Recipe 14.6 Customizing the Delegation of Control Wizard

14.6.1 Problem

You want to add or remove new delegation options in the Delegation of Control Wizard.

14.6.2 Solution

Open the Delegation of Control Wizard INF file (%SystemRoot%\Inf\Delegwiz.inf) on the computer you want to modify the wizard for.

Under the [DelegationTemplates] section, you'll see a line like the following:

Templates = template1, template2, template3, template4, template5, template6, 
template7, template8, template9,template10, template11, template12, template13

You need to append a new template name. In this case I'll follow the same naming convention and create a template named template14. The line now looks like this:

Templates = template1, template2, template3, template4, template5, template6, 
template7, template8, template9,template10, template11, template12, template13, 

Scroll to the end of the file and append a new template section. You can use the other template sections as examples. Here is the generic format:

AppliesToClasses = <CommaSeparatedOfObjectClassesInvokedFrom>

Description = "<DescriptionShownInWizard>"

ObjectTypes = <CommaSeparatedListOfObjectClassesThatAreSet>

<Permission entries for Scope>

<Permission entries for ObjectClass1>

<Permission entries for ObjectClass2>

 . . .

<TemplateName> is the same as what we used in the [DelegationTemplates] section, e.g., template14.

In the AppliesToClasses line, replace <CommaSeparatedObjectClassesInvokedFrom> with a comma-separated list of LDAP display names of the classes that can be delegated. This delegation action will show up on the classes listed here only when you select Delegate Control from a snap-in. To make our new template entry apply to domain objects, OUs, and containers, we would use this:

AppliesToClasses = domainDNS,organizationalUnit,container

In the Description line, replace <DescriptionShownInWizard> with the text you want shown in the wizard that describes the permissions being delegated. Here is an example description for delegating full control over inetOrgPerson objects:

Description = "Create, delete, and manage user and inetOrgPerson accounts"

In the ObjectTypes line, replace <CommaSeparatedListOfObjectClassesThatAreSet> with a comma-separated list of object classes that be delegated. In this example, permissions will be modified for user and inetOrgPerson objects:

ObjectTypes = user,inetOrgPerson

Next, define the actual permissions to set when this action is selected. You can define two different types of permissions. You can use a [<TemplateName>.SCOPE] section to define permissions that are set on the object that is used to start the wizard. This will be one of the object classes defined in the AppliesToClass line. This is commonly used in the context of containers and organizational units to specify create, modify, or delete child objects of a particular type. For example, to grant the ability to create (CC) or delete (DC) user and inetOrgPerson objects, you would use the following:


As you can see, each permission (e.g., create child) is abbreviated to a two-letter code. Here are the valid codes:


Read Property


Write Property


Create Child


Delete Child


Full Control

It is perfectly valid to leave out a SCOPE section if it is not needed. The rest of the lines are used to specify permissions that should be set on the object classes defined by the ObjectTypes line.

To grant full control over all existing user and inetOrgPerson objects, I'll use these entries:



This is very similar to the previous example except that SCOPE was replaced with the names of the object classes the permissions apply to. The @ symbol is used to indicate that the permission applies to all attributes on the object. You can get more granular by replacing @ with the name of attribute the permission applies to. For example, this would grant read and write permissions on the department attribute for inetOrgPerson objects:


You can also enable control access rights using the CONTROLRIGHT designator instead of @ or an attribute name. You need to specify the LDAP display name of the control access right you want to enable. This next section enables the Reset Password right on inetOrgPerson objects and enables read and write access to the pwdLastSet attribute:

CONTROLRIGHT="Reset Password"

14.6.3 Discussion

You can completely customize the tasks that can be delegated with the Delegation of Control Wizard, but you still have the problem of getting the delegwiz.inf file on all the clients that need to use the new settings. You can manually copy it to the computers that need it or use group policy to automate the distribution of it.

14.6.4 See Also

Recipe 14.5 for more on using the Delegation of Control wizard

    Chapter 3. Domain Controllers, Global Catalogs, and FSMOs
    Chapter 6. Users
    Appendix A. Tool List