ADM314:
Delegation of Administrative Tasks
in Active Directory
Paul Reiner
Program Manager
Active Directory
Agenda
Introduction
Concepts
Active Directory management
Creating a delegation model
Implementing a delegation model
Maintaining a delegation model
Challenges in Managing an
Active Directory Deployment
An Active Directory deployment can span geographic
and business unit boundaries
Participating business units may impose unique
autonomy and isolation requirements
Managing a large & dynamic AD deployment involves a
large number of administrative operations
Admin responsibilities may need to be distributed
amongst & delegated to regional admin groups
Successfully Managing
Active Directory
Familiarize yourself with Active Directory
management concepts
Create a delegation model to distribute admin
responsibilities amongst various admin groups
Implement your delegation model such that:
Only delegated admins can perform the assigned tasks
Delegated admins can only perform the tasks they are assigned
and explicitly delegated
Delegated responsibilities can be easily and reliably undelegated
Maintain/update your delegation model as
required
Delegation of Administration
Implementation Phases
Planning Phase
Creating a delegation model
Deployment Phase
Implementing a delegation model
Operations Phase
Maintaining your delegation model
Delegation of Administration
Delegation
Ability to distribute administrative tasks amongst
administrative personnel & other stakeholders
Benefits
Enables secure and efficient distribution of
administrative responsibilities
Enables de-centralized administration
Provides ability to independently manage parts of an
organization
Decreases total cost of ownership
Attributes of a good Active
Directory delegation model
Provides coverage for all aspects of Active
Directory management
Meets unique autonomy and isolation
requirements
Efficiently distributes admin responsibilities
Securely delegates admin responsibilities
Affords easy & reliable undelegation
Delegation of Administration in
Active Directory
Delegation Defined
Granting a controlled set of permissions to a less
privileged user to delegate an administrative task
Administrative tasks involve creation, deletion,
modification, or verification of
Configuration data stored in Active Directory *
Domain & application data stored in Active Directory
Delegating an administrative task amounts to authorizing
the ability to perform operations on data in Active
Directory *
* or in the registry and/or file-system on Domain Controllers
Active Directory Operations &
Access Rights
Standard Permissions – Permissions required to perform standard
operations
Extended Rights – Rights required for special Active Directory operations
Right to move FSMOs
Validated Writes – Rights for specific operations that require validation prior
to modification
Add Self to Group
User Rights – Rights that specify the various ways in which a user can logon
to a system
Interactive Logon
Logon as Service
Privileges – Rights to perform various system-related operations on a
computer
Backup / Restore
How delegation works in Active Directory
Mary (User)
  Name: Mary
  SID: S-1-5-23456-94342-34680-1094
  Department: Accounting
  Password: *******************
  DACL: Allow Help-Desk Operators User change password
John (Help-Desk Operator)
1. User needs password to be reset
2. User calls help-desk
3. Help-desk operator has delegated ability to reset passwords
4. Help-desk operator successfully changes the user's password
Delegation and Inheritance
CI = Container Inherit; ID = Inherited ACE
Domain Root
  DACL:
    Allow; Authenticated Users; Read Permissions
    Allow; Help Desk Operators; User change password (CI)
  Organizational Unit
    DACL:
      Allow; Authenticated Users; Read Permissions
      Allow; Help Desk Operators; User change password (CI, ID)
    Joe
      DACL:
        Allow; Authenticated Users; Read Permissions
        Allow; Help Desk Operators; User change password (CI, ID)
    Mary
      DACL:
        Allow; Authenticated Users; Read Permissions
        Allow; Help Desk Operators; User change password (CI, ID)
Active Directory Management
Service management
Managing all aspects involved in ensuring secure
& reliable delivery of the directory service across
the enterprise
Data management
Managing all aspects of the content stored in and
protected by the directory service across the
enterprise
Active Directory Service Management
[Figure: service management elements of a forest: LDAP Policy, Schema and Schema Master, Infrastructure Master, DNS Infrastructure; forest root Fabrikam.com with domains NY.Fabrikam.com, Chicago.Fabrikam.com and Sunnyvale.Fabrikam.com, and the external domain Partner.com]
Active Directory Service
Management Categories
Installation management
Schema management
Operations Master Roles management
LDAP Policy management
Trust management
Replication management
Backup and Restore management
Directory database file management
Domain Controller management
Security Policy management
DNS management
Active Directory Service
Management Stakeholders
Service Owners
Responsible for ensuring reliable & secure
delivery of the directory service
Create an administration (delegation) model
for managing the service aspects of their
deployment
Delegate service administration to service
administrators based on this model
Delegate data management to data owners
Active Directory Service
Management Stakeholders
Service Administrators
Responsible for day-to-day administrative tasks
involved in maintaining & delivering the directory
service
Includes any group that can
Legitimately change directory configuration settings
Install and/or remove Domain Controllers (DC)
Install and/or modify software on DCs
Modify the membership of a service admin group
Active Directory Data Management
Examples of content stored in the directory:
User: Name, Security Identifier (SID), Password, Office Location, Phone Number, Email Address, Email alias, …
Workstation: Security Identifier (SID), Location, Department, Machine-Role, DNS Host-Name, …
Server: Security Identifier (SID), Location, Department, Machine-Role, DNS Host-Name, …
Network Printer: Printer Name, Server Name, Location, …
Help-Desk (security group): Group Name, Group Members, Group Owner
Active Directory Data
Management Categories
Account management
Workstation management
Resource management
Security group management
Application-specific data management
Active Directory Data
Management Stakeholders
Data Owners
Delegated data management by service owners
Responsible for ensuring reliable & secure
management of content stored in the directory
Create an administration (delegation) model for
managing their data
Active Directory Data
Management Stakeholders
Data Administrators
Responsible for day-to-day administrative tasks
involved in managing the content stored in the
directory or on computers joined to the directory
Have no control over the configuration or delivery of
the directory service
Includes any group that can
Control a subset of data stored in domain partitions
Manage data stored on member computers joined to
the Active Directory
Isolation and Autonomy
Requirements
Autonomy
Ability of administrators of an organization to independently (but
not exclusively) manage:
All or part of service management (service autonomy)
All or part of the data management (data autonomy)
Isolation
Ability of administrators of an organization to independently and
exclusively manage service and data
Prevent other administrators from:
Controlling or interfering with service management (service
isolation)
Controlling or viewing a subset of data in the directory or on
member computers joined to the directory (data isolation)
Addressing autonomy and
isolation requirements
Create a separate forest for:
Service isolation
Data isolation
Create a separate Organizational Unit for:
Data-autonomy from non-service owners
Details on design considerations
Active Directory Deployment Kit (Chap 2)
www.microsoft.com/downloads
Search on keywords: Active Directory deployment kit
Note: True service isolation is not possible within a single forest, because the forest
(not the domain) is the security boundary. Use separate forests for service isolation.
Delegation of Administration
Whitepaper
Contents
Recommendations on delegating Active Directory
administration
Administrative role definitions for delegating Active
Directory administration
Administrative role to administrative task mappings
Precise permissions required to delegate all Active
Directory administration tasks and customize roles
Release Date: August 2003
Release Site: http://www.microsoft.com/ad
Creating a delegation model
For each category (service & data mgmt.):
1. Define logical roles to distribute admin tasks
2. Ensure that every admin task is covered by a role
3. Define the scope of admin authority for each role
4. Document your role definitions
Responsibility
Service owners create a delegation model for service
mgmt.
Service owners delegate data mgmt. to data owners
Data owners create a delegation model for data mgmt.
Delegating Service Management
Motivation:
Make service management more tractable
Distribute administrative responsibilities
Minimize use of Enterprise & Domain Admin accounts
Minimize risk of inadvertent damage resulting from a
mistake on part of an admin logged on as Enterprise
Admin or Domain Admin
All service administrators should be highly and
equally trusted
Active Directory Service
Management Roles
Service Administrator Managers
Forest Configuration Operators
Domain Configuration Operators
Domain Controller Administrators
Schema Administrators
Backup Operators
Restore Operators
Site and Subnet Administrators
Replication Administrators
Security Policy Administrators
DNS Administrators
Active Directory Data
Management Roles
Business Unit Admins
Organizational Unit Admins
Account Admins
Workstation Admins
Resource Admins
Helpdesk Operators
Security Group Admins
Application-specific Admins
Application-specific service accounts
Roles for other stakeholders
Implementing & Maintaining
Microsoft Recommended Roles
Refer to the upcoming whitepaper “Delegation of
Administration in Active Directory” for more
information
Preview of role definitions can be found in
Appendix
Implementing the delegation
model
For each role (in each category):
1. Identify the minimum set of permissions required to delegate the set of admin tasks mapped to the role
2. Identify the scope of administrative authority
3. Create one security group* to represent every instance of a specific role
4. Enable the role by granting appropriate permissions to the corresponding security group
5. Delegate the role by adding delegated users to the security groups representing the role
* In some cases, an existing security group may be used
Implementing delegation
Two Cardinal Rules
1.
Use security groups representing the roles solely
for the purpose of delegating the role
2.
Delegate permissions only on Organizational Units
The ACL Editor
Graphical tool – can be used to modify permissions
on Active Directory objects
Using the ACL Editor
Specifying permissions for specific properties

Displaying filtered properties – Microsoft KB Article - Q296490
The Delegation Wizard
Graphical tool – can be used to delegate
administrative tasks
Delegation Wizard (contd.)
Driven by a customizable inf file: delegwiz.inf
Can be customized to create and delegate custom roles
Microsoft Knowledge Base Article - Q308404
Delegation Wizard (contd.)
Benefits
Can be used to delegate custom roles & tasks
Limitations
Cannot be used to un-delegate a role/task
Re-running wizard to delegate an updated role/task on
same scope will result in duplicate ACEs
The delegwiz.inf file is a local file
Recommendations
Use the wizard for initial deployment of delegation
model by customizing it & using it to delegate roles
Use the wizard to delegate an updated role
Refer to Maintaining Delegation section for details
Delegating data management at
Fabrikam.com
Single Forest, Multiple Domain Model
Redmond Domain
Two business units
Product Development
Business Management
Decentralized Account management
Decentralized Resource management
Centralized Help Desk
Central Stakeholder - Human Resources
Default OUs & Containers
Domain Root
BuiltIn
Domain Controllers
System
Lost And Found
Foreign Security Principals
Program Data
Users
Computers
Delegating Business Units
Domain Root
  Default OUs & Containers
  Delegation (OU holding the role groups)
    Product Development Admins (group)
    Business Management Admins (group; member: Joe)
      DACL: Allow Business Management Admins write-prop to member attribute
  Business Units
    Product Development
      DACL: Allow Product Development Admins full-control
    Business Management
      DACL: Allow Business Management Admins full-control
      Joe
Implementing the Organizational Unit Structure
Business Management
  Accounts
  Groups
    Account Groups
    Resource Groups
  Resources
    Workstations
    Servers
Delegating Business-Unit
Specific Administrative Roles
Account Admins
Creation of user accounts
Require Create Child (CC) on parent object
Deletion of user accounts
Require Delete Child (DC) on parent object
Modification of all properties
Require Write-Property (WP) on object
Security Group Admins
Creation of security groups
Require Create Child (CC) on parent object
Deletion of security groups
Require Delete Child (DC) on parent object
Modification of group memberships
Require Write-Property (WP) to the member attribute on object
Delegating Business-Unit Specific Administrative Roles
Business Management
  Delegation
    Account Admins (group)
    Group Admins (group)
  Accounts
    DACL: Allow Account Admins CC;DC;WP
  Groups
    DACL: Allow Group Admins CC;DC
          Allow Group Admins WP; member
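The following is an added example, not code from the deck, that walks the five implementation steps above for the two Business Management roles and produces exactly the ACEs the slide shows (CC;DC;WP on Accounts, CC;DC plus WP on member on Groups). It assumes the ActiveDirectory PowerShell module (RSAT) and that the OUs already exist; the group names, OU names and the user "sara" are hypothetical.

```powershell
# Added example: implement the BM Account Admins and BM Group Admins roles.
# Assumes ActiveDirectory module; all DNs and group names are hypothetical.
Import-Module ActiveDirectory

$domainDN   = (Get-ADDomain).DistinguishedName
$bmOU       = "OU=Business Management,OU=Business Units,$domainDN"
$rolesOU    = "OU=Delegation,$bmOU"     # holds the role groups and nothing else
$accountsOU = "OU=Accounts,$bmOU"
$groupsOU   = "OU=Groups,$bmOU"

# Step 1: the minimum permissions, expressed against schema GUIDs. Scoping the
# ACE to the user class (or to the member attribute) is what stops the role
# from creating computers in the same OU or writing every attribute of a group.
$schemaNC = (Get-ADRootDSE).schemaNamingContext
function Get-SchemaGuid([string]$ldapDisplayName) {
    $o = Get-ADObject -SearchBase $schemaNC -LDAPFilter "(lDAPDisplayName=$ldapDisplayName)" -Properties schemaIDGUID
    return [guid]$o.schemaIDGUID
}
$userClass  = Get-SchemaGuid 'user'
$groupClass = Get-SchemaGuid 'group'
$memberAttr = Get-SchemaGuid 'member'

# Step 3: one security group per role, used for nothing else (cardinal rule 1).
foreach ($role in 'BM Account Admins', 'BM Group Admins') {
    if (-not (Get-ADGroup -Filter "Name -eq '$role'")) {
        New-ADGroup -Name $role -GroupScope Global -GroupCategory Security -Path $rolesOU
    }
}
$accountAdmins = (Get-ADGroup 'BM Account Admins').SID
$groupAdmins   = (Get-ADGroup 'BM Group Admins').SID

# Step 4: grant permissions on the OU only (cardinal rule 2), scoped per step 2.
function Add-AdAce {
    param(
        [string]$ObjectDN,
        [System.Security.Principal.SecurityIdentifier]$Sid,
        [System.DirectoryServices.ActiveDirectoryRights]$Rights,
        [guid]$ObjectType = [guid]::Empty,           # class created/deleted, or attribute written
        [System.DirectoryServices.ActiveDirectorySecurityInheritance]$Inheritance = 'None',
        [guid]$InheritedObjectType = [guid]::Empty   # class of child objects the ACE applies to
    )
    $acl = Get-Acl -Path "AD:\$ObjectDN"
    $ace = New-Object System.DirectoryServices.ActiveDirectoryAccessRule -ArgumentList @(
        $Sid, $Rights, [System.Security.AccessControl.AccessControlType]::Allow,
        $ObjectType, $Inheritance, $InheritedObjectType)
    $acl.AddAccessRule($ace)
    Set-Acl -Path "AD:\$ObjectDN" -AclObject $acl
}

# Account Admins: create/delete user objects in Accounts, and write all
# properties of the user objects beneath it (WP inherited to users only).
Add-AdAce -ObjectDN $accountsOU -Sid $accountAdmins -Rights 'CreateChild, DeleteChild' -ObjectType $userClass
Add-AdAce -ObjectDN $accountsOU -Sid $accountAdmins -Rights 'WriteProperty' -Inheritance 'Descendents' -InheritedObjectType $userClass

# Group Admins: create/delete groups in Groups, but write only the member attribute.
Add-AdAce -ObjectDN $groupsOU -Sid $groupAdmins -Rights 'CreateChild, DeleteChild' -ObjectType $groupClass
Add-AdAce -ObjectDN $groupsOU -Sid $groupAdmins -Rights 'WriteProperty' -ObjectType $memberAttr -Inheritance 'Descendents' -InheritedObjectType $groupClass

# Step 5: delegate by group membership, never by per-user ACEs.
Add-ADGroupMember -Identity 'BM Account Admins' -Members 'sara'

# Check: the explicit ACEs on the Accounts OU that name the role group.
(Get-Acl -Path "AD:\$accountsOU").Access |
    Where-Object { -not $_.IsInherited -and $_.IdentityReference -like '*\BM Account Admins' } |
    Format-Table IdentityReference, ActiveDirectoryRights, ObjectType, InheritanceType, InheritedObjectType -AutoSize
```

The script must run as a data owner who holds Modify Permissions (WRITE_DAC) on the two OUs; the Business Management Admins group with full-control on the business-unit OU, as delegated on the earlier slide, is sufficient. ObjectType shows as a GUID in the final table; an empty GUID on the WriteProperty ACE means "all properties", which is what CC;DC;WP on the slide grants.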
Delegating Workstation Mgmt
Groups
  Account Groups
    NY Wkstn Admins
  Resource Groups
    Workstation Admins { NY Wkstn. Admins }
      DACL: Allow Workstation Admins WP to member attrib
Resources
  Workstations
    DACL: Allow Workstation Admins Full-Control on Computer objects
    Group Policy, Restricted Groups: Workstation Admins memberOf Built-in Admins
    Result on each workstation: Built-in Admins { Workstation Admins }
Delegating Resource Mgmt
Groups
  Resource Groups
    App X Resource Admins
      DACL: Allow App X Resource Admins WP member
    App X Users
      DACL: Allow App X Resource Admins WP member
Resources
  App X Server Farm
    DACL: Allow App X Resource Admins Full-Control
    Group Policy, Restricted Groups: App X Resource Admins memberOf Built-in Admins
    Result on each server in the farm: Built-in Admins { App X Resource Admins }
Delegating the Help-Desk Role
Centralized Help-Desk
Assigned Tasks
Unlock a User account
Reset a User’s password
Permissions Required
Unlock a User account
WP to the Lockout-Time attribute on user object
Reset a User’s password
Reset Password extended right on user object
Delegating the help-desk role
Domain Root
  Default OUs & Containers
  Delegation
    Product Development owners
    Business Management owners
    Help Desk Operators
  Business Units
    DACL: Allow HelpDesk Operators write-prop to Lockout-Time on User objects
          Allow HelpDesk Operators extended-right Reset Password on User objects
    Product Development
    Business Management
Delegating a stakeholder role
Centralized Human Resources department
Stakeholder Requirement:
Specify a user’s Manager
Specify a user’s Title
Specify a user’s Department
Permissions Required
Specify a user’s Manager
WP to the manager attribute on user objects
Specify a user’s Title
WP to the title attribute on user objects
Specify a user’s Department
WP to the department attribute on user objects
Delegating a stakeholder role
Domain Root
  Default OUs & Containers
  Delegation
    Product Development owners
    Business Management owners
    Help Desk Operators
    Human Resources group
  Business Units
    DACL: Allow Human Resources group write-prop to manager on User objects
          Allow Human Resources group write-prop to title on User objects
          Allow Human Resources group write-prop to department on User objects
    Product Development
    Business Management
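The following is an added example, not code from the deck, that implements both the help-desk role (Reset Password extended right and WP on lockoutTime) and the Human Resources stakeholder role (WP on manager, title and department) from the preceding slides, using dsacls.exe, which the deck lists under Other ACL Modification Tools. The ACEs are placed on the Business Units OU so that both business units inherit them. The NetBIOS domain FABRIKAM, the group names and the DNs are hypothetical.

```powershell
# Added example: delegate the help-desk and HR stakeholder roles with dsacls.exe.
# FABRIKAM, the group names and the DNs are hypothetical.
$scope    = 'OU=Business Units,DC=fabrikam,DC=com'
$helpDesk = 'FABRIKAM\HelpDesk Operators'
$hr       = 'FABRIKAM\Human Resources'

# /I:S            apply to sub-objects only; the OU object itself gets no rights
# ...;user        only objects of class user inherit the ACE (not groups or computers)
# CA;<right name> a control-access (extended) right, here Reset Password
# WP;<attribute>  write-property on exactly one attribute
dsacls $scope /I:S /G "${helpDesk}:CA;Reset Password;user"
dsacls $scope /I:S /G "${helpDesk}:WP;lockoutTime;user"

# HR may write only the three attributes it owns, nothing else on the user.
foreach ($attr in 'manager', 'title', 'department') {
    dsacls $scope /I:S /G "${hr}:WP;$attr;user"
}

# Verify: explicit ACEs on the scope, then the inherited copies on one user
# beneath it (the CI/ID behaviour from the Delegation and Inheritance slide).
dsacls $scope | Select-String 'HelpDesk Operators|Human Resources'
dsacls 'CN=Mary,OU=Accounts,OU=Business Management,OU=Business Units,DC=fabrikam,DC=com' |
    Select-String 'HelpDesk Operators|Human Resources'
```

Reset Password (a control-access right that does not require the old password) is the right a help desk needs; the Change Password right only lets a caller who already knows the current password change it. Writing lockoutTime lets the operator unlock an account by setting it to 0, but grants nothing else on the user, which is why the slide names that single attribute rather than WP on the whole object.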
Maintaining your delegation
model
For each category, you may need to:
1. Modify and re-delegate existing roles
2. Create and delegate customized roles
3. Un-delegate existing roles
4. Meet ad hoc delegation requirements
Modifying existing roles and
delegating updated roles
Addition of a new task to a role
Identify permissions required to delegate task
Add associated permissions to corresponding template in
delegwiz.inf file
Removal of an existing task from an existing role
Identify permissions required to delegate task
Revoke associated permissions from corresponding template in
delegwiz.inf file
Temporarily revoke all permissions granted to the security
group representing the role
Script (preferred) or ACL Editor
Use delegation wizard to re-delegate the updated role
Un-Delegating Administration
Un-delegating a user from a role
Remove user from the security group representing the
role
E.g.: Un-delegate Sara from Account Admins role
Remove Sara from the Account Admins security group
Un-delegating a role
Remove all permissions granted to the security group
representing the role
E.g.: Un-delegate the Group Admins role
Revoke all permissions granted to Group Admins security
group
Un-delegating Administration
Product Development
  Delegation
    Account Admins { Joe, Sara } (remove Sara from the group to un-delegate her)
    Group Admins
  Groups
    DACL before un-delegating the Group Admins role:
      Allow Group Admins CC;DC
      Allow Group Admins WP; member
    DACL after un-delegating the role: no ACEs for Group Admins
Removing Permissions
Scenarios:
Need to un-delegate a role
Need to re-delegate a customized role
Can use ACL Editor or a script
Using a script to remove permissions
Takes as input a group/user
Walk through DACLs of all OUs in a specified scope
Report existence of permissions for the group/user
Remove all permissions for group/user in the DACLs of all
OU objects in specified scope
New, soon to be released command-line tool
TechEd attendees can download the tool from CommNet
Visit http://www.mymsevents.com/MyMSEvents/Search.aspx
Search for session ADM 314 – download dsrevoke.zip
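The following is an added example, not the dsrevoke tool itself, that does what the slide describes: given a group or user, walk the DACLs of every OU in a scope, report the ACEs granted to that principal, and, with -Remove, revoke them. It also makes the inheritance point from the earlier Delegation and Inheritance slide concrete: ACEs carrying the ID flag are reported but can only be removed on the OU where they were set explicitly. It assumes the ActiveDirectory PowerShell module; the domain, group and OU names are hypothetical.

```powershell
# Added example: report and revoke all OU-level ACEs for a principal in a scope.
# Assumes ActiveDirectory module; names below are hypothetical.
Import-Module ActiveDirectory

function Revoke-OuDelegation {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory)] [string]$Principal,    # e.g. 'FABRIKAM\Group Admins'
        [Parameter(Mandatory)] [string]$SearchBase,   # DN of the OU that bounds the scope
        [switch]$Remove                               # report only unless set
    )
    $sid = ([System.Security.Principal.NTAccount]$Principal).Translate(
               [System.Security.Principal.SecurityIdentifier])

    # Cardinal rule 2: permissions are delegated only on OUs, so OUs are the only
    # objects that need to be walked. Subtree includes $SearchBase itself.
    $ous = Get-ADOrganizationalUnit -Filter * -SearchBase $SearchBase -SearchScope Subtree

    foreach ($ou in $ous) {
        $path = "AD:\$($ou.DistinguishedName)"
        $acl  = Get-Acl -Path $path
        # Match on SID so a renamed group is still found.
        $hits = @($acl.Access | Where-Object {
            try { $_.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]) -eq $sid }
            catch { $false }
        })
        foreach ($ace in $hits) {
            [pscustomobject]@{
                OU          = $ou.DistinguishedName
                Type        = $ace.AccessControlType
                Rights      = $ace.ActiveDirectoryRights
                ObjectType  = $ace.ObjectType          # attribute, class or extended-right GUID
                Inheritance = $ace.InheritanceType
                Inherited   = $ace.IsInherited         # the ID flag: set higher up, not here
            }
        }
        # Only explicit ACEs can be purged on this object; inherited ones vanish
        # once the explicit ACE on the parent OU is removed.
        $explicit = @($hits | Where-Object { -not $_.IsInherited })
        if ($Remove -and $explicit.Count -gt 0 -and
            $PSCmdlet.ShouldProcess($ou.DistinguishedName, "remove $($explicit.Count) ACE(s) for $Principal")) {
            $acl.PurgeAccessRules($sid)
            Set-Acl -Path $path -AclObject $acl
        }
    }
}

# Report first, then dry-run, then revoke.
$scope = 'OU=Product Development,OU=Business Units,DC=fabrikam,DC=com'
Revoke-OuDelegation -Principal 'FABRIKAM\Group Admins' -SearchBase $scope | Format-Table -AutoSize
Revoke-OuDelegation -Principal 'FABRIKAM\Group Admins' -SearchBase $scope -Remove -WhatIf
Revoke-OuDelegation -Principal 'FABRIKAM\Group Admins' -SearchBase $scope -Remove
```

Run the report before and after the revoke: if any row still shows Inherited = True, the grant was made on an OU above $SearchBase and the scope must be widened to the OU that carries the explicit ACE.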
Meeting Ad-Hoc Delegation
Requirements
Same approach as used for other roles
Create a logical role for ad hoc need
Identify all tasks that should map to role
Identify corresponding permissions
Update delegwiz.inf by adding template for role
Create a security group to represent role
Use Delegation wizard to implement the role
Add users to the security group to delegate role
Remove users from group when ad hoc need is met
Could revoke permissions & delete security group or
keep permissions & group for future re-use
Conclusion
Ability to manage Active Directory directly impacts ability to
accomplish business goals
Creating and implementing a secure and efficient delegation
model is key to successfully managing your Active Directory
deployment
Attributes of a good delegation model
Provides coverage for all Active Directory mgmt aspects
Meets unique autonomy & isolation requirements
Efficiently distributes and delegates admin responsibilities
Delegates admin responsibilities based on least privilege
Enables easy & reliable un-delegation of admin authority
Suggested Reading And Resources
Microsoft Windows Server 2003 TCP/IP Protocols and Services Technical Reference Kit
Active Directory for Microsoft Windows Server 2003 Technical Reference
© 2003 Microsoft Corporation. All rights reserved.
This presentation is for informational purposes only. MICROSOFT MAKES NO WARRANTIES, EXPRESS OR IMPLIED, IN THIS SUMMARY.
Appendix…

Role Definition Previews

Challenging Delegations
Preview of Role Definitions
To be covered in upcoming whitepaper
on delegation of administration …
Service Management Roles
Service Administrator Managers
Exclusively manage all service administrator groups
across the forest:
Creation, deletion & management of service admin
groups
Modification of service admin group memberships
Securing service admin groups, accounts &
workstations
Service Management Roles
Forest Configuration Operators
Exclusively manage all security-sensitive admin
operations that have forest-wide impact:
Creation and demotion of child domains
Creation, deletion and management of trusts
Creation, deletion and management of cross-references
Transfer and seizure of the forest-wide FSMO roles
Modification of forest-wide LDAP settings
Installation of Enterprise Certificate Authority (CA) in every
domain
Raising the forest functional level
Service Management Roles
Domain Configuration Operators
Exclusively manage all security-sensitive admin
operations that have domain-wide impact:
Addition and removal of replica Domain Controllers
Transfer and seizure of the domain-wide FSMO roles
Granting Replication related extended-rights
Protection and management of the default Domain
Controllers OU & the System & Builtin containers
Service Management Roles
Domain Controller Administrators
Exclusively manage all security-sensitive and
directory service configuration administrative
operations on Domain Controllers:
Installation and/or modification of software on DCs
Installation of service packs and hot-fixes on DCs
Configuration of directory service settings in registry
Maintenance and backup of event logs
Configuration of the Service Control Manager
Management of directory service files and SYSVOL
Shutting down the Domain Controller
Other security-sensitive operations
Service Management Roles
Schema Administrators
Exclusively manage Active Directory Schema
Creation of additional classes and attributes
Modification of existing schema definitions
Disabling / resurrecting existing classes / attributes
Specifying that an attribute be replicated to the Global
Catalog
Service Management Roles
Site and Subnet Administrators
Exclusively manage creation, association,
management and deletion of:
Sites
Subnets
Site-links
Site-link bridges
Service Management Roles
Replication Administrators
By design, Active Directory replication requires
minimal administrative intervention
Exclusively manage all administrative operations
involved in managing replication for a given site or a
given group of sites
Service Management Roles
Security Policy Administrators
Exclusively manage:
Domain Controller Security Policy for all domains
Following parts of Domain Security Policy
Password policy settings
Account Lockout settings
Kerberos Policy settings
Service Management Roles
DNS Administrators
Exclusively manage:
Installation & configuration of the DNS server
service on Domain Controllers
Creation & configuration of DNS zones
Ensuring coverage of service management categories
Category – Role
Installation management – Forest Configuration Operators & Domain Configuration Operators
Schema management – Schema Admins
Operations Master role management – Forest Configuration Operators & Domain Configuration Operators
LDAP Policy management – Forest Configuration Operators
Trust management – Forest Configuration Operators & Domain Configuration Operators
Replication management – Site Topology & Replication Admins
Backup & Restore management – Backup & Restore Admins
Directory Database management – Domain Controller Admins
Domain Controller management – Domain Controller Admins
Security Policy management – Security Policy Admins
Data Management Roles
Business Unit Admins & OU Admins
Business Unit Admins
Represent the business-unit data owners
Manage the following data administration operations :
Creation and deletion of business-unit OU structure
Delegation of specific data administration tasks to
appropriate data administrators & other stakeholders
Organizational Unit Admins
Optional Role
Business-unit admins may choose to grant full-control of
OUs within the business-unit sub-tree to OU admins
Can be delegated either specific admin operations or full control of an OU within the business-unit sub-tree
Data Management Roles
Security Group Admins & Account Admins
Security Group Admins
Create, delete and manage non-service admin
security groups
Account Admins
Create, delete & manage user accounts
Data Management Roles
Workstation Admins & Resource Admins
Workstation Admins
Manage domain member workstations
Create, delete and manage computer accounts
for workstations
Resource Admins
Create, delete and manage resources (e.g.
server farm, internal web-application etc.)
Data Management Roles
Help Desk Operators, Application-Specific Admins & Service Accounts
Help Desk Operators - Provide account support
for user and computer accounts
Password related administrative operations
Account lockout related administrative operations
Other operations (depending on support model)
Application-specific service admins & service
accounts
Responsible for creation, modification and deletion of
application specific data
Challenging Delegations
Challenging Delegations
Delegating User Account Operations
Specify when a user account expires
Grant Write-property (WP) to Account-Expires attribute
Enable / Disable a User account
Grant WP to User-Account-Control* attribute
Unlock a User account
Grant WP to Lockout-Time attribute
Reset a User’s password
Grant the Reset Password extended right
Force a User to change his password
Grant WP to the Pwd-Last-Set attribute
Challenging Delegations
Delegating ability to move objects
Aim – Delegate the ability to only be able to move
objects between two OUs
Permissions required to delegate operation
Delete Child in Source OU & Create Child in Target OU
Write property permissions to the attribute that is the RDN
attribute for the object class
Delegating this operation safely
Create an intermediate drop-off and pick-up OU
Grant source and target OU Admins required permissions
on the source, target & intermediate OUs
Challenging Delegations
Delegating ability to move objects
Source OU
  DACL: Allow Source OU Admin Delete Child
Intermediate (drop-off / pick-up) OU
  DACL: Allow Source OU Admin Create Child
        Allow Target OU Admin Delete Child
Target OU
  DACL: Allow Target OU Admin Create Child
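The following is an added example, not code from the deck, that sets up the intermediate drop-off OU pattern above with dsacls.exe so that Source OU Admins can only push user objects into the transfer OU and Target OU Admins can only pull them out. The NetBIOS domain FABRIKAM, the group names and all DNs are hypothetical. The deck says a move needs write-property on the object's RDN attribute; for the user class that is cn, and because a move also rewrites the name attribute the example grants both (the name grant is drawn from practice, not from the deck).

```powershell
# Added example: least-privilege move of user objects via a transfer OU.
# FABRIKAM, group names and DNs are hypothetical.
$src  = 'OU=Source,DC=fabrikam,DC=com'
$xfer = 'OU=Transfer,DC=fabrikam,DC=com'    # the drop-off / pick-up OU
$dst  = 'OU=Target,DC=fabrikam,DC=com'
$srcAdmins = 'FABRIKAM\Source OU Admins'
$dstAdmins = 'FABRIKAM\Target OU Admins'

# Create Child / Delete Child restricted to the user class (';user'), so the
# role cannot move groups, computers or OUs through the same path. Neither
# role gets Delete Child on the other side's OU, which is the whole point
# of the intermediate OU: Source admins never touch Target and vice versa.
dsacls $src  /G "${srcAdmins}:DC;user"
dsacls $xfer /G "${srcAdmins}:CC;user"
dsacls $xfer /G "${dstAdmins}:DC;user"
dsacls $dst  /G "${dstAdmins}:CC;user"

# The RDN is rewritten on the object being moved, so each role needs WP on
# cn (the user RDN attribute) and name for the users it moves *from*:
# Source admins on users under Source, Target admins on users under Transfer.
foreach ($attr in 'cn', 'name') {
    dsacls $src  /I:S /G "${srcAdmins}:WP;$attr;user"
    dsacls $xfer /I:S /G "${dstAdmins}:WP;$attr;user"
}

# Check the result from each side (run each line as a member of that role).
# As a Source OU Admin: succeeds; a move straight to $dst is denied.
Move-ADObject -Identity "CN=Joe,$src" -TargetPath $xfer
# As a Target OU Admin: succeeds; a move from $src is denied.
Move-ADObject -Identity "CN=Joe,$xfer" -TargetPath $dst
```

Note that nothing here grants either role any rights on Source or Target beyond create or delete of user objects; a Source admin cannot read or modify objects already in Target, and a Target admin cannot pull objects out of Source.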
Challenging Delegations
Delegating addition of replica DCs
Operational needs may necessitate delegating this operation
To delegate operation, grant the following permissions:
Extended rights on domain, schema & config partitions
Replicating Directory Changes, Replicating Directory Changes All, Manage Replication Topology &
Replication Synchronization
Additional extended right on domain partition
Add/Remove Replica In Domain
User Rights:
Enable computer and user accounts to be trusted for delegation
Permissions required:
Inheritable RP on CN=Servers, CN=<Site>, CN=Sites, CN=Configuration, DC=<forestRootDomain>
Inheritable CC on CN=Servers, CN=<Site>, CN=Sites, CN=Configuration, DC=<forestRootDomain>
Full Control to "Creator Owner" on CN=<Site>, CN=Sites, CN=Configuration, DC=<forestRootDomain>
NOTE: In all of the above, <Site> represents the site the DC will belong to
CC on OU=Domain Controllers, DC=<domain> to create Computer objects
Full Control on the Computer object for the server that is being DCPROMOed
User must be member of Administrators group on member server being DCPROMOed
NOTE: Microsoft highly recommends that this operation not be delegated, unless absolutely required
Other ACL Modification Tools
dsacls.exe
View or modify ACLs on directory objects
acldiag.exe
Determine whether a user has been assigned or denied access to
a directory object.
Reset ACLs to their default state
ldp.exe
Perform LDAP operations against Active Directory
Can be used to view ACLs on objects
adsiedit.exe
View all objects (and all attributes) in the directory
Modify objects and set ACLs on objects
NOTE: To Install the Windows 2000 Support Tools, refer to Microsoft Knowledge Base
Article - Q301423
Community Resources
http://www.microsoft.com/communities/default.mspx
Most Valuable Professional (MVP)
http://www.mvp.support.microsoft.com/
Newsgroups
Converse online with Microsoft Newsgroups, including Worldwide
http://www.microsoft.com/communities/newsgroups/default.mspx
User Groups
Meet and learn with your peers
http://www.microsoft.com/communities/usergroups/default.mspx