The following table describes the groups that can perform basic DFS Replication tasks by default and the method for delegating the ability to perform these tasks.
To view the delegation list for a replication group in the console tree, select the replication group, and then click the Delegation tab in the details pane.
Task | Users or Groups that Can Perform this Task by Default | Delegation Method |
---|---|---|
Create a replication group or enable DFS Replication on a folder that has folder targets. | Domain Admins group in the domain where the replication group will be created. | In the console tree, right-click the Replication node, and then click Delegate Management Permissions. |
Administer a replication group. | Domain Admins group in the domain where the replication group is configured, or the creator of the replication group. | In the console tree, right-click the replication group, and then click Delegate Management Permissions. |
Add a server to a replication group. (The server to be added must be online, and the user must be delegated the ability to administer the replication group.) | If the server is a member server, the user must be a member of the local Administrators group of the server to add. If the server is a domain controller, the user must be a member of the Domain Admins group in the domain where the server is located. | Add the user to the local Administrators group of the member server to add, or add the user to the Domain Admins group of the domain controller to add. |
If you plan to delegate the ability to create and administer replication groups, consider the following:
- If you delegate to a user or group the ability to create replication groups, and you later remove the user or group from the delegation list, there is no change to the security settings on existing replication groups.
- If you delegate to a user or group the ability to administer a specific replication group, and you later remove the user or group from the delegation list, there is no change to the security settings on existing configuration data. For example, if the user who is being removed had created a connection in the replication group, then the user would still have permissions to edit that connection because the user is the owner of the AD DS object that contains the configuration information for the connection.
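
Because ownership of configuration objects survives removal from the delegation list, an administrator can review who owns each AD DS object of a replication group. The following PowerShell is an added example, not part of the original documentation; it assumes the ActiveDirectory module (RSAT) is installed, and the replication group name and the list of expected owners are placeholders to adjust.

```powershell
Import-Module ActiveDirectory

# Assumptions (placeholders, not from the original page): adjust both for your domain.
$GroupName      = 'ExampleReplicationGroup'
$ExpectedOwners = @('Domain Admins', 'Enterprise Admins', 'Administrators', 'SYSTEM')

# DFS Replication keeps replication group configuration under the
# DFSR-GlobalSettings container in the domain's System container.
$domainDN   = (Get-ADDomain).DistinguishedName
$searchBase = "CN=$GroupName,CN=DFSR-GlobalSettings,CN=System,$domainDN"

function Resolve-Owner {
    param([System.DirectoryServices.ActiveDirectorySecurity]$SecurityDescriptor)
    try {
        # Translate the owner SID to DOMAIN\name.
        $SecurityDescriptor.GetOwner([System.Security.Principal.NTAccount]).Value
    } catch {
        # The owning account may have been deleted; report the raw SID instead.
        $SecurityDescriptor.GetOwner([System.Security.Principal.SecurityIdentifier]).Value
    }
}

# Walk the group object and everything below it (members, connections,
# content sets) and report the owner of each object.
Get-ADObject -SearchBase $searchBase -SearchScope Subtree -Filter * `
             -Properties nTSecurityDescriptor |
    ForEach-Object {
        $owner     = Resolve-Owner $_.nTSecurityDescriptor
        $shortName = ($owner -split '\\')[-1]
        [pscustomobject]@{
            Review            = $ExpectedOwners -notcontains $shortName
            ObjectClass       = $_.ObjectClass
            Owner             = $owner
            DistinguishedName = $_.DistinguishedName
        }
    } |
    Sort-Object Review -Descending |
    Format-Table -AutoSize -Wrap
```

Rows with `Review` set to `True` are owned by a principal outside the expected list, such as a former delegate who created a connection.
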
Additional references
- Advanced Delegation of DFS Replication Permissions (http://go.microsoft.com/fwlink/?LinkId=140355)
- Deploying DFS Replication