ADM314: Delegation of Administrative Tasks in Active Directory
Paul Reiner
Program Manager
Active Directory
Agenda
Introduction
Concepts
Active Directory management
Creating a delegation model
Implementing a delegation model
Maintaining a delegation model
Challenges in Managing an Active Directory Deployment
An Active Directory deployment can span geographic and business unit boundaries
Participating business units may impose unique autonomy and isolation requirements
Managing a large & dynamic AD deployment involves a large number of administrative operations
Admin responsibilities may need to be distributed amongst & delegated to regional admin groups
Successfully Managing Active Directory
Familiarize yourself with Active Directory management concepts
Create a delegation model to distribute admin responsibilities amongst various admin groups
Implement your delegation model such that:
Only delegated admins can perform the assigned tasks
Delegated admins can only perform the tasks they are assigned and explicitly delegated
Delegated responsibilities can be easily and reliably undelegated
Maintain/update your delegation model as required
Delegation of Administration Implementation Phases
Planning Phase
Creating a delegation model
Deployment Phase
Implementing a delegation model
Operations Phase
Maintaining your delegation model
Delegation of Administration
Delegation: Ability to distribute administrative tasks amongst administrative personnel & other stakeholders
Benefits:
Enables secure and efficient distribution of administrative responsibilities
Enables de-centralized administration
Provides ability to independently manage parts of an organization
Decreases total cost of ownership
Attributes of a good Active Directory delegation model
Provides coverage for all aspects of Active Directory management
Meets unique autonomy and isolation requirements
Efficiently distributes admin responsibilities
Securely delegates admin responsibilities
Affords easy & reliable undelegation
Delegation of Administration in Active Directory
Delegation Defined: Granting a controlled set of permissions to a less privileged user to delegate an administrative task
Administrative tasks involve creation, deletion, modification, or verification of
Configuration data stored in Active Directory *
Domain & application data stored in Active Directory
Delegating an administrative task amounts to authorizing the ability to perform operations on data in Active Directory *
* or in the registry and/or file-system on Domain Controllers
Active Directory Operations & Access Rights
Standard Permissions – Permissions required to perform standard operations
Extended Rights – Rights required for special Active Directory operations
Right to move FSMOs
Validated Writes – Rights for specific operations that require validation prior to modification
Add Self to Group
User Rights – Rights that specify the various ways in which a user can logon to a system
Interactive Logon
Logon as Service
Privileges – Rights to perform various system-related operations on a computer
Backup / Restore
How delegation works in Active Directory
Example directory object – Mary (User): Name: Mary; SID: S-1-5-23456-94342-34680-1094; Department: Accounting; Password: ********
DACL on Mary's user object: Allow Help-Desk Operators User change password
John (Help-Desk Operator)
1. User needs password to be reset
2. User calls Help-desk
3. Help-desk operator has delegated ability to reset passwords
4. Help-desk operator successfully changes the user's password
Delegation and Inheritance
Domain Root – DACL: Allow; Authenticated Users; Read Permissions
Organizational Unit – DACL: Allow; Authenticated Users; Read Permissions; Allow; Help Desk Operators; User change password (CI)
User objects Joe and Mary in the OU – DACL: Allow; Authenticated Users; Read Permissions; Allow; Help Desk Operators; User change password (CI, ID)
CI = Container Inherit
ID = Inherited ACE
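The inheritance picture above (and the help-desk password-reset walkthrough before it) can be made concrete with a small model. The following is an added example, not code from the ADM314 deck or from Microsoft: it models a domain root, an OU and the objects in it, propagates inheritable ACEs down the tree while setting the ID flag, and runs a simplified access check. Names such as `OU=Accounts`, `CN=Joe`, `CN=Mary` and the extra nested OU are constructed; object-type GUIDs are replaced by class names, and the Inherit Only (IO) flag on the help-desk ACE reflects the usual form of an ACE scoped to user objects only, which the slide does not spell out.

```python
"""Toy model of Active Directory DACL inheritance (CI / IO / ID flags) and access checks.

Added example, not from the ADM314 deck. Simplifications: trustees are plain names,
object types are class names rather than schema GUIDs, and the DACL is assumed to be in
canonical order (explicit before inherited, Deny before Allow) so the first matching ACE decides.
"""
from dataclasses import dataclass, field, replace
from typing import List, Optional

CONTAINER_CLASSES = {"domainDNS", "organizationalUnit", "container"}


@dataclass(frozen=True)
class Ace:
    trustee: str                      # group or user the ACE names
    right: str                        # e.g. "Read Permissions", "User change password"
    allow: bool = True
    applies_to: Optional[str] = None  # InheritedObjectType: child class the ACE is meant for
    ci: bool = False                  # CI = Container Inherit: flows to child objects
    io: bool = False                  # IO = Inherit Only: not effective on the carrying object
    inherited: bool = False           # ID = Inherited ACE, set by propagate()

    def describe(self) -> str:
        flags = ",".join(name for name, on in (("CI", self.ci), ("IO", self.io), ("ID", self.inherited)) if on)
        scope = f" on {self.applies_to} objects" if self.applies_to else ""
        return f"{'Allow' if self.allow else 'Deny'}; {self.trustee}; {self.right}{scope} ({flags})"


@dataclass
class AdObject:
    name: str
    object_class: str
    dacl: List[Ace] = field(default_factory=list)
    children: List["AdObject"] = field(default_factory=list)


def propagate(obj: AdObject) -> None:
    """Rebuild inherited ACEs on the subtree of obj from its explicit, inheritable ACEs."""
    for child in obj.children:
        child.dacl = [a for a in child.dacl if not a.inherited]   # explicit ACEs survive, copies are rebuilt
        is_container = child.object_class in CONTAINER_CLASSES
        for ace in obj.dacl:
            if not ace.ci:
                continue
            effective_here = ace.applies_to in (None, child.object_class)
            if not effective_here and not is_container:
                continue                                    # a leaf of another class never receives it
            child.dacl.append(replace(ace, inherited=True,
                                      ci=is_container,      # keeps flowing only through containers
                                      io=not effective_here))  # carried through a container, inactive on it
        propagate(child)


def access_check(obj: AdObject, principal_groups: set, right: str) -> bool:
    """First ACE naming one of the principal's groups for this right decides (ignoring IO ACEs)."""
    for ace in obj.dacl:
        if ace.io or ace.right != right or ace.trustee not in principal_groups:
            continue
        return ace.allow
    return False


def find(obj: AdObject, name: str) -> Optional[AdObject]:
    if obj.name == name:
        return obj
    for child in obj.children:
        hit = find(child, name)
        if hit:
            return hit
    return None


def effective_dacl(obj: AdObject) -> List[str]:
    return [a.describe() for a in obj.dacl]


def build_fabrikam() -> AdObject:
    """Constructed sample tree: domain root -> OU=Accounts -> users, plus a nested OU with a computer."""
    root = AdObject("DC=Fabrikam,DC=com", "domainDNS",
                    dacl=[Ace("Authenticated Users", "Read Permissions", ci=True)])
    accounts = AdObject("OU=Accounts", "organizationalUnit",
                        dacl=[Ace("Help Desk Operators", "User change password",
                                  applies_to="user", ci=True, io=True)])
    contractors = AdObject("OU=Contractors", "organizationalUnit")
    root.children.append(accounts)
    accounts.children += [AdObject("CN=Joe", "user"), AdObject("CN=Mary", "user"), contractors]
    contractors.children += [AdObject("CN=Sara", "user"), AdObject("CN=WS01", "computer")]
    propagate(root)
    return root


if __name__ == "__main__":
    tree = build_fabrikam()
    for name in ("OU=Accounts", "CN=Mary", "OU=Contractors", "CN=WS01"):
        print(name, effective_dacl(find(tree, name)))
    john = {"John", "Help Desk Operators"}
    print("John may change Mary's password:", access_check(find(tree, "CN=Mary"), john, "User change password"))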
Active Directory Management
Service management: Managing all aspects involved in ensuring secure & reliable delivery of the directory service across the enterprise
Data management: Managing all aspects of the content stored in and protected by the directory service across the enterprise
Active Directory Service Management
Figure: the Fabrikam.com forest – root domain Fabrikam.com with child domains Sunnyvale.Fabrikam.com, Chicago.Fabrikam.com and NY.Fabrikam.com; service elements shown: Schema, Schema Master, Infrastructure Master, LDAP Policy, DNS Infrastructure; external domain Partner.com
Active Directory Service Management Categories
Installation management
Schema management
Operations Master Roles management
LDAP Policy management
Trust management
Replication management
Backup and Restore management
Directory database file management
Domain Controller management
Security Policy management
DNS management
Active Directory Service Management Stakeholders
Service Owners: Responsible for ensuring reliable & secure delivery of the directory service
Create an administration (delegation) model for managing the service aspects of their deployment
Delegate service administration to service administrators based on this model
Delegate data management to data owners
Active Directory Service Management Stakeholders
Service Administrators: Responsible for day-to-day administrative tasks involved in maintaining & delivering the directory service
Includes any group that can:
Legitimately change directory configuration settings
Install and/or remove Domain Controllers (DC)
Install and/or modify software on DCs
Modify the membership of a service admin group
Active Directory Data Management
Figure: examples of data stored in the directory – User (Name, Security Identifier (SID), Password, Office Location, Phone Number, Email Address, Email alias); Workstation and Server (Security Identifier (SID), Location, Department, Machine-Role, DNS Host-Name, …); Network Printer (Printer Name, Server Name, Location, …); Help-Desk group (Group Name, Group Members, Group Owner)
Active Directory Data Management Categories
Account management
Workstation management
Resource management
Security group management
Application-specific data management
Active Directory Data Management Stakeholders
Data Owners: Delegated data management by service owners
Responsible for ensuring reliable & secure management of content stored in the directory
Create an administration (delegation) model for managing their data
Active Directory Data Management Stakeholders
Data Administrators: Responsible for day-to-day administrative tasks involved in managing the content stored in the directory or on computers joined to the directory
Have no control over the configuration or delivery of the directory service
Includes any group that can:
Control a subset of data stored in domain partitions
Manage data stored on member computers joined to the Active Directory
Isolation and Autonomy Requirements
Autonomy: Ability of administrators of an organization to independently (but not exclusively) manage:
All or part of service management (service autonomy)
All or part of the data management (data autonomy)
Isolation: Ability of administrators of an organization to independently and exclusively manage service and data
Prevent other administrators from:
Controlling or interfering with service management (service isolation)
Controlling or viewing a subset of data in the directory or on member computers joined to the directory (data isolation)
Addressing autonomy and isolation requirements
Create a separate forest for:
Service isolation
Data isolation
Create a separate Organizational Unit for:
Data-autonomy from non-service owners
Details on design considerations: Active Directory Deployment Kit (Chap 2)
www.microsoft.com/downloads – Search on keywords: Active Directory deployment kit
Note: True service autonomy is not possible in Active Directory because the forest is the security boundary. Use separate forests for service isolation
Delegation of Administration Whitepaper
Contents:
Recommendations on delegating Active Directory administration
Administrative role definitions for delegating Active Directory administration
Administrative role to administrative task mappings
Precise permissions required to delegate all Active Directory administration tasks and customize roles
Release Date: August 2003
Release Site: http://www.microsoft.com/ad
Creating a delegation model
For each category (service & data mgmt.):
1. Define logical roles to distribute admin tasks
2. Ensure that every admin task is covered by a role
3. Define the scope of admin authority for each role
4. Document your role definitions
Responsibility:
Service owners create a delegation model for service mgmt.
Service owners delegate data mgmt. to data owners
Data owners create a delegation model for data mgmt.
Delegating Service Management
Motivation:
Make service management more tractable
Distribute administrative responsibilities
Minimize use of Enterprise & Domain Admin accounts
Minimize risk of inadvertent damage resulting from a mistake on part of an admin logged on as Enterprise Admin or Domain Admin
All service administrators should be highly and equally trusted
Active Directory Service Management Roles
Service Administrator Managers
Forest Configuration Operators
Domain Configuration Operators
Domain Controller Administrators
Schema Administrators
Backup Operators
Restore Operators
Site and Subnet Administrators
Replication Administrators
Security Policy Administrators
DNS Administrators
Active Directory Data Management Roles
Business Unit Admins
Organizational Unit Admins
Account Admins
Workstation Admins
Resource Admins
Helpdesk Operators
Security Group Admins
Application-specific Admins
Application-specific service accounts
Roles for other stakeholders
Implementing & Maintaining Microsoft Recommended Roles
Refer to the upcoming whitepaper “Delegation of Administration in Active Directory” for more information
Preview of role definitions can be found in Appendix
Implementing the delegation model
For each role (in each category):
1. Identify the minimum set of permissions required to delegate the set of admin tasks mapped to the role
2. Identify the scope of administrative authority
3. Create one security group* to represent every instance of a specific role
4. Enable the role by granting appropriate permissions to the corresponding security group
5. Delegate the role by adding delegated users to the security groups representing the role
* In some cases, an existing security group may be used
Implementing delegation – Two Cardinal Rules
1. Use security groups representing the roles solely for the purpose of delegating the role
2. Delegate permissions only on Organizational Units
The ACL Editor
Graphical tool – can be used to modify permissions on Active Directory objects
Using the ACL Editor
Specifying permissions for specific properties
Displaying filtered properties – Microsoft KB Article Q296490
The Delegation Wizard
Graphical tool – can be used to delegate administrative tasks
Delegation Wizard (contd.)
Driven by a customizable inf file: delegwiz.inf
Can be customized to create and delegate custom roles
Microsoft Knowledge Base Article Q308404
Delegation Wizard (contd.)
Benefits:
Can be used to delegate custom roles & tasks
Limitations:
Cannot be used to un-delegate a role/task
Re-running the wizard to delegate an updated role/task on the same scope will result in duplicate ACEs
The delegwiz.inf file is a local file
Recommendations:
Use the wizard for initial deployment of the delegation model by customizing it & using it to delegate roles
Use the wizard to delegate an updated role (refer to the Maintaining Delegation section for details)
Delegating data management at Fabrikam.com
Single Forest, Multiple Domain Model – Redmond Domain
Two business units: Product Development, Business Management
Decentralized Account management; Decentralized Resource management; Centralized Help Desk; Central Stakeholder – Human Resources
Default OUs & Containers
Domain Root contains the default containers: BuiltIn, Domain Controllers, System, Users, Computers, Lost And Found, Foreign Security Principals, Program Data
Delegating Business Units
Business Units OU contains the Product Development and Business Management OUs
Delegation: Product Development Admins, Business Management Admins
DACL on the Product Development OU: Allow Product Development Admins full-control
DACL on the Business Management OU: Allow Business Management Admins full-control
Additional DACL entry: Allow Business Management Admins write-prop to member attribute
Joe (user object under Business Management)
Implementing the Organizational Unit Structure
Business Management OU contains:
Accounts
Resources (Workstations, Servers)
Groups (Account Groups, Resource Groups)
Delegating Business-Unit Specific Administrative Roles
Account Admins
Creation of user accounts – Require Create Child (CC) on parent object
Deletion of user accounts – Require Delete Child (DC) on parent object
Modification of all properties – Require Write-Property (WP) on object
Security Group Admins
Creation of security groups – Require Create Child (CC) on parent object
Deletion of security groups – Require Delete Child (DC) on parent object
Modification of group memberships – Require Write-Property (WP) to the member attribute on object
Delegating Business-Unit Specific Administrative Roles
Business Management OU – delegation to Account Admins and Group Admins:
Accounts OU – DACL: Allow Account Admins CC;DC;WP
Groups OU – DACL: Allow Group Admins CC;DC; Allow Group Admins WP;member
Delegating Workstation Mgmt
Resources OU contains the Workstations OU; Groups OU contains Account Groups and Resource Groups (NY Wkstn Admins, Workstation Admins)
Workstations OU – DACL: Allow Workstation Admins Full-Control on Computer objects
Group Policy – Restricted Groups: Workstation Admins memberOf: Built-in Admins (on each workstation, Built-in Admins = { Workstation Admins })
Resource Groups – DACL: Allow Workstation Admins WP to member attrib; Workstation Admins = { NY Wkstn. Admins }
Delegating Resource Mgmt
Resources OU contains the App X Server Farm OU; Groups OU contains Resource Groups (App X Resource Admins, App X Users)
App X Server Farm OU – DACL: Allow App X Resource Admins Full-Control
Group Policy – Restricted Groups: App X Resource Admins memberOf = Built-in Admins (on each server in the farm, Built-in Admins = { App X Resource Admins })
App X Resource Admins and App X Users groups – DACL: Allow App X Resource Admins WP member
Delegating the Help-Desk Role
Centralized Help-Desk
Assigned Tasks:
Unlock a User account
Reset a User's password
Permissions Required:
Unlock a User account – WP to the Lockout-Time attribute on user object
Reset a User's password – Reset Password extended right on user object
Delegating the help-desk role
Domain Root (Default OUs & Containers) contains the Business Units OU, which contains the Product Development and Business Management OUs
Delegation on the Business Units OU: Help Desk Operators, alongside the Product Development owners and Business Management owners
DACL on the Business Units OU: Allow HelpDesk Operators write-prop to Lockout-Time on User objects; Allow HelpDesk Operators extended-right Reset Password on User objects
Delegating a stakeholder role
Centralized Human Resources department
Stakeholder Requirement:
Specify a user's Manager
Specify a user's Title
Specify a user's Department
Permissions Required:
Specify a user's Manager – WP to the manager attribute on user objects
Specify a user's Title – WP to the title attribute on user objects
Specify a user's Department – WP to the department attribute on user objects
Delegating a stakeholder role
Domain Root (Default OUs & Containers) contains the Business Units OU, which contains the Product Development and Business Management OUs
Delegation on the Business Units OU: Human Resources group, alongside Help Desk Operators, the Product Development owners and Business Management owners
DACL on the Business Units OU: Allow Human Resources group write-prop to manager on User objects; Allow Human Resources group write-prop to title on User objects; Allow Human Resources group write-prop to department on User objects
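The role definitions in this section (Account Admins and Security Group Admins, the centralized Help Desk, the Human Resources stakeholder) all follow the same pattern: tasks map to a minimum set of permissions, and the group representing the role should hold exactly that set. The following is an added example, not code from the deck or from Microsoft; it encodes the deck's task-to-permission mappings as symbolic (right, target, object class) triples, derives the minimum grant for a role, and audits an actual grant for missing, unjustified and over-broad permissions. Trustee SIDs, schema GUIDs and the specific OUs are out of scope; the permission triples and the role names are taken from the slides, the audit categories are this example's own.

```python
"""Role -> task -> permission mapping and a least-privilege audit for AD delegation.

Added example, not from the ADM314 deck. Permissions are symbolic triples, not ACEs:
right   CC / DC / WP / CR (extended right) / GA (full control)
target  child class for CC/DC, attribute for WP, right name for CR, "*" for all
on      object class the ACE has to be effective on
"""
from dataclasses import dataclass
from typing import FrozenSet, Iterable, Tuple


@dataclass(frozen=True)
class Perm:
    right: str
    target: str
    on: str


# Permission each task needs, as given on the deck's "Permissions Required" slides.
TASK_PERMISSIONS = {
    "Create user accounts":        {Perm("CC", "user", "organizationalUnit")},
    "Delete user accounts":        {Perm("DC", "user", "organizationalUnit")},
    "Modify all user properties":  {Perm("WP", "*", "user")},
    "Create security groups":      {Perm("CC", "group", "organizationalUnit")},
    "Delete security groups":      {Perm("DC", "group", "organizationalUnit")},
    "Modify group memberships":    {Perm("WP", "member", "group")},
    "Unlock a user account":       {Perm("WP", "lockoutTime", "user")},
    "Reset a user's password":     {Perm("CR", "Reset Password", "user")},
    "Specify a user's manager":    {Perm("WP", "manager", "user")},
    "Specify a user's title":      {Perm("WP", "title", "user")},
    "Specify a user's department": {Perm("WP", "department", "user")},
}

# Role -> tasks, following the deck's role definitions.
ROLES = {
    "Account Admins": ["Create user accounts", "Delete user accounts", "Modify all user properties"],
    "Security Group Admins": ["Create security groups", "Delete security groups", "Modify group memberships"],
    "Help Desk Operators": ["Unlock a user account", "Reset a user's password"],
    "Human Resources": ["Specify a user's manager", "Specify a user's title", "Specify a user's department"],
}


def required_permissions(role: str) -> FrozenSet[Perm]:
    """Union of the permissions of every task mapped to the role: the role's minimum grant."""
    return frozenset(p for task in ROLES[role] for p in TASK_PERMISSIONS[task])


def implies(granted: Perm, needed: Perm) -> bool:
    """True when holding `granted` is enough to exercise `needed`."""
    if granted.on != needed.on:
        return False
    if granted.right == "GA":            # full control covers every right on that class
        return True
    return granted.right == needed.right and granted.target in ("*", needed.target)


def can_perform(task: str, granted: Iterable[Perm]) -> bool:
    granted = list(granted)
    return all(any(implies(g, n) for g in granted) for n in TASK_PERMISSIONS[task])


def audit(role: str, granted: Iterable[Perm]) -> Tuple[FrozenSet[Perm], FrozenSet[Perm], FrozenSet[Perm]]:
    """Compare a grant with the role's minimum. Returns (missing, unjustified, over_broad):
    missing     - required permissions nothing in the grant satisfies (the role cannot do its tasks)
    unjustified - granted permissions that serve no task of the role (pure excess)
    over_broad  - granted permissions that serve a task but are wider than the exact requirement
    """
    required = required_permissions(role)
    granted = frozenset(granted)
    missing = frozenset(n for n in required if not any(implies(g, n) for g in granted))
    unjustified = frozenset(g for g in granted if not any(implies(g, n) for n in required))
    over_broad = frozenset(g for g in granted - unjustified if g not in required)
    return missing, unjustified, over_broad


if __name__ == "__main__":
    for role in ROLES:
        print(role, sorted((p.right, p.target, p.on) for p in required_permissions(role)))
    # A help desk given WP on all user attributes instead of just lockoutTime is flagged as over-broad.
    print(audit("Help Desk Operators", {Perm("WP", "*", "user"), Perm("CR", "Reset Password", "user")}))
```

The audit separates two very different findings: an unjustified permission is a revocation candidate, while an over-broad one (full control where write-property on one attribute would do) is the least-privilege violation the deck's step 1, "identify the minimum set of permissions", is meant to prevent.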
Maintaining your delegation model
For each category, you may need to:
1. Modify and re-delegate existing roles
2. Create and delegate customized roles
3. Un-delegate existing roles
4. Meet ad hoc delegation requirements
Modifying existing roles and delegating updated roles
Addition of a new task to a role:
Identify permissions required to delegate the task
Add associated permissions to the corresponding template in the delwiz.inf file
Removal of an existing task from an existing role:
Identify permissions required to delegate the task
Revoke associated permissions from the corresponding template in the delwiz.inf file
Temporarily revoke all permissions granted to the security group representing the role (script (preferred) or ACL Editor)
Use the delegation wizard to re-delegate the updated role
Un-Delegating Administration
Un-delegating a user from a role: Remove the user from the security group representing the role
E.g.: Un-delegate Sara from the Account Admins role – Remove Sara from the Account Admins security group
Un-delegating a role: Remove all permissions granted to the security group representing the role
E.g.: Un-delegate the Group Admins role – Revoke all permissions granted to the Group Admins security group
Un-delegating Administration
Product Development OU – Groups OU; delegation to Account Admins and Group Admins (members: Joe, Sara)
Before: DACL on the Groups OU: Allow Group Admins CC;DC; Allow Group Admins WP;member
After un-delegating the Group Admins role: DACL on the Groups OU: (no entries for Group Admins)
Removing Permissions
Scenarios:
Need to un-delegate a role
Need to re-delegate a customized role
Can use ACL Editor or a script
Using a script to remove permissions:
Takes as input a group/user
Walks through the DACLs of all OUs in a specified scope
Reports existence of permissions for the group/user
Removes all permissions for the group/user in the DACLs of all OU objects in the specified scope
New, soon to be released command-line tool
TechEd attendees can download the tool from CommNet
Visit http://www.mymsevents.com/MyMSEvents/Search.aspx – Search for session ADM 314 – download dsrevoke.zip
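The scope-wide revocation script described above is the heart of reliable un-delegation, and it is also where the Delegation Wizard's "duplicate ACEs on re-run" limitation surfaces. The following is an added example, not the deck's code and not the dsrevoke tool: it models OUs with DACLs as plain Python objects, where each ACE records whether it is explicit on that OU or inherited (the ID flag, with the DN of the OU it came from), then reports every ACE naming a trustee in a scope, revokes the explicit ones (copies that inherited from them disappear with them, copies inherited from outside the scope stay and remain visible in the report), and lists duplicate explicit ACEs. The OU names and the ACE rights are constructed sample data.

```python
"""Scope-wide report / revoke of one trustee's permissions, modelled on the deck's dsrevoke idea.

Added example, not from the ADM314 deck and not dsrevoke itself. Rights are symbolic strings;
inherited ACEs carry the DN of the OU holding the explicit ACE they were copied from.
"""
from collections import Counter
from dataclasses import dataclass, field
from typing import Dict, Iterator, List, Optional, Tuple


@dataclass(frozen=True)
class Ace:
    trustee: str
    right: str                            # e.g. "CC:group", "WP:member", "CR:Reset Password"
    inherited_from: Optional[str] = None  # DN carrying the explicit ACE; None = explicit on this OU


@dataclass
class Ou:
    dn: str
    dacl: List[Ace] = field(default_factory=list)
    children: List["Ou"] = field(default_factory=list)


def walk(scope: Ou) -> Iterator[Ou]:
    """Depth-first traversal of scope and every OU beneath it."""
    yield scope
    for child in scope.children:
        yield from walk(child)


def report(scope: Ou, trustee: str) -> List[Tuple[str, Ace]]:
    """Every ACE, explicit or inherited, naming trustee on any OU in scope."""
    return [(ou.dn, ace) for ou in walk(scope) for ace in ou.dacl if ace.trustee == trustee]


def revoke(scope: Ou, trustee: str) -> int:
    """Remove all explicit ACEs for trustee in scope; returns how many were removed.
    Inherited copies fed by a removed ACE vanish with it. Copies inherited from an OU outside
    the scope stay, because only their source OU can remove them (report() still shows them)."""
    removed_sources, removed = set(), 0
    for ou in walk(scope):
        explicit = [a for a in ou.dacl if a.trustee == trustee and a.inherited_from is None]
        if explicit:
            removed_sources.add(ou.dn)
            removed += len(explicit)
            ou.dacl = [a for a in ou.dacl if a not in explicit]
    for ou in walk(scope):
        ou.dacl = [a for a in ou.dacl if a.inherited_from not in removed_sources]
    return removed


def duplicate_aces(scope: Ou) -> Dict[str, List[Ace]]:
    """OUs whose DACL carries the same explicit ACE more than once (wizard re-run symptom)."""
    result = {}
    for ou in walk(scope):
        counts = Counter(a for a in ou.dacl if a.inherited_from is None)
        dupes = [ace for ace, n in counts.items() if n > 1]
        if dupes:
            result[ou.dn] = dupes
    return result


def build_sample() -> Tuple[Ou, Ou]:
    """Constructed sample: domain root -> Business Units -> Product Development -> Groups.
    Returns (root, product_development) so callers can pick either as the scope."""
    root = Ou("DC=fabrikam,DC=com", [Ace("Help Desk Operators", "CR:Reset Password")])
    bu = Ou("OU=Business Units,DC=fabrikam,DC=com",
            [Ace("Help Desk Operators", "CR:Reset Password", root.dn)])
    pd = Ou("OU=Product Development,OU=Business Units,DC=fabrikam,DC=com", [
        Ace("Help Desk Operators", "CR:Reset Password", root.dn),
        Ace("Group Admins", "CC:group"),
        Ace("Group Admins", "WP:member"),
        Ace("Group Admins", "WP:member"),   # duplicate left by a second wizard run
    ])
    groups = Ou("OU=Groups," + pd.dn, [
        Ace("Help Desk Operators", "CR:Reset Password", root.dn),
        Ace("Group Admins", "CC:group", pd.dn),
        Ace("Group Admins", "WP:member", pd.dn),
        Ace("Group Admins", "WP:member", pd.dn),
    ])
    root.children.append(bu)
    bu.children.append(pd)
    pd.children.append(groups)
    return root, pd


if __name__ == "__main__":
    root, pd = build_sample()
    for dn, ace in report(pd, "Group Admins"):
        print(dn, ace)
    print("duplicates:", duplicate_aces(pd))
    print("removed:", revoke(pd, "Group Admins"), "left:", report(pd, "Group Admins"))
```

Running the report before the revocation is what makes un-delegation auditable: the output is the list of explicit ACEs that will go, and any ACE that survives a revocation is by construction inherited from above the chosen scope, which tells the operator where the real grant lives.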
Meeting Ad-Hoc Delegation Requirements
Same approach as used for other roles:
Create a logical role for the ad hoc need
Identify all tasks that should map to role
Identify corresponding permissions
Update delwiz.inf by adding template for role
Create a security group to represent role
Use Delegation wizard to implement the role
Add users to the security group to delegate role
Remove users from group when ad hoc need is met
Could revoke permissions & delete security group or keep permissions & group for future re-use
Conclusion
Ability to manage Active Directory directly impacts ability to accomplish business goals
Creating and implementing a secure and efficient delegation model is key to successfully managing your Active Directory deployment
Attributes of a good delegation model:
Provides coverage for all Active Directory mgmt aspects
Meets unique autonomy & isolation requirements
Efficiently distributes and delegates admin responsibilities
Delegates admin responsibilities based on least privilege
Enables easy & reliable un-delegation of admin authority
Suggested Reading And Resources
© 2003 Microsoft Corporation. All rights reserved. This presentation is for informational purposes only. MICROSOFT MAKES NO WARRANTIES, EXPRESS OR IMPLIED, IN THIS SUMMARY.
Appendix
Role Definition Previews
Challenging Delegations
Preview of Role Definitions
To be covered in upcoming whitepaper on delegation of administration …
Service Management Roles – Service Administrator Managers
Exclusively manage all service administrator groups across the forest:
Creation, deletion & management of service admin groups
Modification of service admin group memberships
Securing service admin groups, accounts & workstations
Service Management Roles – Forest Configuration Operators
Exclusively manage all security-sensitive admin operations that have forest-wide impact:
Creation and demotion of child domains
Creation, deletion and management of trusts
Creation, deletion and management of cross-references
Transfer and seizure of the forest-wide FSMO roles
Modification of forest-wide LDAP settings
Installation of Enterprise Certificate Authority (CA) in every domain
Raising the forest functional level
Service Management Roles – Domain Configuration Operators
Exclusively manage all security-sensitive admin operations that have domain-wide impact:
Addition and removal of replica Domain Controllers
Transfer and seizure of the domain-wide FSMO roles
Granting Replication related extended-rights
Protection and management of the default Domain Controllers OU & the System & Builtin containers
Service Management Roles – Domain Controller Administrators
Exclusively manage all security-sensitive and directory service configuration administrative operations on Domain Controllers:
Installation and/or modification of software on DCs
Installation of service packs and hot-fixes on DCs
Configuration of directory service settings in registry
Maintenance and backup of event logs
Configuration of the Service Control Manager
Management of directory service files and SYSVOL
Shutting down the Domain Controller
Other security-sensitive operations
Service Management Roles – Schema Administrators
Exclusively manage Active Directory Schema:
Creation of additional classes and attributes
Modification of existing schema definitions
Disabling / resurrecting existing classes / attributes
Specifying that an attribute be replicated to the Global Catalog
Service Management Roles – Site and Subnet Administrators
Exclusively manage creation, association, management and deletion of:
Sites
Subnets
Site-links
Site-link bridges
Service Management Roles – Replication Administrators
By design, Active Directory replication requires minimal administrative intervention
Exclusively manage all administrative operations involved in managing replication for a given site or a given group of sites
Service Management Roles – Security Policy Administrators
Exclusively manage:
Domain Controller Security Policy for all domains
Following parts of Domain Security Policy:
Password policy settings
Account Lockout settings
Kerberos Policy settings
Service Management Roles – DNS Administrators
Exclusively manage:
Installation & configuration of the DNS server service on Domain Controllers
Creation & configuration of DNS zones
Ensuring coverage of service management categories
Category – Role
Installation management – Forest Configuration Operators & Domain Configuration Operators
Schema management – Schema Admins
Operations Master role management – Forest Configuration Operators & Domain Configuration Operators
LDAP Policy management – Forest Configuration Operators
Trust management – Forest Configuration Operators & Domain Configuration Operators
Replication management – Site Topology & Replication Admins
Backup & Restore management – Backup & Restore Admins
Directory Database management – Domain Controller Admins
Domain Controller management – Domain Controller Admins
Security Policy management – Security Policy Admins
DNS management – DNS Admins
Data Management Roles – Business Unit Admins & OU Admins
Business Unit Admins
Represent the business-unit data owners
Manage the following data administration operations:
Creation and deletion of business-unit OU structure
Delegation of specific data administration tasks to appropriate data administrators & other stakeholders
Organizational Unit Admins
Optional Role
Business-unit admins may choose to grant full-control of OUs within the business-unit sub-tree to OU admins
Can be either delegated specific admin operations or full-control of an OU within the business-unit sub-tree
Data Management Roles – Security Group Admins & Account Admins
Security Group Admins: Create, delete and manage non-service admin security groups
Account Admins: Create, delete & manage user accounts
Data Management Roles – Account Admins & Workstation Admins
Workstation Admins: Manage domain member workstations
Create, delete and manage computer accounts for workstations
Resource Admins: Create, delete and manage resources (e.g. server farm, internal web-application etc.)
Data Management Roles – Help Desk Operators, Application Specific Admins & Service-accounts
Help Desk Operators – Provide account support for user and computer accounts
Password related administrative operations
Account lockout related administrative operations
Other operations (depending on support model)
Application-specific service admins & service accounts
Responsible for creation, modification and deletion of application specific data
Challenging Delegations
Challenging Delegations – Delegating User Account Operations
Specify when a user account expires – Grant Write-property (WP) to Account-Expires attribute
Enable / Disable a User account – Grant WP to User-Account-Control* attribute
Unlock a User account – Grant WP to Lockout-Time attribute
Reset a User's password – Grant the Reset Password extended right
Force a User to change his password – Grant WP to the Pwd-Last-Set attribute
* Granting WP to user-account-control attribute grants ability to perform some other admin tasks as well.
Challenging Delegations – Delegating ability to move objects
Aim – Delegate the ability to only be able to move objects between two OUs
Permissions required to delegate operation:
Delete Child in Source OU & Create Child in Target OU
Write property permissions to the attribute that is the RDN attribute for the object class
Delegating this operation safely:
Create an intermediate drop-off and pick-up OU
Grant source and target OU Admins required permissions on the source, target & intermediate OUs
Challenging Delegations – Delegating ability to move objects
Source OU – DACL: Allow Source OU Admin Delete Child
Intermediate (drop-off / pick-up) OU – DACL: Allow Source OU Admin Create Child; Allow Target OU Admin Delete Child
Target OU – DACL: Allow Target OU Admin Create Child
Challenging Delegations – Delegating addition of replica DCs
Operational needs may necessitate delegating this operation
To delegate operation, grant the following permissions:
Extended rights on domain, schema & config partitions: Replicating Directory Changes, Replicating Directory Changes All, Manage Replication Topology & Replication Synchronization
Additional extended right on domain partition: Add/Remove Replica In Domain
User Rights: Enable computer and user accounts to be trusted for delegation
Permissions required:
Inheritable RP on CN=Servers, CN=<Site>, CN=Sites, CN=Configuration, DC=<forestRootDomain>
Inheritable CC on CN=Servers, CN=<Site>, CN=Sites, CN=Configuration, DC=<forestRootDomain>
Full Control to "Creator Owner" on CN=<Site>, CN=Sites, CN=Configuration, DC=<forestRootDomain>
NOTE: In all of the above, <Site> represents the site the DC will belong to
CC on OU=Domain Controllers, DC=<domain> to create Computer objects
Full Control on the Computer object for the server that is being DCPROMOed
User must be a member of the Administrators group on the member server being DCPROMOed
NOTE: Microsoft highly recommends that this operation not be delegated, unless absolutely required
Other ACL Modification Tools
dsacls.exe – View or modify ACLs on directory objects
acldiag.exe – Determine whether a user has been assigned or denied access to a directory object
Reset ACLs to their default state
ldp.exe – Perform LDAP operations against Active Directory
Can be used to view ACLs on objects
adsiedit.exe – View all objects (and all attributes) in the directory
Modify objects and set ACLs on objects
NOTE: To Install the Windows 2000 Support Tools, refer to Microsoft Knowledge Base Article - Q301423
Community Resources
Community Resources: http://www.microsoft.com/communities/default.mspx
Most Valuable Professional (MVP): http://www.mvp.support.microsoft.com/
Newsgroups – Converse online with Microsoft Newsgroups, including Worldwide: http://www.microsoft.com/communities/newsgroups/default.mspx
User Groups – Meet and learn with your peers: http://www.microsoft.com/communities/usergroups/default.mspx