Hack 20 Delegate Control of an OU to a User

figs/expert.gif figs/hack20.gif

Rather than use the Delegation of Control Wizard, use this script to delegate authority over an organizational unit (OU) to a particular user.

By delegating administrative responsibilities, you can eliminate the need for multiple administrative accounts that have broad authority (such as over an entire domain). Although you likely will still use the predefined Domain Admins group for administration of the entire domain, you can limit the accounts that are members of the Domain Admins group to highly trusted administrative users.

Administrative control can be granted to a user or group by using the Delegation of Control wizard. The Delegation of Control wizard allows you to select the user or group to which you want to delegate control, the organizational units and objects you want to grant those users the right to control, and the permissions to access and modify objects.

The Code

While using the wizard to do this is straightforward, there is a quick and easy way to achieve the same effect through VBScript. Just open a text editor such as Notepad (making sure that Word Wrap is disabled), type the following script, and save it with a .vbs extension as DelegateOU.vbs:

Set ou = GetObject("LDAP://OU=Test,OU=Users,OU=Services,OU=Network,DC=MY,DC=Domain,


Set sec = ou.Get("ntSecurityDescriptor")

Set acl = sec.DiscretionaryAcl

Set ace = CreateObject("AccessControlEntry") 



ace.ObjectType = "{BF967ABA-0DE6-11D0-A285-00AA003049E2}" 

'User's GUID (schemaIDGuid)



ace.Trustee = "MY\Jsmith" 'User to delegate to

acl.AddAce ace

sec.DiscretionaryAcl = acl

ou.Put "ntSecurityDescriptor", Array(sec)


Set ace = Nothing

Set acl = Nothing

Set sec = Nothing

When you run this script, the result is to delegate to the user the ability to create and delete users in the MY.DOMAIN.COM/NETWORK/SERVICES/USERS/TEST organizational unit.

The first line you need to customize to make this work in your own environment is this one:

Set ou = GetObject("LDAP://OU=Test,OU=Users,OU=Services,OU=Network," & _


You must insert the distinguished name (DN) of the OU to which you want to delegate this right in the LDAP URL section of the command line. For example, if you want the delegated user to be able to add and delete users in the OU called UR.DOMAINHERE.COM/HR/USERS, the line would need to look like this:

Set ou = GetObject("LDAP:// OU=Users,OU=HR,DC=Ur,DC=Domainhere,DC=com")

Here is another line you need to modify for your environment:

ace.Trustee = "MY\Jsmith" User to delegate to

In the section in double quotes ("MY\Jsmith"), you must insert the username for the user to whom you want to delegate the right to add and delete users. For example, if the user that you want to be able to ADD and DELETE users is called Janedoe, the line would look like this:

ace.Trustee = "UR\Janedoe" 'Who is the beneficiary of this ace

Make sure you have the latest scripting engines on the workstation you run this script from; you can download current scripting engines from the Microsoft Scripting home page (http://msdn.microsoft.com/library/default.asp?url=/nhp/Default.asp?contentid=28001169). When working with the Active Directory Services Interface (ADSI), you must have the same applicable rights you need to use the built-in administrative tools.

Running the Hack

To run the script, simply create a shortcut to the script and double-click on the shortcut. The script itself does the rest.

?Hans Schefske