Delegate Control Wizard Cannot Be Used to Remove Groups or Users

ID: Q229873


The information in this article applies to:
  • Microsoft Windows 2000 Advanced Server
  • Microsoft Windows 2000 Datacenter Server
  • Microsoft Windows 2000 Server


SUMMARY

In Windows 2000, users or groups can be granted administrative privileges over containers and the objects within those containers. Although this can be performed by modifying the permissions on the container, Windows 2000 includes the Delegate Control Wizard to automate the task. Note, however, that although the Delegate Control Wizard can be used to grant users and groups administrative privileges over containers and the objects within them, it cannot be used to remove those privileges. Removal must be accomplished manually.


MORE INFORMATION

To delegate control on a container:

  1. Start the Active Directory Users and Computers snap-in.

  2. Right-click a domain or organizational unit, and then click Delegate Control.

  3. Finish the wizard by selecting the users or groups and granting the appropriate permissions. The following permissions are predefined and can be granted singly or in any combination:

    • Create, delete, and manage user accounts
    • Reset password on a user account
    • Read all user information
    • Modify the membership of a group
    • Manage published printer queues

    Or, custom permissions can be used to delegate more specific control.

The Delete button that is available while you are adding users or groups in the wizard cannot be used to remove a user or group from the delegated permissions after the wizard has been run. It can only be used to correct mistakes during the delegation process.

If a user or group must be removed from the delegated permissions:

  1. Start the Active Directory Users and Computers snap-in.

  2. On the View menu, click Advanced. This enables the Security tab.

  3. Right-click the container from which the permissions will be removed, and then click Properties.

  4. Click the Security tab.

  5. Remove the appropriate users or groups.

NOTE: Rather than removing users and groups, these same steps can be used to modify the delegated permissions. By default, all child objects in the container inherit the permissions set on the container.
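
The manual removal above edits the permission entries (ACEs) on the container, and because of inheritance an entry for the same user or group may also reach the container from a parent. As an added example (not part of the original article), this Python sketch reads a container's security descriptor in SDDL form and separates a trustee's explicit entries, which are removed on this container, from inherited ones, which must be removed where they were set. The SIDs, the sample SDDL string and all function names are constructed for illustration.

```python
import re

# Constructed sample: SDDL of an OU's security descriptor. SIDs are made up.
HELPDESK = "S-1-5-21-1111-2222-3333-1105"   # hypothetical delegated group
SAMPLE_SDDL = (
    "O:DAG:DAD:AI"
    f"(OA;CIIO;CR;00299570-246d-11d0-a768-00aa006e0529;bf967aba-0de6-11d0-a285-00aa003049e2;{HELPDESK})"
    f"(OA;CI;CCDC;bf967aba-0de6-11d0-a285-00aa003049e2;;{HELPDESK})"
    f"(A;CIID;RPWP;;;{HELPDESK})"   # ID flag: inherited from a parent container
    "(A;CI;GA;;;DA)"
)

def dacl_aces(sddl):
    """Return the ACE strings, parentheses included, of the D: (DACL) part."""
    m = re.search(r"D:[A-Z]*((?:\([^()]*\))+)", sddl)
    return re.findall(r"\([^()]*\)", m.group(1)) if m else []

def parse_ace(ace):
    """Split '(type;flags;rights;object;inherit_object;trustee)' into a dict."""
    f = ace.strip("()").split(";")
    flags = [f[1][i:i + 2] for i in range(0, len(f[1]), 2)]  # two-letter codes
    return {"type": f[0], "inherited": "ID" in flags, "rights": f[2],
            "object": f[3], "trustee": f[5], "raw": ace}

def delegated_aces(sddl, trustee):
    """Split a trustee's ACEs into (explicit, inherited) lists."""
    aces = [parse_ace(a) for a in dacl_aces(sddl)]
    mine = [a for a in aces if a["trustee"] == trustee]
    return ([a["raw"] for a in mine if not a["inherited"]],
            [a["raw"] for a in mine if a["inherited"]])

def without_trustee(sddl, trustee):
    """SDDL after removing the trustee's explicit ACEs from this container."""
    for raw in delegated_aces(sddl, trustee)[0]:
        sddl = sddl.replace(raw, "", 1)
    return sddl

if __name__ == "__main__":
    explicit, inherited = delegated_aces(SAMPLE_SDDL, HELPDESK)
    print("remove on this container:", *explicit, sep="\n  ")
    print("set on a parent, remove there:", *inherited, sep="\n  ")
    print("resulting SDDL:", without_trustee(SAMPLE_SDDL, HELPDESK))
```

Conditional ACEs, which contain nested parentheses, are outside what this sketch parses.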

Keywords : kbenv
Version : WINDOWS:2000
Platform : WINDOWS
Issue type : kbinfo


Last Reviewed: December 29, 1999
© 2000 Microsoft Corporation. All rights reserved.