Delegating control of administrative tasks

If you are the creator of a parent or child zone, you can use the Access Manager console to give other users and groups permission to perform specific types of administrative tasks within each zone you create. For example, assume you have created a zone called Finance. Certain users or groups who access computers in that zone must be able to perform administrative tasks on their own without your help. You want to give them the permissions they require to accomplish specific tasks without turning over full control to anyone except your most trusted administrative staff. Using Access Manager and the Zone Delegation Wizard, you select the appropriate groups and users for the Finance zone and specify exactly what each can do. For example:

  • Members of the group Finance-ITStaff are allowed to perform All administrative tasks within the Finance zone. They can change zone properties, join and remove computers from the zone, define rights and roles, and assign roles to users and groups. Only your most trusted administrative staff are members of this group.
  • Members of the group FinanceManagers are allowed to join and remove computers from the zone and assign roles to users and groups.
  • Members of the group FinanceUsers are allowed to add users, add groups, and join computers to the zone, but perform no other tasks.
  • The users jason.ellison and noah.stone have permission to remove computers from the zone.

In most cases, each zone should have at least one Active Directory group that can be delegated to perform all administrative tasks, so that members of that group can manage their own zone. You are not required to create or use a zone administrator group for every zone. However, assigning the management of each zone to a specific user or group creates a natural separation of duties for administrative tasks.

If you delegate control for individual tasks—for example, by assigning only the join computers task to one group and only the add and remove users tasks to another—you should ensure the members of each group know the tasks they are assigned.

You can delegate administrative tasks for parent zones, for child zones, and for individual computers. Because computer-level overrides are essentially single computer zones, you can assign administrative tasks to users and groups at the computer level.

To delegate which users and groups have control over the objects in a zone:

  1. Open Access Manager.
  2. Expand Zones to display the list of zones, then expand the zone hierarchy until you see the specific zone you want to modify.
  3. Select the zone, right-click, then click Delegate Zone Control.
  4. Click Add to find the users, groups, or computer accounts to which you want to delegate specific tasks.
  5. Select the type of account—User, Group, or Computer—to search for, type all or part of the account name, then click Find Now.
  6. Select one or more accounts from the list of results, then click OK.
  7. Repeat Step 4 through Step 6 until you are finished adding users and groups to which you want to assign the same administrative tasks, then click Next.
  8. Select the tasks you want to delegate to the user or group, then click Next.

    For example, if you want all of the members of the group you selected in the previous steps to be able to perform all administrative tasks for a zone, select All.

  9. If you are delegating the task of joining computers to a zone, you can limit the scope of computers that can be joined to the zone by picking the Active Directory container to which access is granted.

    If you leave the scope blank, the scope is the domain root. Be aware that the postalAddress field is used for information about joining computers to a zone; if you look up the permissions for the people to whom you have delegated the task of joining computers to a zone, they will have permissions on the postalAddress field for the affected computers.

  10. Review your delegation settings, then click Finish to close the wizard.
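Because the join-computers delegation shows up as write access to the postalAddress attribute (Step 9), you can audit who actually holds that permission on the scope container. The following is an added PowerShell audit script, not part of Access Manager or this document; it assumes the RSAT ActiveDirectory module is available and uses a placeholder container name for the delegated scope.

```powershell
# Added audit script (not Access Manager code). Lists every principal whose ACE
# on the scope container grants WriteProperty on the postalAddress attribute,
# which is where the delegated "join computers" permission is recorded.
Import-Module ActiveDirectory

function Get-PostalAddressWriters {
    param(
        [Parameter(Mandatory)] [string] $ScopeDN   # container chosen in Step 9
    )

    # Resolve the schemaIDGUID of postalAddress from the schema instead of
    # hard-coding it, so the check works in any forest.
    $schemaNC = (Get-ADRootDSE).schemaNamingContext
    $attr = Get-ADObject -SearchBase $schemaNC `
        -LDAPFilter '(lDAPDisplayName=postalAddress)' -Properties schemaIDGUID
    $postalAddressGuid = [guid]$attr.schemaIDGUID

    $writeProperty = [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty

    (Get-Acl -Path "AD:\$ScopeDN").Access |
        Where-Object {
            $_.ObjectType -eq $postalAddressGuid -and
            $_.ActiveDirectoryRights.HasFlag($writeProperty)
        } |
        Select-Object IdentityReference, AccessControlType,
                      ActiveDirectoryRights, IsInherited, InheritedObjectType |
        Sort-Object IdentityReference
}

# Placeholder scope; replace with the container you picked in the wizard.
# Leaving the scope blank in the wizard means the domain root, so audit that
# DN instead when no container was chosen.
Get-PostalAddressWriters -ScopeDN 'OU=Finance Computers,DC=example,DC=com' |
    Format-Table -AutoSize
```

Compare the IdentityReference column against the users and groups you intended to delegate; any unexpected principal, or an Allow ACE that is not inherited from a deliberate delegation, is worth investigating.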