Delegating administrative tasks

If you have created at least one zone, you can give other users and groups permission to perform specific types of administrative tasks within that zone. For example, assume you have created a new zone called Finance and you want to give the users who access computers in this zone the permissions required to perform certain kinds of tasks based on their role. You can accomplish this goal by selecting a group or users, then assigning that group or user one or more tasks. For example, in the Finance zone, you might want to delegate administrative tasks like this:

  • The members of the Active Directory group FinanceITStaff are allowed to perform all administrative tasks in the Finance zone.
  • The members of the Active Directory group FinanceManagers are allowed to add, modify, and remove user and group profiles in the Finance zone.
  • The members of the Active Directory group FinanceUsers are allowed to join computers to the Finance zone, but perform no other tasks.
  • The Active Directory users jason.ellison and noah.stone are granted permission to manage role assignments in the Finance zone.

In most cases, each zone should have at least one Active Directory group that can be delegated to perform all administrative tasks, so that members of that group can manage their own zone. You are not required to create or use a zone administrator group for every zone. However, assigning the management of each zone to a specific user or group creates a natural separation of duties for administrative tasks.

If you delegate control for individual tasks—for example, by assigning only the join computers task to one group and only the add and remove users tasks to another—you should ensure the members of each group know the tasks they are assigned.

You can delegate administrative tasks for parent zones, for child zones, and for individual computers. Because computer-level overrides are essentially single computer zones, you can assign administrative tasks to users and groups at the computer level.

What to do before delegating administrative tasks

Before you delegate administrative tasks for a zone, you must have created at least one zone. For each zone you create, you should also identify at least one user or group that can be delegated to perform all administrative tasks. For example, if you have a Finance zone, you might want to create a Finance Admins group in Active Directory, then delegate All tasks to that group so that members of that group can manage their own zone.

There are no other prerequisites for performing this task.

Rights required for this task

Only the user who creates a zone has full control over the zone and can delegate administrative tasks to other users and groups.

For information about the permissions set when you select different administrative tasks in the Zone Delegation Wizard, see the Planning and Deployment Guide.

Who should perform this task

The domain administrator who creates the zone is responsible for delegating administrative tasks to other users or groups, if necessary. Only the account used to create a zone has full control over the zone’s properties and permission to delegate administrative tasks to other users. The user who creates a zone is also the only user who can add NIS maps to the zone. The right to create NIS maps is exclusive to the creator of a zone because it requires permission to create containers in Active Directory. The zone creator can, however, grant other users permission to add, remove, or modify NIS map entries.

How often you should perform this task

In most organizations, you delegate administrative tasks any time you create a new zone. You also might change the delegation to change the either tasks assigned or the users and groups that have been assigned specific tasks periodically to address changes to your organization. For example, if an existing zone administrator takes over new responsibilities or leaves the organization, you might need to delegate additional tasks or select a different user or group to perform administrative tasks.

Steps for completing this task

The following instructions illustrate how to delegate zone administration tasks to a user, group, or computer using Access Manager. Examples of scripts that use the Access Module for Windows PowerShell, ADEdit, or the Centrify Windows API are available in other guides, the Centrify Software Developer’s Kit, or in community forums on the Centrify website.

To delegate administrative tasks to specific users and groups in a zone:

  1. Open Access Manager.
  2. Expand Zones and the individual parent or child zones required to select the zone name for which you want to delegate administrative tasks.
  3. Right-click, then click Delegate Zone Control.
  4. Click Add to find the users, groups, or computer accounts to which you want to delegate specific tasks.
  5. Select the type of account—User, Group, or Computer—to search for, type all or part of the account name, then click Find Now.
  6. Select one or more accounts from the list of results, then click OK.
  7. When you are finished adding users and groups to which you want to assign administrative tasks, click Next.
  8. Select the tasks you want to delegate to the user or group, then click Next.

    For example, if you want all of the members of the group you selected in the previous step to be able perform all administrative tasks for a zone, check the All task. To restrict the administrative tasks a user or group can perform, select only those specific tasks.

  9. Review your selections, then click Finish.

If you have delegate administrative tasks to one or more groups that have members logged on, you should notify the group members to log out and log back on before they attempt to perform the administrative tasks assigned to the group.