The following table describes the groups that can perform basic DFS Replication tasks by default and the method for delegating the ability to perform these tasks.

To view the delegation list for a replication group in the console tree, select the replication group, and then click the Delegation tab in the details pane.

Task Users or Groups that Can Perform this Task by Default Delegation Method

Create a replication group or enable DFS Replication on a folder that has folder targets.

Domain Admins group in the domain where the replication group will be created.

In the console tree, right-click the Replication node, and then click Delegate Management Permissions.

Administer a replication group.

Domain Admins group in the domain where the replication group is configured, or the creator of the replication group.

In the console tree, right-click the replication group, and then click Delegate Management Permissions.

Add a server to a replication group.

(The server to be added must be online, and the user must be delegated the ability to administer the replication group.)

If the server is a member server, the user must be a member of the local Administrators group of the server to add.

If the server is a domain controller, the user must be a member of the Domain Admins group in the domain where the server is located.

Add the user to local Administrators group of the member server to add, or add the user to the Domain Admins group of the domain controller to add.

If you plan to delegate the ability to create and administer replication groups, consider the following:

  • If you delegate to a user or group the ability to create replication groups, and you later remove the user or group from the delegation list, there is no change to the security settings on existing replication groups.

  • If you delegate to a user or group the ability to administer a specific replication group, and you later remove the user or group from the delegation list, there is no change to the security settings on existing configuration data. For example, if the user who is being removed had created a connection in the replication group, then the user would still have permissions to edit that connection because the user is the owner of the AD DS object that contains the configuration information for the connection.

Additional references