Microsoft KB Archive/308404

= How to customize the task list in the Delegation Wizard =

Article ID: 308404

Article Last Modified on 6/25/2005


APPLIES TO


 * Microsoft Windows 2000 Server




This article was previously published under Q308404





SUMMARY
This article describes how to customize the Delegation Wizard by editing the Delegwiz.inf file.



MORE INFORMATION
The Delegation Wizard allows administrators to delegate control of objects or containers to other users. This wizard is available on Windows 2000 domain controllers and servers.

The Delegation Wizard is used to set the required Active Directory access permissions on objects to give users various levels of control. The Delegation Wizard simplifies the process of granting object access to a user or group by allowing the administrator to select from a previously defined set of tasks that can be delegated. The list of tasks that can be delegated through the Delegation Wizard is maintained in a file called Delegwiz.inf, which is created in the \Inf folder. Administrators can modify this file to add or delete items from the list of delegatable tasks.

Adding a task
To add a task to the Delegation Wizard, you must create a task template by using the following syntax in the Delegwiz.inf file:

<pre class="fixed_text">;-
[template1]
AppliesToClasses=

Description = ""

ObjectTypes = 

[template1.SCOPE]

[template1.Obj1]

[template1.Obj2]

[template1.Obj3]
</pre>

The permission entries for the "SCOPE" object type are used to control the security on the container itself.

Each list of permission entries must contain one or more of the following permission specifiers:

RP - Read permissions

WP - Write Permissions

CC - Create Child

DC - Delete Child

GA - Generic All (Full Control)

Permissions can be specified using one of the following four syntaxes:

 * @= - Sets a standard ACE on the object. This means all properties of the object will have the permissions set here.
 * propertyName= - Sets the specified permissions on the property with the specified LDAP display name. This syntax is used when different properties of an object need to have different permissions.
 * objectType= - Sets the specified permissions on the object with the specified LDAP display name. This syntax is used when different objects within the container object need to have different permissions.
 * CONTROLRIGHT= - Grants the specified Access Control Right to the user for the specified object type.

Sample templates
The two sample templates below demonstrate the above syntaxes. These templates came from the standard Delegwiz.inf file.

Template10 sample
The following template applies to domain, organizational unit (OU), and container objects, so it will appear when the Delegation Wizard is run from the properties of Domain or OU objects. It applies access changes to the container itself (SCOPE) and to inetorgperson objects. On the container itself, it grants CC (create child) and DC (delete child) access for inetorgperson objects. On inetorgperson objects within the specified container, it grants GA (full control).

<pre class="fixed_text">;-
[template10]
AppliesToClasses=domainDns,organizationalUnit,container

Description = "Create, delete, and manage inetorgperson accounts"

ObjectTypes = SCOPE, inetorgperson

[template10.SCOPE]
inetorgperson=CC,DC

[template10.inetorgperson]
@=GA
</pre>

Template11 sample
The following template applies to domains and OUs and is displayed when the Delegation Wizard is started from the property menu of those objects. It instructs the Delegation Wizard to grant the specified user the "Reset Password" control right, together with RP (read permissions) and WP (write permissions) on the pwdLastSet property, for inetorgperson objects within the specified container.

<pre class="fixed_text">;-
[template11]
AppliesToClasses=domainDns,organizationalUnit,container

Description = "Reset inetorgperson passwords and force password change at next logon"

ObjectTypes = inetorgperson

[template11.inetorgperson]
CONTROLRIGHT= "Reset Password"
pwdLastSet=RP,WP
</pre>
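Because each template in Delegwiz.inf determines which ACEs the wizard writes, an edited file is worth reviewing before it is used. The following Python sketch is an added example, not part of the original article or of any Microsoft tool: it parses the template syntax described above, lists every grant, and flags GA entries, unknown permission specifiers, and object types that have no permission section. The function names and the sample input are constructed for illustration.

```python
VALID = {"RP", "WP", "CC", "DC", "GA"}  # specifiers listed in the article
SAMPLE = """;- Constructed input: the article's template10 and an abridged template11
[template10]
AppliesToClasses=domainDns,organizationalUnit,container
Description = "Create, delete, and manage inetorgperson accounts"
ObjectTypes = SCOPE, inetorgperson
[template10.SCOPE]
inetorgperson=CC,DC
[template10.inetorgperson]
@=GA
[template11]
ObjectTypes = inetorgperson
[template11.inetorgperson]
CONTROLRIGHT= "Reset Password"
pwdLastSet=RP,WP
"""

def parse_inf(text):
    """Return {section: [(key, value), ...]}; lines starting with ';' are comments."""
    sections, cur = {}, None
    for line in map(str.strip, text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            cur = sections.setdefault(line[1:-1], [])
        elif cur is not None and "=" in line and not line.startswith(";"):
            key, val = line.split("=", 1)
            cur.append((key.strip(), val.strip().strip('"')))
    return sections

def audit(text):
    """Return (grants, findings): every entry a template sets, plus items to review."""
    sections, grants, findings = parse_inf(text), [], []
    for name, entries in sections.items():
        if "." in name:
            continue  # permission sub-section; reached through its template
        types = dict(entries).get("ObjectTypes", "").split(",")
        for obj in filter(None, map(str.strip, types)):
            sub = sections.get(f"{name}.{obj}")
            if sub is None:
                findings.append(f"{name}: missing [{name}.{obj}]")
                continue
            for target, val in sub:
                grants.append((name, obj, target, val))
                perms = set() if target == "CONTROLRIGHT" else {p.strip() for p in val.split(",")}
                if perms - VALID:
                    findings.append(f"{name}.{obj}: unknown specifier in {target}={val}")
                if "GA" in perms:
                    findings.append(f"{name}.{obj}: {target}=GA grants Full Control")
    return grants, findings
```

Calling `audit(SAMPLE)` returns the four grants from the two templates and a single finding for the `@=GA` entry in template10.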

Keywords: kbhowto kbsecurity KB308404


© Microsoft Corporation. All rights reserved.