2000 Advanced Server
 * Microsoft Windows 2000 Datacenter Server

-



This article was previously published under Q229873



SUMMARY
In Windows 2000, users or groups can be granted administrative privileges over containers and the objects within those containers. Although this can be performed by modifying the permissions on the container, Windows 2000 includes the Delegate Control Wizard to automate the task. Note, however, that although the Delegate Control Wizard can be used to grant users and groups administrative privileges over containers and the objects within them, it cannot be used to remove those privileges. Removal must be accomplished manually.



MORE INFORMATION
To delegate control on a container:  Start the Active Directory Users and Computers snap-in. Right-click a domain or organizational unit, and then click Delegate Control. Finish the wizard by selecting the users or groups and granting the appropriate permissions. The following permissions are predefined and can be granted singly or in any combination:

 Create, delete, and manage user accounts Reset password on a user account Read all user information Modify the membership of a group</li> Manage published printer queues</li></ul>

Or, custom permissions can be used to delegate more specific control.</li></ol>

When you are adding users or groups, you cannot use the Delete button to remove a user or group from the delegated permissions once the wizard has been run. This button can only be used to correct mistakes during the delegation process.

If a user or group must be removed from the delegated permissions:
 * 1) Start the Active Directory Users and Computers snap-in.
 * 2) On the View menu, click Advanced. This enables the Security tab.
 * 3) Right-click the container from which the permissions will be removed, and then click Properties.
 * 4) Click the Security tab.
 * 5) Remove the appropriate users or groups.

NOTE: Rather than removing users and groups, these same steps can be used to modify the delegated permissions. By default, all child objects in the container inherit the permissions set on the container.

Keywords: kbenv kbinfo KB229873

-

[mailto:TECHNET@MICROSOFT.COM Send feedback to Microsoft]

© Microsoft Corporation. All rights reserved.