Use the delegate_zone_right command to delegate an administrative right for the currently selected zone to a security principal (user or group). Zone rights allow a user or group to use and manage zone properties, including computer-specific zone properties and computer roles.

Zone type

Classic and hierarchical


delegate_zone_right right principal_upn




This command takes no options.


This command takes the following arguments:

right (string): Required. Specifies the right to delegate. Possible values:

  • add_computer_role: The right to add computer roles to the zone.
  • add_computer_zone: The right to add computer-specific zones.
  • add_group: The right to add groups to the zone.
  • add_nismap: The right to add NIS maps to the zone.
  • add_remove_nismap_entry: The right to add or remove NIS map entries.
  • add_user: The right to add users to the zone.
  • add_user_group_to_computer_zone: The right to add user and group overrides to the selected computer-specific zone.
  • change_user: The right to modify user profiles in the zone.
  • change_group: The right to modify group profiles in the zone.
  • change_computer: The right to modify computer profiles in the zone.
  • change_zone: The right to change zone properties.
  • delegate_permission_for_computer_zone: The right to delegate permissions to other users for computer-specific zones.

  • delete_computer: The right to remove computers from the zone.
  • delete_computer_role: The right to delete computer roles in the zone.
  • delete_computer_zone: The right to delete computer-specific zones.
  • delete_group: The right to remove groups from the zone.
  • delete_user: The right to remove users from the zone.
  • delete_user_group_from_computer_zone: The right to delete user and group overrides from the selected computer-specific zone.
  • delete_zone: The right to remove the zone.
  • enable_dz: The right to initialize authorization (privilege elevation service) data. This right is only applicable in classic zones.
  • import: The right to import users and groups into the zone.
  • join: The right to join computers to the zone.
  • manage_role_assignments: The right to modify the roles assigned in zones, computer-specific zones, and computer roles.
  • manage_roles_and_rights: The right to modify role definitions and access rights.
  • modify_computer_role: The right to modify computer role entries. This right is not applicable in classic zones.
  • modify_nismap_entry: The right to modify NIS map entries.
  • modify_user_group_in_computer_zone: The right to modify user and group overrides in the selected computer-specific zone.

  • nisservers: The right to allow computers to respond to NIS client requests.
  • remove_nismap: The right to remove NIS maps.



principal_upn: Required. Specifies the user principal name (UPN) of a user or group in Active Directory to delegate the specified right to.

Return value

This command returns no value if it runs successfully.


delegate_zone_right add_user

This example delegates the right to add users to the currently selected zone to the Active Directory user Adam Avery.

Related commands

Before you use this command, you must have a currently selected zone stored in memory. The following commands enable you to view and select a zone to work with:

  • create_zone creates a new zone in Active Directory.
  • get_zones returns a Tcl list of all zones within a specified domain.
  • select_zone retrieves a zone from Active Directory and stores it in memory.

After you have a zone stored in memory, you can use the following commands to work with that zone:

  • delegate_zone_right delegates a zone use right to a specified user or computer.
  • delete_zone deletes the selected zone from Active Directory and memory.
  • get_child_zones returns a Tcl list of child zones, computer roles, or computer zones.
  • get_zone_field reads a field value from the currently selected zone.
  • get_zone_nss_vars returns the NSS substitution variable for the selected zone.
  • save_zone saves the selected zone with its current settings to Active Directory.
  • set_zone_field sets a field value in the currently selected zone.
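
The following adedit script is an added example, not part of the original reference. It shows the select-then-delegate sequence described above, with every requested right vetted before any of them is delegated. The domain, zone DN, group UPN, the classic flag, the reviewFirst list and the vet_rights procedure are constructed for illustration, and bind is an adedit command that this page does not describe.

```tcl
# Constructed placeholders: replace with values from your own environment.
set domain  "example.com"
set zoneDN  "CN=helpdesk-zone,CN=Zones,DC=example,DC=com"
set upn     "helpdesk@example.com"
set classic 0   ;# set to 1 by the operator if the zone is a classic zone

# Rights requested for this principal.
set wanted {add_user change_user delete_user join}

# Right names exactly as listed in the argument description above.
set known {
    add_computer_role add_computer_zone add_group add_nismap
    add_remove_nismap_entry add_user add_user_group_to_computer_zone
    change_user change_group change_computer change_zone
    delegate_permission_for_computer_zone delete_computer
    delete_computer_role delete_computer_zone delete_group delete_user
    delete_user_group_from_computer_zone delete_zone enable_dz import join
    manage_role_assignments manage_roles_and_rights modify_computer_role
    modify_nismap_entry modify_user_group_in_computer_zone nisservers
    remove_nismap
}

# Assumption (local policy, not from the reference): rights that let the
# holder remove the zone or widen access need a separate manual review.
set reviewFirst {delete_zone manage_roles_and_rights manage_role_assignments
                 delegate_permission_for_computer_zone}

# Return a list of reasons to refuse; an empty list means the request is clean.
proc vet_rights {wanted known reviewFirst classic} {
    set problems {}
    foreach r $wanted {
        if {[lsearch -exact $known $r] < 0} {
            lappend problems "$r: not a documented right"
        } elseif {$r eq "enable_dz" && !$classic} {
            lappend problems "$r: only applicable in classic zones"
        } elseif {$r eq "modify_computer_role" && $classic} {
            lappend problems "$r: not applicable in classic zones"
        } elseif {[lsearch -exact $reviewFirst $r] >= 0} {
            lappend problems "$r: requires manual review before delegation"
        }
    }
    return $problems
}

set problems [vet_rights $wanted $known $reviewFirst $classic]
if {[llength $problems] > 0} {
    foreach p $problems { puts stderr "refused: $p" }
    exit 1   ;# nothing is delegated unless every requested right passes
}
bind $domain          ;# no user given: relies on existing Kerberos credentials
select_zone $zoneDN   ;# delegate_zone_right acts on the selected zone
foreach r $wanted { delegate_zone_right $r $upn; puts "delegated $r to $upn" }
```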