Granting permissions for administrative tasks
The easiest way to grant permissions to perform administrative tasks is to use the Zone Delegation Wizard. The Zone Delegation Wizard enables you to delegate specific administrative tasks to specific users and groups. For each task you delegate to a specific user or group, you are providing that user or group with a specific set of permissions for working with objects in Active Directory.
The user who creates a zone has full control on the zone’s serviceConnectionPoint. That user has exclusive permission to delegate administrative tasks to other users. The user who creates a zone is also the only user who can add NIS maps to the zone because creating NIS maps requires permission to create containers in Active Directory. The zone creator can, however, grant other users permission to add, remove, or modify NIS map entries.
The following table summarizes the permissions that can be assigned through your selections in the Zone Delegation Wizard. In addition to the permissions listed, however, the basic Read permission is required to perform any action. The Read permission is granted to Authenticated Users by default.
| Selecting this task | Grants these rights |
| --- | --- |
| All | Permissions to perform all of the actions listed in the Zone Delegation Wizard and described below. This option allows a designated user or group to perform all of the other actions. Only the user who creates a zone can grant this permission to other users and groups for the zone. |
| Change zone properties | |
| Add users | |
| Add groups | |
| Add local users | |
| Add local groups | |
| Join computers to the zone | Note: Joining the domain requires additional permissions on the Active Directory computer object, but the join command performs the necessary operations without requiring the additional permissions to be granted to the user or group you are designating as a trustee. |
| Remove zones | |
| Remove users | |
| Remove groups | |
| Remove local users | |
| Remove local groups | |
| Remove computers from the zone | |
| Modify user profiles | For RFC 2307-compliant zones, modifying the user's UNIX profile also requires the following rights on the serviceConnectionPoint object of the UNIX user object: The additional rights for RFC 2307-compliant zones are applied to the posixAccount object associated with the serviceConnectionPoint for the UNIX user object. |
| Modify group profiles | For RFC 2307-compliant zones, modifying the group's UNIX profile also requires the following rights applied to the posixGroup object associated with the serviceConnectionPoint object of the UNIX group object: |
| Modify local user profiles | |
| Modify local group profiles | |
| Modify computer profiles | |
| Allow computers to respond to NIS client requests | |
| Import users and groups to zone | For RFC 2307-compliant zones, importing users also requires the following rights on the serviceConnectionPoint object of the UNIX user object ZoneName/Users: For RFC 2307-compliant zones, importing groups also requires the following right on the serviceConnectionPoint object of the UNIX group object under ZoneName/Groups: |
| Manage roles and rights | List contents on the AzTask container and all child objects. |
| Manage role assignments | |
| Modify computer roles | |
| Add or remove NIS map entries | |
| Modify NIS map entries | |
| Remove NIS maps | |
Note: In some cases, the permissions granted through the Zone Delegation Wizard are a subset of the complete permissions required to perform some tasks. For information about the complete permissions required to perform a specific task, see the section that describes the permissions for performing that task. For example, for information about setting permissions for NIS maps, see Setting permissions for NIS maps.
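Because each wizard selection ends up as an access control entry on the zone's serviceConnectionPoint, the delegations in effect can be reviewed directly from the object's ACL. The following script is an added example, not part of this documentation or of the product; it assumes the ActiveDirectory PowerShell module (which provides the `AD:` drive) is available, and `$ZoneScpDN` is a placeholder for the distinguished name of the zone's serviceConnectionPoint.

```powershell
# Added example (not from the product documentation): list who holds delegated
# rights on a zone's serviceConnectionPoint and flag full-control trustees.
# Assumption: the ActiveDirectory module is installed; $ZoneScpDN is a placeholder DN.
Import-Module ActiveDirectory

$ZoneScpDN = 'CN=PLACEHOLDER-ZONE,OU=PLACEHOLDER,DC=example,DC=com'   # placeholder, replace

$acl = Get-Acl -Path ("AD:\" + $ZoneScpDN)

# The owner is normally the user who created the zone and therefore has full control.
"Owner of the zone serviceConnectionPoint: {0}" -f $acl.Owner

$GenericAll = [System.DirectoryServices.ActiveDirectoryRights]::GenericAll

$report = foreach ($ace in $acl.Access) {
    [pscustomobject]@{
        Trustee     = $ace.IdentityReference.Value
        Type        = $ace.AccessControlType          # Allow / Deny
        Rights      = $ace.ActiveDirectoryRights
        ObjectType  = $ace.ObjectType                 # all-zero GUID = applies to the whole object
        Inherited   = $ace.IsInherited
        FullControl = (($ace.ActiveDirectoryRights -band $GenericAll) -eq $GenericAll)
    }
}

# Baseline from the documentation: Authenticated Users hold the basic Read permission.
"`n--- Read baseline (Authenticated Users) ---"
$report | Where-Object { $_.Trustee -like '*Authenticated Users*' } |
    Format-Table Trustee, Type, Rights, Inherited -AutoSize

# Anyone other than the owner with full control effectively holds the "All" delegation.
"`n--- Full control held by someone other than the zone creator ---"
$report | Where-Object { $_.FullControl -and $_.Type -eq 'Allow' -and $_.Trustee -ne $acl.Owner } |
    Format-Table Trustee, Rights, Inherited -AutoSize

# Remaining entries are the delegated subsets granted through the wizard (or by hand).
"`n--- All delegated entries ---"
$report | Sort-Object Trustee | Format-Table Trustee, Type, Rights, ObjectType, Inherited -AutoSize
```

Rights that the table says are applied to child objects (for example the posixAccount or posixGroup objects in RFC 2307-compliant zones, or the AzTask container) live on those objects' own ACLs, so repeat the `Get-Acl` call against each of them rather than relying on the serviceConnectionPoint alone.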