You want to delegate control over the management of an application partition.
Open ADSI Edit.
Connect to the Configuration naming context of the forest the application partition is in if it is not already present in the left pane.
Expand the Configuration naming context and click on the Partitions container.
In the right pane, right-click on the crossRef object that represents the application partition and select Properties.
Click the Security tab.
Click the Advanced button.
Click the Add button.
Use the object picker to find the user or group you want to delegate control to and click OK.
Click the Properties tab.
Under Allow, check the boxes beside Write msDS-NC-Replica-Locations, Write msDS-SDReferenceDomain, Write msDS-Replication-Notify-First-DSA-Delay, and Write msDS-Replication-Notify-Subsequent-DSA-Delay.
Click OK.
> dsacls <AppPartitionCrossRefDN> /G <UserOrGroup>:RPWP;msDS-NC-Replica-Locations
> dsacls <AppPartitionCrossRefDN> /G <UserOrGroup>:RPWP;msDS-SDReferenceDomain
> dsacls <AppPartitionCrossRefDN> /G <UserOrGroup>:RPWP;msDS-Replication-Notify-First-DSA-Delay
> dsacls <AppPartitionCrossRefDN> /G <UserOrGroup>:RPWP;msDS-Replication-Notify-Subsequent-DSA-Delay
' This script delegates control over the four key attributes
' of an app partition to the specified user or group.
' ------ SCRIPT CONFIGURATION ------
' Fully qualified DNS name of app partition
strAppPart = "<AppPartitionFQDN>"   ' e.g. apps.rallencorp.com
' User or group to delegate control to
strUser = "<UserOrGroup>"           ' e.g. joe@rallencorp.com or RALLENCORP\joe
' ------ END CONFIGURATION ---------

'############################
' Constants
'############################
' ADS_ACETYPE_ENUM
Const ADS_ACETYPE_ACCESS_ALLOWED        = &h0
Const ADS_ACETYPE_ACCESS_ALLOWED_OBJECT = &h5
' ADS_FLAGTYPE_ENUM
Const ADS_FLAG_OBJECT_TYPE_PRESENT = &h1
' ADS_RIGHTS_ENUM
Const ADS_RIGHT_DS_WRITE_PROP = &h20
Const ADS_RIGHT_DS_READ_PROP  = &h10
' schemaIDGUID values of the four attributes being delegated
Const REPLICA_LOCATIONS           = "{97de9615-b537-46bc-ac0f-10720f3909f3}"
Const SDREFERENCEDOMAIN           = "{4c51e316-f628-43a5-b06b-ffb695fcb4f3}"
Const NOTIFY_FIRST_DSA_DELAY      = "{85abd4f4-0a89-4e49-bdec-6f35bb2562ba}"
Const NOTIFY_SUBSEQUENT_DSA_DELAY = "{d63db385-dd92-4b52-b1d8-0d3ecc0e86b6}"

'############################
' Find App Partition
'############################
' Search the Partitions container for the crossRef whose dnsRoot matches
set objRootDSE = GetObject("LDAP://RootDSE")
strBase   = "<LDAP://cn=Partitions," & _
            objRootDSE.Get("ConfigurationNamingContext") & ">;"
strFilter = "(&(objectcategory=crossRef)(dnsRoot=" & _
            strAppPart & "));"
strAttrs  = "cn,distinguishedName;"
strScope  = "onelevel"
set objConn = CreateObject("ADODB.Connection")
objConn.Provider = "ADsDSOObject"
objConn.Open "Active Directory Provider"
set objRS = objConn.Execute(strBase & strFilter & strAttrs & strScope)
if objRS.RecordCount <> 1 then
   WScript.Echo "Did not find a match for " & strAppPart
   WScript.Quit 1   ' nothing to delegate to; objAppPart would be unset below
else
   objRS.MoveLast
   set objAppPart = GetObject("LDAP://" & _
                    objRS.Fields("distinguishedName").Value )
end if

'############################
' Create ACL
'############################
set objSD   = objAppPart.Get("ntSecurityDescriptor")
set objDACL = objSD.DiscretionaryAcl

' Read/Write Property: msDS-NC-Replica-Locations
set objACE1 = CreateObject("AccessControlEntry")
objACE1.Trustee    = strUser
objACE1.AccessMask = ADS_RIGHT_DS_WRITE_PROP Or ADS_RIGHT_DS_READ_PROP
objACE1.AceFlags   = 0
objACE1.Flags      = ADS_FLAG_OBJECT_TYPE_PRESENT
objACE1.AceType    = ADS_ACETYPE_ACCESS_ALLOWED_OBJECT
objACE1.ObjectType = REPLICA_LOCATIONS

' Read/Write Property: msDS-SDReferenceDomain
set objACE2 = CreateObject("AccessControlEntry")
objACE2.Trustee    = strUser
objACE2.AccessMask = ADS_RIGHT_DS_WRITE_PROP Or ADS_RIGHT_DS_READ_PROP
objACE2.AceFlags   = 0
objACE2.Flags      = ADS_FLAG_OBJECT_TYPE_PRESENT
objACE2.AceType    = ADS_ACETYPE_ACCESS_ALLOWED_OBJECT
objACE2.ObjectType = SDREFERENCEDOMAIN

' Read/Write Property: msDS-Replication-Notify-First-DSA-Delay
set objACE3 = CreateObject("AccessControlEntry")
objACE3.Trustee    = strUser
objACE3.AccessMask = ADS_RIGHT_DS_WRITE_PROP Or ADS_RIGHT_DS_READ_PROP
objACE3.AceFlags   = 0
objACE3.Flags      = ADS_FLAG_OBJECT_TYPE_PRESENT
objACE3.AceType    = ADS_ACETYPE_ACCESS_ALLOWED_OBJECT
objACE3.ObjectType = NOTIFY_FIRST_DSA_DELAY

' Read/Write Property: msDS-Replication-Notify-Subsequent-DSA-Delay
set objACE4 = CreateObject("AccessControlEntry")
objACE4.Trustee    = strUser
objACE4.AccessMask = ADS_RIGHT_DS_WRITE_PROP Or ADS_RIGHT_DS_READ_PROP
objACE4.AceFlags   = 0
objACE4.Flags      = ADS_FLAG_OBJECT_TYPE_PRESENT
objACE4.AceType    = ADS_ACETYPE_ACCESS_ALLOWED_OBJECT
objACE4.ObjectType = NOTIFY_SUBSEQUENT_DSA_DELAY

objDACL.AddAce objACE1
objDACL.AddAce objACE2
objDACL.AddAce objACE3
objDACL.AddAce objACE4

'############################
' Set ACL
'############################
' Write the modified security descriptor back to the crossRef object
objSD.DiscretionaryAcl = objDACL
objAppPart.Put "ntSecurityDescriptor", objSD
objAppPart.SetInfo
WScript.Echo "Delegated control of " & strAppPart & " to " & strUser
If you want to delegate control over the management of application partitions, you must grant control over four key attributes of the partition's crossRef object. Here is a description of each attribute and what can be accomplished by having control over it:

msDS-NC-Replica-Locations
By having write access to this attribute, a user can add replica servers for the application partition. See Recipe 17.3 for more information.

msDS-SDReferenceDomain
By having write access to this attribute, a user can define the default security descriptor domain for the application partition. See Recipe 17.8 for more information.

msDS-Replication-Notify-First-DSA-Delay
See Recipe 17.7 for more information.

msDS-Replication-Notify-Subsequent-DSA-Delay
See Recipe 17.7 for more information.
If you want to delegate control over managing objects within the application partition, you need to follow the same procedures you would when delegating control over objects in a domain naming context. See Recipe 14.5 for more information on delegating control.
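Whichever of the three methods above you use, it is worth confirming afterwards exactly who ended up with write access to these attributes, since a blanket Write All Properties grant on the crossRef covers all four at once. The following PowerShell script is an added example, not part of the recipe: it reads the DACL of the crossRef object and lists every principal allowed WriteProperty on one of the four attributes (identified by the schemaIDGUIDs used in the VBScript above) or on all properties. The distinguished name is a placeholder parameter.

```powershell
# Added audit example (not from the recipe): report who holds write access to the
# four delegable attributes on an application partition's crossRef object.
param(
    # Placeholder, e.g. "CN=apps,CN=Partitions,CN=Configuration,DC=rallencorp,DC=com"
    [Parameter(Mandatory)] [string] $AppPartitionCrossRefDN
)

# schemaIDGUID values, as used in the recipe's VBScript
$delegableAttrs = @{
    '97de9615-b537-46bc-ac0f-10720f3909f3' = 'msDS-NC-Replica-Locations'
    '4c51e316-f628-43a5-b06b-ffb695fcb4f3' = 'msDS-SDReferenceDomain'
    '85abd4f4-0a89-4e49-bdec-6f35bb2562ba' = 'msDS-Replication-Notify-First-DSA-Delay'
    'd63db385-dd92-4b52-b1d8-0d3ecc0e86b6' = 'msDS-Replication-Notify-Subsequent-DSA-Delay'
}

$entry = [System.DirectoryServices.DirectoryEntry]"LDAP://$AppPartitionCrossRefDN"
$acl   = $entry.ObjectSecurity   # System.DirectoryServices.ActiveDirectorySecurity
# Explicit and inherited rules, trustees resolved to DOMAIN\name where possible
$rules = $acl.GetAccessRules($true, $true, [System.Security.Principal.NTAccount])

foreach ($rule in $rules) {
    if ($rule.AccessControlType -ne 'Allow') { continue }
    $writeProp = [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty
    if (-not ($rule.ActiveDirectoryRights -band $writeProp)) { continue }

    $guid = $rule.ObjectType.ToString()
    if ($guid -eq [Guid]::Empty.ToString()) {
        # An ACE with no object type covers every attribute, including these four
        $attr = '(all properties)'
    } elseif ($delegableAttrs.ContainsKey($guid)) {
        $attr = $delegableAttrs[$guid]
    } else {
        continue   # write access to some other attribute; not of interest here
    }

    [pscustomobject]@{
        Trustee   = $rule.IdentityReference.Value
        Attribute = $attr
        Inherited = $rule.IsInherited
    }
}
```

Rows whose Attribute is "(all properties)" or whose Trustee is a broad group deserve a second look, because they grant more than the four-attribute delegation the recipe sets up.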
See also Recipe 14.5 for delegating control, Recipe 17.3 for more on adding and removing replica servers, Recipe 17.7 for more on the replication delay attributes, and Recipe 17.8 for more on the default security descriptor domain.