Customizing the options of the Active Directory Delegation Wizard
The Active Directory Delegation Wizard lets you delegate administrative tasks within AD to individual administrators or administrator groups in a clear and simple way.
By default, the Delegation Wizard (Windows 2016) offers 13 standard permissions that can be delegated. This list can be extended considerably. To do so, edit the file delegwiz.inf in the folder %WinDir%\inf (up to Windows 2003 R2) or %WinDir%\system32 (from Windows 2008 onward).
To add a new permission to the selection list, enter it into the delegwiz.inf file using the following syntax:
;---------------------------------------------------------
[templateTemplateNumber]
AppliesToClasses=Classes
Description = Description
ObjectTypes = ObjectTypes
[templateTemplateNumber.ObjectTypes]
PermissionEntries
;---------------------------------------------------------
Where:
TemplateNumber is the sequential number of the new task template for the delegation. Since the first 13 numbers in delegwiz.inf are already taken, start at number 14 and increment the number for each additional task template.
Classes are the AD object classes to which the task template can be applied. Multiple classes are separated by commas. For example, a task template that can be applied at the domain level, to OUs and to containers has the value domainDNS,organizationalUnit,container.
Description is the description of the new task as it will subsequently be displayed in the Delegation Wizard.
ObjectTypes are the AD object types that are modified by the new task template.
PermissionEntries represents the permission that the task template grants on objects/containers.
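Before pointing the wizard at an edited delegwiz.inf, it is worth checking the file mechanically and looking at what each template actually grants rather than at its Description. The following Python script is an added example (not Microsoft's code and not part of the original page): it parses a constructed sample in the layout above, reports templates that are listed but not defined, missing required keys and object types without a permission section, and groups templates by the attribute right they grant, which shows that, for instance, "Disable a user account" and "Set Password Never Expires" both resolve to userAccountControl=WP on user objects and therefore confer the same effective right.

```python
# Added example (not Microsoft's code): parse delegwiz.inf task templates, flag
# structural defects and group templates by the ACE they grant. Sample is constructed.
from collections import defaultdict
# Constructed sample: stock template1 plus admin-added 14 and 15; template15 is
# deliberately broken (no Description, no [template15.computer]); 16 is listed only.
SAMPLE_INF = """\
[DelegationTemplates]
Templates = template1, template14, template15, template16
[template1]
AppliesToClasses=domainDNS,organizationalUnit,container
Description = "Create, delete, and manage user accounts"
ObjectTypes = SCOPE, user
[template1.SCOPE]
user=CC,DC
[template1.user]
@=GA
[template14]
AppliesToClasses=domainDNS,organizationalUnit
Description = "Disable a user account"
ObjectTypes = user
[template14.user]
userAccountControl=WP
[template15]
AppliesToClasses=domainDNS,organizationalUnit
ObjectTypes = user, computer
[template15.user]
userAccountControl=WP
"""

def csv(value):
    return [v.strip() for v in value.split(",") if v.strip()]

def parse_inf(text):
    """Map each [section] to its ordered (key, value) pairs; ';' lines are comments."""
    sections, current = {}, None
    for line in (raw.strip() for raw in text.splitlines()):
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            sections.setdefault(current, [])
        else:
            key, _, value = line.partition("=")
            sections[current].append((key.strip(), value.strip()))
    return sections

def validate(sections):
    """Return defects that make the wizard skip a template or grant less than intended."""
    problems = []
    for name in csv(dict(sections.get("DelegationTemplates", [])).get("Templates", "")):
        if name not in sections:
            problems.append(f"{name}: listed in Templates but no [{name}] section")
            continue
        fields = dict(sections[name])
        for key in ("AppliesToClasses", "Description", "ObjectTypes"):
            if not fields.get(key):
                problems.append(f"{name}: missing {key}")
        for otype in csv(fields.get("ObjectTypes", "")):
            if not sections.get(f"{name}.{otype}"):
                problems.append(f"{name}: no permission entries for object type {otype}")
    return problems

def grants(sections):
    """Group templates by (object type, attribute, rights); same key = same effective right."""
    by_entry = defaultdict(list)
    for name, entries in sections.items():
        tmpl, dot, otype = name.partition(".")
        if dot and tmpl.startswith("template"):
            for attr, rights in entries:
                by_entry[(otype, attr, rights)].append(tmpl)
    return dict(by_entry)
```

Run validate() on a real delegwiz.inf after every edit; a template with a missing permission section shows up in the wizard but grants nothing, which is the kind of silent failure that is hard to spot from the GUI alone.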
Microsoft provides a useful template with 70 tasks that can be added to the Delegation Wizard:
[Version]
signature="$CHICAGO$"
[DelegationTemplates]
Templates = template1, template2, template3, template4, template5, template6, template7, template8, template9, template10, template11, template12, template13, template14, template15, template16, template17, template18, template19, template20, template21, template22, template23, template24, template25, template26, template27, template28, template29, template30, template31, template32, template33, template34, template35, template36, template37, template38, template39, template40, template41, template42, template43, template44, template45, template46, template47, template48, template49, template50, template51, template52, template53, template54, template55, template56, template57, template58, template59, template60, template61, template62, template63, template64, template65, template66, template67, template68, template69, template70
;----------------------------------------------------------
[template1]
AppliesToClasses=domainDNS,organizationalUnit,container
Description = "Create, delete, and manage user accounts"
ObjectTypes = SCOPE, user
[template1.SCOPE]
user=CC,DC
[template1.user]
@=GA
;----------------------------------------------------------
[template2]
AppliesToClasses=domainDNS,organizationalUnit,container
Description = "Reset user passwords and force password change at next logon"
ObjectTypes = user
[template2.user]
CONTROLRIGHT= "Reset Password"
pwdLastSet=RP,WP
;----------------------------------------------------------
[template3]
AppliesToClasses=domainDNS,organizationalUnit,container
Description = "Read all user information"
ObjectTypes = user
[template3.user]
@=RP
;----------------------------------------------------------
[template4]
AppliesToClasses = organizationalUnit,container
Description = "Create, delete and manage groups"
ObjectTypes = SCOPE, group
[template4.SCOPE]
group=CC,DC
[template4.group]
@=GA
;----------------------------------------------------------
[template5]
AppliesToClasses=domainDNS,organizationalUnit,container
Description = "Modify the membership of a group"
ObjectTypes = group
[template5.group]
member=RP,WP
;----------------------------------------------------------
[template6]
AppliesToClasses = domainDNS
Description = "Join a computer to the domain"
ObjectTypes = SCOPE
[template6.SCOPE]
computer=CC
;----------------------------------------------------------
[template7]
AppliesToClasses = domainDNS,organizationalUnit,site
Description = "Manage Group Policy links"
ObjectTypes = SCOPE
[template7.SCOPE]
gPLink=RP,WP
gPOptions=RP,WP
;----------------------------------------------------------
[template8]
AppliesToClasses=domainDNS,organizationalUnit
Description = "Generate Resultant Set of Policy (Planning)"
ObjectTypes = SCOPE
[template8.SCOPE]
CONTROLRIGHT= "Generate Resultant Set of Policy (Planning)"
;----------------------------------------------------------
[template9]
AppliesToClasses=domainDNS,organizationalUnit
Description = "Generate Resultant Set of Policy (Logging)"
ObjectTypes = SCOPE
[template9.SCOPE]
CONTROLRIGHT= "Generate Resultant Set of Policy (Logging)"
;----------------------------------------------------------
[template10]
AppliesToClasses=domainDNS,organizationalUnit,container
Description = "Create, delete, and manage inetOrgPerson accounts"
ObjectTypes = SCOPE, inetOrgPerson
[template10.SCOPE]
inetOrgPerson=CC,DC
[template10.inetOrgPerson]
@=GA
;----------------------------------------------------------
[template11]
AppliesToClasses=domainDNS,organizationalUnit,container
Description = "Reset inetOrgPerson passwords and force password change at next logon"
ObjectTypes = inetOrgPerson
[template11.inetOrgPerson]
CONTROLRIGHT= "Reset Password"
pwdLastSet=RP,WP
;----------------------------------------------------------
[template12]
AppliesToClasses=domainDNS,organizationalUnit,container
Description = "Read all inetOrgPerson information"
ObjectTypes = inetOrgPerson
[template12.inetOrgPerson]
@=RP
;----------------------------------------------------------
[template13]
AppliesToClasses=container
Description = "Create, Delete, and Manage WMI Filters"
ObjectTypes = SCOPE, msWMI-Som
[template13.SCOPE]
msWMI-Som=CC,DC
[template13.msWMI-Som]
@=GA
;----------------------------------------------------------
[template14]
AppliesToClasses=domainDNS,organizationalUnit
Description = "Create an Organizational Unit"
ObjectTypes = SCOPE
[template14.SCOPE]
organizationalUnit=CC
;----------------------------------------------------------
[template15]
AppliesToClasses=domainDNS,organizationalUnit
Description = "Delete a child Organizational Unit"
ObjectTypes = SCOPE
[template15.SCOPE]
organizationalUnit=DC
;----------------------------------------------------------
[template16]
AppliesToClasses=organizationalUnit
Description = "Delete this Organizational Unit"
ObjectTypes = organizationalUnit
[template16.organizationalUnit]
@=SD
;----------------------------------------------------------
[template17]
AppliesToClasses=domainDNS,organizationalUnit,container
Description = "Rename an Organizational Unit"
ObjectTypes = organizationalUnit
[template17.organizationalUnit]
ou=WP
name=WP
;----------------------------------------------------------
[template18]
AppliesToClasses=domainDNS,organizationalUnit,container
Description = "Modify Description of an Organizational Unit"
ObjectTypes = organizationalUnit
[template18.organizationalUnit]
description=WP
;----------------------------------------------------------
[template19]
AppliesToClasses=domainDNS,organizationalUnit,container
Description = "Modify Managed-By Information of an Organizational Unit"
ObjectTypes = organizationalUnit
[template19.organizationalUnit]
managedBy=WP
;----------------------------------------------------------
[template20]
AppliesToClasses=domainDNS,organizationalUnit,container
Description = "Delegate Control of an Organizational Unit"
ObjectTypes = organizationalUnit
[template20.organizationalUnit]
@=WD
;----------------------------------------------------------
[template21]
AppliesToClasses=domainDNS,organizationalUnit,container
Description = "Create a group"
ObjectTypes = SCOPE
[template21.SCOPE]
group=CC
;----------------------------------------------------------
[template22]
AppliesToClasses=domainDNS,organizationalUnit,container
Description = "Delete a child group"
ObjectTypes = SCOPE
[template22.SCOPE]
group=DC
;----------------------------------------------------------
[template23]
AppliesToClasses=domainDNS,organizationalUnit,container
Description = "Delete this group"
ObjectTypes = group
[template23.group]
@=SD
;----------------------------------------------------------
[template24]
AppliesToClasses=domainDNS,organizationalUnit,container
Description = "Rename a group"
ObjectTypes = group
[template24.group]
cn=WP
name=WP
;----------------------------------------------------------
[template25]
AppliesToClasses=domainDNS,organizationalUnit,container
Description = "Specify the Pre-Windows 2000 compatible name for the group"
ObjectTypes = group
[template25.group]
sAMAccountName=WP
;----------------------------------------------------------
[template26]
AppliesToClasses=domainDNS,organizationalUnit,container
Description = "Modify the description of a group"
ObjectTypes = group
[template26.group]
description=WP
;----------------------------------------------------------
[template27]
AppliesToClasses=domainDNS,organizationalUnit,container
Description = "Modify the scope of the group"
ObjectTypes = group
[template27.group]
groupType=WP
;----------------------------------------------------------
[template28]
AppliesToClasses=domainDNS,organizationalUnit,container
Description = "Modify the type of the group"
ObjectTypes = group
[template28.group]
groupType=WP
;----------------------------------------------------------
[template29]
AppliesToClasses=domainDNS,organizationalUnit,container
Description = "Modify notes for a group"
ObjectTypes = group
[template29.group]
info=WP
;----------------------------------------------------------
[template30]
AppliesToClasses=domainDNS,organizationalUnit,container
Description = "Modify group membership"
ObjectTypes = group
[template30.group]
member=WP
;----------------------------------------------------------
[template31]
AppliesToClasses=domainDNS,organizationalUnit,container
Description = "Specify Managed-By Information of a Group"
ObjectTypes = group
[template31.group]
managedBy=WP
;----------------------------------------------------------
[template32]
AppliesToClasses=domainDNS,organizationalUnit,container
Description = "Create a computer account"
ObjectTypes = SCOPE
[template32.SCOPE]
computer=CC
;----------------------------------------------------------
[template33]
AppliesToClasses=domainDNS,organizationalUnit,container
Description = "Delete a child computer account"
ObjectTypes = SCOPE
[template33.SCOPE]
computer=DC
;----------------------------------------------------------
[template34]
AppliesToClasses=domainDNS,organizationalUnit,container
Description = "Delete this computer account"
ObjectTypes = computer
[template34.computer]
@=SD
;----------------------------------------------------------
[template35]
AppliesToClasses=domainDNS,organizationalUnit,container
Description = "Rename a computer account"
ObjectTypes = computer
[template35.computer]
@=WP
;----------------------------------------------------------
[template36]
AppliesToClasses=domainDNS,organizationalUnit,container
Description = "Disable a computer account"
ObjectTypes = computer
[template36.computer]
userAccountControl=WP
;----------------------------------------------------------
[template37]
AppliesToClasses=domainDNS,organizationalUnit,container
Description = "Reset a computer account"
ObjectTypes = computer
[template37.computer]
CONTROLRIGHT= "Reset Password"
;----------------------------------------------------------
[template38]
AppliesToClasses=domainDNS,organizationalUnit,container
Description = "Specify the computer's description"
ObjectTypes = computer
[template38.computer]
description=WP
;----------------------------------------------------------
[template39]
AppliesToClasses=domainDNS,organizationalUnit,container
Description = "Specify Managed-By information for a computer account"
ObjectTypes = computer
[template39.computer]
managedBy=WP
;----------------------------------------------------------
[template40]
AppliesToClasses=domainDNS,organizationalUnit,container
Description = "Specify that a computer account be trusted for delegation"
ObjectTypes = computer
[template40.computer]
userAccountControl=WP
;----------------------------------------------------------
[template41]
AppliesToClasses=domainDNS,organizationalUnit,container
Description = "Create a user account in disabled state"
ObjectTypes = SCOPE
[template41.SCOPE]
user=CC
;----------------------------------------------------------
[template42]
AppliesToClasses=domainDNS,organizationalUnit,container
Description = "Create a user account"
ObjectTypes = SCOPE , user
[template42.SCOPE]
user=CC
[template42.user]
userAccountControl=WP
CONTROLRIGHT= "Reset Password"
;----------------------------------------------------------
[template43]
AppliesToClasses=domainDNS,organizationalUnit,container
Description = "Delete a child user account"
ObjectTypes = SCOPE
[template43.SCOPE]
user=DC
;----------------------------------------------------------
[template44]
AppliesToClasses=domainDNS,organizationalUnit,container
Description = "Delete this user account"
ObjectTypes = user
[template44.user]
@=SD
;----------------------------------------------------------
[template45]
AppliesToClasses=domainDNS,organizationalUnit,container
Description = "Rename a user account"
ObjectTypes = user
[template45.user]
cn=WP
name=WP
distinguishedName=WP
;----------------------------------------------------------
[template46]
AppliesToClasses=domainDNS,organizationalUnit,container
Description = "Disable a user account"
ObjectTypes = user
[template46.user]
userAccountControl=WP
;----------------------------------------------------------
[template47]
AppliesToClasses=domainDNS,organizationalUnit,container
Description = "Unlock a user account"
ObjectTypes = user
[template47.user]
lockoutTime=WP
;----------------------------------------------------------
[template48]
AppliesToClasses=domainDNS,organizationalUnit,container
Description = "Enable a disabled user account"
ObjectTypes = user
[template48.user]
userAccountControl=WP
;----------------------------------------------------------
[template49]
AppliesToClasses=domainDNS,organizationalUnit,container
Description = "Reset a user account's password"
ObjectTypes = user
[template49.user]
CONTROLRIGHT= "Change Password"
;----------------------------------------------------------
[template50]
AppliesToClasses=domainDNS,organizationalUnit,container
Description = "Force a user account to change the password at the next logon"
ObjectTypes = user
[template50.user]
CONTROLRIGHT= "Reset Password"
userPassword=WP
;----------------------------------------------------------
[template51]
AppliesToClasses=domainDNS,organizationalUnit,container
Description = "Modify a user's display name"
ObjectTypes = user
[template51.user]
adminDisplayName=WP
;----------------------------------------------------------
[template52]
AppliesToClasses=domainDNS,organizationalUnit,container
Description = "Modify a user account's description"
ObjectTypes = user
[template52.user]
description=WP
;----------------------------------------------------------
[template53]
AppliesToClasses=domainDNS,organizationalUnit,container
Description = "Modify a user's office location"
ObjectTypes = user
[template53.user]
physicalDeliveryOfficeName=WP
;----------------------------------------------------------
[template54]
AppliesToClasses=domainDNS,organizationalUnit,container
Description = "Modify a user's telephone number"
ObjectTypes = user
[template54.user]
telephoneNumber=WP
;----------------------------------------------------------
[template55]
AppliesToClasses=domainDNS,organizationalUnit,container
Description = "Modify the location of a user's primary web page"
ObjectTypes = user
[template55.user]
wWWHomePage=WP
;----------------------------------------------------------
[template56]
AppliesToClasses=domainDNS,organizationalUnit,container
Description = "Modify a user's UPN"
ObjectTypes = user
[template56.user]
userPrincipalName=WP
;----------------------------------------------------------
[template57]
AppliesToClasses=domainDNS,organizationalUnit,container
Description = "Modify a user's Pre-Windows 2000 user logon name"
ObjectTypes = user
[template57.user]
sAMAccountName=WP
;----------------------------------------------------------
[template58]
AppliesToClasses=domainDNS,organizationalUnit,container
Description = "Modify the hours during which a user can log on"
ObjectTypes = user
[template58.user]
logonHours=WP
;----------------------------------------------------------
[template59]
AppliesToClasses=domainDNS,organizationalUnit,container
Description = "Specify the computers from which a user can log on"
ObjectTypes = user
[template59.user]
userWorkstations=WP
;----------------------------------------------------------
[template60]
AppliesToClasses=domainDNS,organizationalUnit,container
Description = "Set User cannot change password for a user account"
ObjectTypes = user
[template60.user]
CONTROLRIGHT= "Change Password"
;----------------------------------------------------------
[template61]
AppliesToClasses=domainDNS,organizationalUnit,container
Description = "Set Password Never Expires for a user account"
ObjectTypes = user
[template61.user]
userAccountControl=WP
;----------------------------------------------------------
[template62]
AppliesToClasses=domainDNS,organizationalUnit,container
Description = "Set Store Password Using Reversible Encryption for a user account"
ObjectTypes = user
[template62.user]
userAccountControl=WP
;----------------------------------------------------------
[template63]
AppliesToClasses=domainDNS,organizationalUnit,container
Description = "Disable a user account"
ObjectTypes = user
[template63.user]
userAccountControl=WP
;----------------------------------------------------------
[template64]
AppliesToClasses=domainDNS,organizationalUnit,container
Description = "Set Smart card is required for interactive logon for a user account"
ObjectTypes = user
[template64.user]
userAccountControl=WP
;----------------------------------------------------------
[template65]
AppliesToClasses=domainDNS,organizationalUnit,container
Description = "Set Account is sensitive and cannot be delegated for a user account"
ObjectTypes = user
[template65.user]
userAccountControl=WP
;----------------------------------------------------------
[template66]
AppliesToClasses=domainDNS,organizationalUnit,container
Description = "Set Use DES encryption types for this account for a user account"
ObjectTypes = user
[template66.user]
userAccountControl=WP
;----------------------------------------------------------
[template67]
AppliesToClasses=domainDNS,organizationalUnit,container
Description = "Set Do not require Kerberos pre-authentication for a user account"
ObjectTypes = user
[template67.user]
userAccountControl=WP
;----------------------------------------------------------
[template68]
AppliesToClasses=domainDNS,organizationalUnit,container
Description = "Specify the date when a user account expires"
ObjectTypes = user
[template68.user]
accountExpires=WP
;----------------------------------------------------------
[template69]
AppliesToClasses=domainDNS,organizationalUnit,container
Description = "Specify a profile path for a user"
ObjectTypes = user
[template69.user]
profilePath=WP
;----------------------------------------------------------
[template70]
AppliesToClasses=domainDNS,organizationalUnit,container
Description = "Specify a logon script for a user"
ObjectTypes = user
[template70.user]
scriptPath=WP
;----------------------------------------------------------
Sources:
https://docs.microsoft.com/
https://social.technet.microsoft.com/