Granting permissions for administrative tasks

The easiest way to grant permissions to perform administrative tasks is to use the Zone Delegation Wizard. The Zone Delegation Wizard enables you to delegate specific administrative tasks to specific users and groups. For each task you delegate to a specific user or group, you are providing that user or group with a specific set of permissions for working with objects in Active Directory.

The user who creates a zone has full control on the zone’s serviceConnectionPoint. That user has exclusive permission to delegate administrative tasks to other users. The user who creates a zone is also the only user who can add NIS maps to the zone because creating NIS maps requires permission to create containers in Active Directory. The zone creator can, however, grant other users permission to add, remove, or modify NIS map entries.

The following table summarizes the permissions that can be assigned through your selections in the Zone Delegation Wizard. In addition to the permissions listed, however, the basic Read permission is required to perform any action. The Read permission is granted to Authenticated Users by default.

Selecting this task | Grants these rights

All

Permissions to perform all of the actions listed in the Zone Delegation Wizard and described below.

This option allows a designated user or group to perform all of the other actions. Only the user who creates a zone can grant this permission to other users and groups for the zone.

Change zone properties

  • List contents on the ZoneName object container.
  • Read all properties on the ZoneName object container.
  • Write name on the ZoneName object container.
  • Write Name on the ZoneName object container.
  • Write Description property on the ZoneName object container.

Add users

  • List contents on the ZoneName/Users object container.
  • Read all properties on the ZoneName/Users object container.
  • Create serviceConnectionPoint objects on the ZoneName/Users object container.

Add groups

  • List contents on the ZoneName/Groups object container.
  • Read all properties on the ZoneName/Groups object container.
  • Create serviceConnectionPoint objects on the ZoneName/Groups object container.

Add local users

  • List contents on the ZoneName/Local Users object container.
  • Read all properties on the ZoneName/Local Users object container.
  • Add local users to the zone.

Add local groups

  • List contents on the ZoneName/Local Groups object container.
  • Read all properties on the ZoneName/Local Groups object container.
  • Add local groups to the zone.

Join computers to the zone

  • List contents on the ZoneName/Computers object container.
  • Read all properties on the ZoneName/Computers object container.
  • Create serviceConnectionPoint objects on the ZoneName/Computers object container.

Note: Joining the domain requires additional permissions on the Active Directory computer object, but the join command performs the necessary operations without requiring the additional permissions to be granted to the user or group you are designating as a trustee.

Remove zones

  • List contents on the ZoneName object container.
  • Read all properties on the ZoneName object container.
  • Allow Delete on the ZoneName object container.
  • Allow Delete Subtree on the ZoneName object container.

Remove users

  • List contents on the ZoneName/Users object container.
  • Read all properties on the ZoneName/Users object container.
  • Delete serviceConnectionPoint objects on the ZoneName/Users object container.

Remove groups

  • List contents on the ZoneName/Groups object container.
  • Read all properties on the ZoneName/Groups object container.
  • Delete serviceConnectionPoint objects on the ZoneName/Groups object container.

Remove local users

  • List contents on the ZoneName/Local Users object container.
  • Read all properties on the ZoneName/Local Users object container.
  • Remove local users from the zone.

Remove local groups

  • List contents on the ZoneName/Local Groups object container.
  • Read all properties on the ZoneName/Local Groups object container.
  • Remove local groups from the zone.

Remove computers from the zone

  • List contents on the ZoneName/Computers object container.
  • Read all properties on the ZoneName/Computers object container.
  • Delete serviceConnectionPoint objects on the ZoneName/Computers object container.

Modify user profiles

  • List contents on the ZoneName/Users object container.
  • Read all properties on the ZoneName/Users object container.
  • Write cn on the serviceConnectionPoint object.
  • Write name on the serviceConnectionPoint object.
  • Write Name on the serviceConnectionPoint object.
  • Write keywords on the serviceConnectionPoint object.

For RFC 2307-compliant zones, modifying the user’s UNIX profile also requires the following rights on the serviceConnectionPoint object of the UNIX user object:

  • Write uid.
  • Write uidNumber.
  • Write loginShell.
  • Write gidNumber.
  • Write gecos.
  • Write unixHomeDirectory.

The additional rights for RFC 2307-compliant zones are applied to the posixAccount object associated with the serviceConnectionPoint for the UNIX user object.

Modify group profiles

  • List contents on the ZoneName/Groups object container.
  • Read all properties on the object containers.
  • Write name on the serviceConnectionPoint object.
  • Write Name on the serviceConnectionPoint object.
  • Write keywords on the serviceConnectionPoint object.

For RFC 2307-compliant zones, modifying the group’s UNIX profile also requires the following rights applied to the posixGroup object associated with the serviceConnectionPoint object of the UNIX group object:

  • Write gidNumber.

Modify local user profiles

  • List contents on the ZoneName/Local Users object container.
  • Read all properties on the ZoneName/Local Users object container.
  • Modify local users in the zone.
  • Parameters that can be modified are:
      • User name (the UNIX login name).
      • The user identifier (UID).
      • The user’s primary group profile numeric identifier (GID).
      • The default home directory for the user.
      • The default login shell for the user.
      • General information about the user account (GECOS).
      • State.

Modify local group profiles

  • List contents on the ZoneName/Local Groups object container.
  • Read all properties on the object containers.
  • Modify local groups in the zone.
  • Parameters that can be modified are:
      • Group name.
      • Group members.
      • Group identifier (GID).
      • State.

Modify computer profiles

  • List contents on the ZoneName/Computers container object.
  • Read all properties on the ZoneName/Computers container object.
  • Write description on the ZoneName/Computers container object if the zone is a hierarchical zone.
  • Write keywords on the serviceConnectionPoint object.
  • Write displayName on the serviceConnectionPoint object.
  • Write cn on the serviceConnectionPoint object.
  • Write name on the serviceConnectionPoint object.

Allow computers to respond to NIS client requests

  • List contents on the ZoneName/Computers/zone_nis_servers group object.
  • Read all properties on the ZoneName/Computers/zone_nis_servers group object.
  • Write member property of group object on the ZoneName/Computers/zone_nis_servers group object.

Import users and groups to zone

  • List contents on the ZoneName/Users and ZoneName/Groups container objects.
  • Read all properties on the ZoneName/Groups container object.
  • Create serviceConnectionPoint on the ZoneName/Users and ZoneName/Groups container objects.
  • Write cn on the serviceConnectionPoint object.
  • Write name on the serviceConnectionPoint object.
  • Write managedby on the serviceConnectionPoint object.
  • Write displayName on the serviceConnectionPoint object.
  • Write keywords on the serviceConnectionPoint object.

For RFC 2307-compliant zones, importing users also requires the following rights on the serviceConnectionPoint object of the UNIX user object ZoneName/Users:

  • Write uid.
  • Write uidNumber.
  • Write loginShell.
  • Write gidNumber.
  • Write unixHomeDirectory.
  • Write gecos.

For RFC 2307-compliant zones, importing groups also requires the following right on the serviceConnectionPoint object of the UNIX group object under ZoneName/Groups:

  • Write gidNumber.

Manage roles and rights

  • List contents on the AzTask container and all child objects.
  • Read all properties on the AzTask container and all child objects.
  • Create msDS-AzTask objects.
  • Delete msDS-AzTask objects.
  • Write msDS-AzApplicationData on the msDS-AzTask object.
  • Write cn on the msDS-AzTask object.
  • Write name on the msDS-AzTask object.
  • Write description on the msDS-AzTask object.
  • Write msDS-OperationsForAzTask on the msDS-AzTask object.
  • List contents on the AzOperation container and all child objects.
  • Read all properties on the AzOperation container and all child objects.
  • Create msDS-AzOperation objects.
  • Delete msDS-AzOperation objects.
  • Write msDS-AzApplicationData on the msDS-AzOperation object.
  • Write cn on the msDS-AzOperation object.
  • Write name on the msDS-AzOperation object.
  • Write description on the msDS-AzOperation object.
  • List contents on the msDS-AzAdminManager object.
  • Read all properties on the msDS-AzAdminManager object.
  • Write msDS-AzApplicationData on the msDS-AzAdminManager object.

Manage role assignments

  • List contents on the msDS-AzAdminManager object and all child objects.
  • Read all properties on the msDS-AzAdminManager object and all child objects.
  • Create msDS-AzRole objects.
  • Delete msDS-AzRole objects.
  • Write msDS-AzApplicationData on the msDS-AzRole object.
  • Write msDS-TasksForAzRole on the msDS-AzRole object.
  • Write msDS-MembersForAzRole on the msDS-AzRole object.
  • Write displayName on the msDS-AzRole object.
  • Write msDS-AzApplicationData on the msDS-AzAdminManager object.

Modify computer roles

  • List contents on the ZoneName object and all child objects.
  • Read all properties on the ZoneName object and all child objects.
  • Write msDS-AzApplicationData.
  • Write msDS-AzScopeName.
  • Write description.

Add or remove NIS map entries

  • List contents on the ZoneName/NISMaps object container.
  • Read all properties on the ZoneName/NISMaps object container.
  • Create classStore Objects on the ZoneName/NISMaps object container.
  • Write name on the ZoneName/NISMaps object container.
  • Write Name on the ZoneName/NISMaps object container.

Modify NIS map entries

  • List contents on the ZoneName/NISMaps object container.
  • Read all properties on the ZoneName/NISMaps object container.
  • Write adminDescription on the classStore object.
  • Write Description on the classStore object.
  • Write wWWHomePage on the classStore object.

Remove NIS maps

  • List contents on the ZoneName/NISMaps object container.
  • Read all properties on the ZoneName/NISMaps object container.
  • Allow Delete on the MapName object.
  • Allow Delete Subtree on the MapName object.

Note: In some cases, the permissions granted through the Zone Delegation Wizard are a subset of the complete permissions required to perform some tasks. For information about the complete permissions required to perform a specific task, see the section that describes the permissions for performing that task. For example, for information about setting permissions for NIS maps, see Setting permissions for NIS maps.
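Because every task in the table above is ultimately a set of ACEs on the zone's containers and serviceConnectionPoint objects, you can verify what has actually been delegated by reading the DACL directly rather than re-running the wizard. The following PowerShell is an added audit example, not Centrify's own code; it assumes the ActiveDirectory module is installed, that you have Read access to the container, and that the distinguished name shown is a placeholder for your own zone container.

```powershell
# Added audit example; not Centrify's own code. Reads the DACL of one zone
# container and maps each Allow ACE back to the wizard task it corresponds to.
# Assumes the ActiveDirectory module and Read access to the container.
Import-Module ActiveDirectory
# Object-specific Create/Delete child ACEs identify the class by schemaIDGUID,
# so resolve the GUID of serviceConnectionPoint from the schema partition.
function Get-SchemaClassGuid {
    param([Parameter(Mandatory)][string]$LdapDisplayName)
    $schemaNC = (Get-ADRootDSE).schemaNamingContext
    $cls = Get-ADObject -SearchBase $schemaNC -LDAPFilter "(lDAPDisplayName=$LdapDisplayName)" -Properties schemaIDGUID
    return [guid]$cls.schemaIDGUID
}
function Get-ZoneContainerDelegation {
    # $ContainerDN is the DN of a ZoneName, ZoneName/Users, /Groups or /Computers container
    param([Parameter(Mandatory)][string]$ContainerDN)
    $R = [System.DirectoryServices.ActiveDirectoryRights]
    $scpGuid = Get-SchemaClassGuid 'serviceConnectionPoint'
    $acl = Get-Acl -Path ("AD:\" + $ContainerDN)
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        $rights = $ace.ActiveDirectoryRights
        # An empty ObjectType means the ACE applies to every child class, SCPs included.
        $coversScp = ($ace.ObjectType -eq $scpGuid) -or ($ace.ObjectType -eq [guid]::Empty)
        $task = $null
        if ($rights.HasFlag($R::GenericAll)) {
            $task = 'All (full control; only the zone creator should grant this)'
        } elseif ($rights.HasFlag($R::DeleteTree) -or $rights.HasFlag($R::Delete)) {
            $task = 'Remove zones / Remove NIS maps (Delete, Delete Subtree)'
        } elseif ($rights.HasFlag($R::CreateChild) -and $coversScp) {
            $task = 'Add users, groups or computers (Create serviceConnectionPoint)'
        } elseif ($rights.HasFlag($R::DeleteChild) -and $coversScp) {
            $task = 'Remove users, groups or computers (Delete serviceConnectionPoint)'
        } elseif ($rights.HasFlag($R::WriteProperty)) {
            $task = 'Write property (Change zone properties / Modify profiles)'
        }
        if ($task) {
            [pscustomobject]@{
                Trustee   = $ace.IdentityReference.Value
                Task      = $task
                Inherited = $ace.IsInherited
                Rights    = $rights.ToString()
            }
        }
    }
}
# Placeholder DN; substitute the real zone container from your directory.
Get-ZoneContainerDelegation -ContainerDN 'CN=Users,CN=ZoneName,CN=Zones,DC=example,DC=com' | Sort-Object Trustee | Format-Table -AutoSize
```

Run it against each of the ZoneName, Users, Groups, Computers and NISMaps containers in turn; any trustee that shows up with Delete, Delete Subtree or full control that is not the zone creator or an intended delegate is worth a closer look, since those rights go beyond the per-task grants the wizard normally makes.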