ADM314: Delegation of Administrative Tasks in Active Directory
Paul Reiner, Program Manager, Active Directory

Agenda
- Introduction
- Concepts
- Active Directory management
- Creating a delegation model
- Implementing a delegation model
- Maintaining a delegation model

Challenges in Managing an Active Directory Deployment
- An Active Directory deployment can span geographic and business-unit boundaries
- Participating business units may impose unique autonomy and isolation requirements
- Managing a large and dynamic AD deployment involves a large number of administrative operations
- Administrative responsibilities may need to be distributed amongst, and delegated to, regional admin groups

Successfully Managing Active Directory
- Familiarize yourself with Active Directory management concepts
- Create a delegation model to distribute admin responsibilities amongst the various admin groups
- Implement the delegation model such that:
  - Only delegated admins can perform the assigned tasks
  - Delegated admins can perform only the tasks they are assigned and explicitly delegated
  - Delegated responsibilities can be easily and reliably undelegated
- Maintain and update the delegation model as required

Delegation of Administration: Implementation Phases
- Planning phase: creating a delegation model
- Deployment phase: implementing the delegation model
- Operations phase: maintaining the delegation model

Section: Concepts

Delegation of Administration
- Delegation: the ability to distribute administrative tasks amongst administrative personnel and other stakeholders
- Benefits:
  - Enables secure and efficient distribution of administrative responsibilities
  - Enables decentralized administration
  - Provides the ability to independently manage parts of an organization
  - Decreases total cost of ownership
- Attributes of a good Active Directory delegation model:
  - Provides coverage for all aspects of Active Directory management
  - Meets unique autonomy and isolation requirements
  - Efficiently distributes admin responsibilities
  - Securely delegates admin responsibilities
  - Affords easy and reliable undelegation

Delegation of Administration in Active Directory
- Delegation defined: granting a controlled set of permissions to a less privileged user in order to delegate an administrative task
- Administrative tasks involve the creation, deletion, modification or verification of:
  - Configuration data stored in Active Directory (or in the registry and/or file system on Domain Controllers)
  - Domain and application data stored in Active Directory
- Delegating an administrative task therefore amounts to authorizing the ability to perform operations on data in Active Directory (or on the Domain Controllers that host it)

Active Directory Operations and Access Rights
- Standard permissions: permissions required to perform standard operations (e.g. Create Child, Delete Child, Read Property, Write Property)
- Extended rights: rights required for special Active Directory operations (e.g. the right to move FSMO roles)
- Validated writes: rights for specific operations that require validation before the modification is made (e.g. Add Self to Group)
- User rights: rights that specify the various ways in which a user can log on to a system (e.g. Interactive Logon, Logon as a Service)
- Privileges: rights to perform various system-related operations on a computer (e.g. Backup / Restore)

How Delegation Works in Active Directory
[Figure: Mary's user object (Name: Mary; SID: S-1-5-23456-94342-34680-1094; Department: Accounting; Password: *****) carries a DACL with the ACE "Allow Help-Desk Operators: Reset Password". John is a member of Help-Desk Operators.]
1. The user (Mary) needs her password to be reset
2. The user calls the help desk
3. The help-desk operator (John) has the delegated ability to reset passwords, through the ACE on Mary's object
4. The help-desk operator successfully resets the user's password

Delegation and Inheritance
[Figure: an ACE granted at the domain root with the Container Inherit (CI) flag is inherited (ID) by the Organizational Unit beneath it and by the user objects Joe and Mary inside that OU.]
- Domain root, DACL:
  - Allow; Authenticated Users; Read Permissions
  - Allow; Help Desk Operators; Reset Password (CI)
- Organizational Unit, DACL:
  - Allow; Authenticated Users; Read Permissions
  - Allow; Help Desk Operators; Reset Password (CI, ID)
- Joe and Mary (user objects in the OU), DACL:
  - Allow; Authenticated Users; Read Permissions
  - Allow; Help Desk Operators; Reset Password (CI, ID)
- CI = Container Inherit (the ACE propagates to child objects); ID = Inherited ACE (the ACE was received from the parent rather than set explicitly on the object)

Section: Active Directory management

Active Directory Management
- Service management: managing all aspects involved in ensuring secure and reliable delivery of the directory service across the enterprise
- Data management: managing all aspects of the content stored in, and protected by, the directory service across the enterprise

Active Directory Service Management
[Figure: a forest with the domains Partner.com, Fabrikam.com, NY.Fabrikam.com, Chicago.Fabrikam.com and Sunnyvale.Fabrikam.com, annotated with service-management concerns: LDAP policy, the schema, the Schema Master and Infrastructure Master FSMO roles, and the DNS infrastructure.]

Active Directory Service Management Categories
- Installation management
- Schema management
- Operations Master (FSMO) roles management
- LDAP policy management
- Trust management
- Replication management
- Backup and restore management
- Directory database file management
- Domain Controller management
- Security policy management
- DNS management

Active Directory Service Management Stakeholders: Service Owners
- Responsible for ensuring reliable and secure delivery of the directory service
- Create an administration (delegation) model for managing the service aspects of their deployment
- Delegate service administration to service administrators based on this model
- Delegate data management to data owners

Active Directory Service Management Stakeholders: Service Administrators
- Responsible for the day-to-day administrative tasks involved in maintaining and delivering the directory service
- Includes any group that can:
  - Legitimately change directory configuration settings
  - Install and/or remove Domain Controllers (DCs)
  - Install and/or modify software on DCs
  - Modify the membership of a service admin group

Active Directory Data Management
[Figure: examples of directory content, by object type. User: Name, Security Identifier (SID), Password, Office Location, Phone Number, Email Address, Email alias. Workstation and Server: Security Identifier (SID), Location, Department, Machine-Role, DNS Host-Name. Network Printer: Printer Name, Server Name, Location. Help-Desk group: Group Name, Group Members, Group Owner.]

Active Directory Data Management Categories
- Account management
- Workstation management
- Resource management
- Security group management
- Application-specific data management

Active Directory Data Management Stakeholders: Data Owners
- Delegated data management by the service owners
- Responsible for ensuring reliable and secure management of the content stored in the directory
- Create an administration (delegation) model for managing their data

Active Directory Data Management Stakeholders: Data Administrators
- Responsible for the day-to-day administrative tasks involved in managing the content stored in the directory or on computers joined to the directory
- Have no control over the configuration or delivery of the directory service
- Includes any group that can:
  - Control a subset of the data stored in domain partitions
  - Manage data stored on member computers joined to Active Directory

Isolation and Autonomy Requirements
- Autonomy: the ability of the administrators of an organization to independently (but not exclusively) manage:
  - All or part of service management (service autonomy)
  - All or part of data management (data autonomy)
- Isolation: the ability of the administrators of an organization to independently and exclusively manage service and data, preventing other administrators from:
  - Controlling or interfering with service management (service isolation)
  - Controlling or viewing a subset of data in the directory or on member computers joined to the directory (data isolation)

Addressing Autonomy and Isolation Requirements
- Create a separate forest for:
  - Service isolation
  - Data isolation
- Create a separate Organizational Unit for:
  - Data autonomy from non-service owners
- Details on design considerations: Active Directory Deployment Kit, Chapter 2 (www.microsoft.com/downloads; search on the keywords "Active Directory deployment kit")
- Note: within a single forest, true service autonomy is not possible, because the forest (not the domain) is the security boundary. Where service management must be independent of other administrators, use a separate forest (service isolation).

Delegation of Administration Whitepaper
- Contents:
  - Recommendations on delegating Active Directory administration
  - Administrative role definitions for delegating Active Directory administration
  - Administrative role to administrative task mappings
  - Precise permissions required to delegate all Active Directory administration tasks and to customize roles
- Release date: August 2003
- Release site: http://www.microsoft.com/ad

Section: Creating a delegation model

Creating a Delegation Model
- For each category (service and data management):
  1. Define logical roles to distribute admin tasks
  2. Ensure that every admin task is covered by a role
  3. Define the scope of admin authority for each role
  4. Document your role definitions
- Responsibility:
  - Service owners create a delegation model for service management
  - Service owners delegate data management to data owners
  - Data owners create a delegation model for data management
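Before roles and scopes are defined, the owner of a sub-tree needs to know what is already delegated there: every explicit ACE on every OU, who holds it, and what it applies to. The PowerShell below is an added example and not part of the original deck or of Microsoft's tooling. It walks all OUs under a scope and reports the non-inherited ACEs, resolving the object-type GUIDs back to schema and extended-right names so an entry reads as "WriteProperty lockoutTime on user" rather than two GUIDs. It assumes the ActiveDirectory module (RSAT) and its AD: drive; the scope DN and the list of default trustees to skip are assumptions, not values from the deck.

```powershell
# Added example, not part of the original deck. Inventory the explicit (non-inherited) ACEs on
# every OU under a scope so the current delegation state is known before roles are designed.
# Assumes the ActiveDirectory module (RSAT) and its AD: drive; the scope DN is a placeholder.
Import-Module ActiveDirectory

# Map schemaIDGUIDs (classes, attributes) and rightsGuids (extended rights) back to names,
# so an ACE reads "WriteProperty lockoutTime on user" instead of two raw GUIDs.
function Get-AdGuidMap {
    $rootDse = Get-ADRootDSE
    $map = @{}
    Get-ADObject -SearchBase $rootDse.schemaNamingContext -LDAPFilter '(schemaIDGUID=*)' `
        -Properties lDAPDisplayName, schemaIDGUID |
        ForEach-Object { $map[[guid]$_.schemaIDGUID] = $_.lDAPDisplayName }
    Get-ADObject -SearchBase "CN=Extended-Rights,$($rootDse.configurationNamingContext)" `
        -LDAPFilter '(rightsGuid=*)' -Properties displayName, rightsGuid |
        ForEach-Object { $map[[guid]$_.rightsGuid] = $_.displayName }
    $map
}

function Get-ExplicitOuDelegation {
    param(
        [Parameter(Mandatory)] [string] $SearchBase,
        # Trustees present in the default OU security descriptor; not delegations, so skipped.
        # Add your own domain's "<DOMAIN>\Domain Admins" here if you want it hidden as well.
        [string[]] $IgnoreTrustee = @('NT AUTHORITY\SYSTEM', 'NT AUTHORITY\Authenticated Users',
                                      'NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS',
                                      'BUILTIN\Administrators', 'BUILTIN\Account Operators',
                                      'BUILTIN\Print Operators',
                                      'BUILTIN\Pre-Windows 2000 Compatible Access', 'Everyone')
    )
    $names = Get-AdGuidMap
    $label = { param($g) if ($g -eq [guid]::Empty) { '(all)' } elseif ($names[$g]) { $names[$g] } else { "$g" } }

    # Subtree scope returns the base OU itself as well as every OU beneath it
    foreach ($ou in Get-ADOrganizationalUnit -Filter * -SearchBase $SearchBase -SearchScope Subtree) {
        $acl = Get-Acl -Path "AD:\$($ou.DistinguishedName)"
        foreach ($ace in $acl.Access) {
            if ($ace.IsInherited) { continue }                        # only ACEs set on this OU
            if ($IgnoreTrustee -contains $ace.IdentityReference.Value) { continue }
            [pscustomobject]@{
                OU          = $ou.DistinguishedName
                Trustee     = $ace.IdentityReference.Value
                Type        = $ace.AccessControlType                  # Allow / Deny
                Rights      = $ace.ActiveDirectoryRights              # e.g. CreateChild, WriteProperty, ExtendedRight
                ObjectType  = & $label $ace.ObjectType                # attribute, class or extended right
                AppliesTo   = & $label $ace.InheritedObjectType       # class the ACE is inherited onto
                Inheritance = $ace.InheritanceType                    # None / All / Descendents (the CI flag)
            }
        }
    }
}

# Usage: review on screen, then export as the documented baseline for the role model.
Get-ExplicitOuDelegation -SearchBase 'OU=Business Units,DC=fabrikam,DC=com' |
    Sort-Object OU, Trustee | Format-Table -AutoSize
Get-ExplicitOuDelegation -SearchBase 'OU=Business Units,DC=fabrikam,DC=com' |
    Export-Csv -NoTypeInformation -Path .\ou-delegations-baseline.csv
```

Anything the report lists that does not correspond to a documented role is either an undocumented delegation to fold into the model or a stale grant to revoke. Inherited ACEs are deliberately skipped: they were set higher up and will show on the OU where they were actually granted.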
Delegating Service Management
- Motivation: make service management more tractable
  - Distribute administrative responsibilities
  - Minimize use of Enterprise Admin and Domain Admin accounts
  - Minimize the risk of inadvertent damage resulting from a mistake by an admin logged on as Enterprise Admin or Domain Admin
- All service administrators should be highly and equally trusted

Active Directory Service Management Roles
- Service Administrator Managers
- Forest Configuration Operators
- Domain Configuration Operators
- Domain Controller Administrators
- Schema Administrators
- Backup Operators
- Restore Operators
- Site and Subnet Administrators
- Replication Administrators
- Security Policy Administrators
- DNS Administrators

Active Directory Data Management Roles
- Business Unit Admins
- Organizational Unit Admins
- Account Admins
- Workstation Admins
- Resource Admins
- Helpdesk Operators
- Security Group Admins
- Application-specific Admins
- Application-specific service accounts
- Roles for other stakeholders

Implementing and Maintaining Microsoft-Recommended Roles
- Refer to the upcoming whitepaper "Delegation of Administration in Active Directory" for more information
- A preview of the role definitions can be found in the Appendix

Section: Implementing a delegation model

Implementing the Delegation Model
- For each role (in each category):
  1. Identify the minimum set of permissions required to delegate the set of admin tasks mapped to the role
  2. Identify the scope of administrative authority
  3. Create one security group to represent every instance of a specific role (in some cases an existing security group may be used)
  4. Enable the role by granting the appropriate permissions to the corresponding security group
  5. Delegate the role by adding the delegated users to the security group representing the role

Implementing Delegation: Two Cardinal Rules
1. Use the security groups representing the roles solely for the purpose of delegating the role
2. Delegate permissions only on Organizational Units

The ACL Editor
- Graphical tool that can be used to modify permissions on Active Directory objects
- Using the ACL Editor: specifying permissions for specific properties
- Displaying filtered properties: Microsoft KB Article Q296490

The Delegation Wizard
- Graphical tool that can be used to delegate administrative tasks
- Driven by a customizable .inf file, delegwiz.inf
- Can be customized to create and delegate custom roles (Microsoft KB Article Q308404)
- Benefits:
  - Can be used to delegate custom roles and tasks
- Limitations:
  - Cannot be used to un-delegate a role or task
  - Re-running the wizard to delegate an updated role or task on the same scope results in duplicate ACEs
  - The delegwiz.inf file is a local file (customizations live on the administrator's machine, not in the directory)
- Recommendations:
  - Use the wizard for the initial deployment of the delegation model, by customizing it and using it to delegate roles
  - Use the wizard to delegate an updated role (refer to the Maintaining Delegation section for details)

Delegating Data Management at Fabrikam.com
- Single forest, multiple domain model; the example uses the Redmond domain
- Two business units: Product Development and Business Management
- Decentralized account management
- Decentralized resource management
- Centralized help desk
- Central stakeholder: Human Resources

Default OUs and Containers
- Domain root
  - Builtin
  - Domain Controllers
  - System
  - LostAndFound
  - ForeignSecurityPrincipals
  - Program Data
  - Users
  - Computers

Delegating Business Units
[Figure: beneath the default OUs and containers, a Business Units OU holds the Product Development and Business Management OUs; a Delegation OU holds the Product Development Admins and Business Management Admins groups.]
- Product Development OU, DACL: Allow Product Development Admins: Full Control
- Business Management OU, DACL: Allow Business Management Admins: Full Control
- Business Management Admins group (member: Joe), DACL: Allow Business Management Admins: Write Property to the member attribute

Implementing the Organizational Unit Structure
- Business Management
  - Accounts
  - Groups
    - Account Groups
    - Resource Groups
  - Resources
    - Workstations
    - Servers

Delegating Business-Unit-Specific Administrative Roles
- Account Admins:
  - Creation of user accounts: requires Create Child (CC) on the parent object
  - Deletion of user accounts: requires Delete Child (DC) on the parent object
  - Modification of all properties: requires Write Property (WP) on the object
- Security Group Admins:
  - Creation of security groups: requires Create Child (CC) on the parent object
  - Deletion of security groups: requires Delete Child (DC) on the parent object
  - Modification of group memberships: requires Write Property (WP) to the member attribute on the object
- Business Management delegation:
  - Accounts OU, DACL: Allow Account Admins: CC; DC; WP
  - Groups OU, DACL: Allow Group Admins: CC; DC, and Allow Group Admins: WP; member

Delegating Workstation Management
[Figure: the Groups OU holds Account Groups (NY Wkstn Admins) and Resource Groups (Workstation Admins, with member { NY Wkstn. Admins }); the Resources OU holds the Workstations OU.]
- Workstation Admins resource group, DACL: Allow Workstation Admins: WP to the member attribute
- Workstations OU, DACL: Allow Workstation Admins: Full Control on Computer objects
- Group Policy (Restricted Groups) applied to the Workstations OU: Workstation Admins memberOf Built-in Administrators, so the local Administrators group on every workstation contains Workstation Admins

Delegating Resource Management
[Figure: Resource Groups holds App X Resource Admins and App X Users; the Resources OU holds the App X Server Farm OU.]
- App X Resource Admins group, DACL: Allow App X Resource Admins: WP; member
- App X Users group, DACL: Allow App X Resource Admins: WP; member
- App X Server Farm OU, DACL: Allow App X Resource Admins: Full Control
- Group Policy (Restricted Groups) applied to the App X Server Farm OU: App X Resource Admins memberOf Built-in Administrators, so the local Administrators group on every App X server contains App X Resource Admins

Delegating the Help-Desk Role
- Centralized help desk; assigned tasks:
  - Unlock a user account
  - Reset a user's password
- Permissions required:
  - Unlock a user account: WP to the Lockout-Time attribute on user objects
  - Reset a user's password: the Reset Password extended right on user objects
- Implementation: the Help Desk Operators group sits in the Delegation OU alongside the business-unit owner groups; the ACEs are placed on the Business Units OU so that they are inherited by the user objects in both Product Development and Business Management. Business Units OU, DACL:
  - Allow Help Desk Operators: WP to Lockout-Time on User objects
  - Allow Help Desk Operators: extended right Reset Password on User objects

Delegating a Stakeholder Role
- Centralized Human Resources department; stakeholder requirement:
  - Specify a user's Manager
  - Specify a user's Title
  - Specify a user's Department
- Permissions required:
  - Specify a user's Manager: WP to the manager attribute on user objects
  - Specify a user's Title: WP to the title attribute on user objects
  - Specify a user's Department: WP to the department attribute on user objects
- Implementation: the Human Resources group sits in the Delegation OU; Business Units OU, DACL:
  - Allow Human Resources group: WP to manager on User objects
  - Allow Human Resources group: WP to title on User objects
  - Allow Human Resources group: WP to department on User objects

Section: Maintaining a delegation model

Maintaining Your Delegation Model
- For each category, you may need to:
  1. Modify and re-delegate existing roles
  2. Create and delegate customized roles
  3. Un-delegate existing roles
  4. Meet ad hoc delegation requirements

Modifying Existing Roles and Delegating Updated Roles
- Addition of a new task to a role:
  - Identify the permissions required to delegate the task
  - Add the associated permissions to the corresponding template in the delegwiz.inf file
- Removal of an existing task from an existing role:
  - Identify the permissions required to delegate the task
  - Revoke the associated permissions from the corresponding template in the delegwiz.inf file
- Then re-delegate the updated role:
  - Temporarily revoke all permissions granted to the security group representing the role (a script is preferred; the ACL Editor also works)
  - Use the Delegation Wizard to re-delegate the updated role
  - Revoking first matters: re-running the wizard over existing grants leaves duplicate ACEs, and a removed task would otherwise remain delegated through the old ACE

Un-Delegating Administration
- Un-delegating a user from a role: remove the user from the security group representing the role
  - E.g. to un-delegate Sara from the Account Admins role, remove Sara from the Account Admins security group
- Un-delegating a role: remove all permissions granted to the security group representing the role
  - E.g. to un-delegate the Group Admins role, revoke all permissions granted to the Group Admins security group
[Figure: Product Development delegation. The Account Admins group (members Joe and Sara) and the Group Admins group sit in the Delegation OU. The Groups OU DACL before un-delegation: Allow Group Admins CC; DC and Allow Group Admins WP; member. After the role is un-delegated, the Groups OU DACL carries no Group Admins ACEs.]

Removing Permissions
- Scenarios:
  - Need to un-delegate a role
  - Need to re-delegate a customized role
- Can use the ACL Editor or a script
- Using a script to remove permissions:
  - Takes as input a group or user
  - Walks through the DACLs of all OUs in a specified scope
  - Reports the existence of permissions for the group or user
  - Removes all permissions for the group or user from the DACLs of all OU objects in the specified scope
- New, soon-to-be-released command-line tool (dsrevoke)
  - TechEd attendees can download the tool from CommNet
  - Visit http://www.mymsevents.com/MyMSEvents/Search.aspx, search for session ADM314 and download dsrevoke.zip

Meeting Ad-Hoc Delegation Requirements
- Same approach as used for the other roles:
  - Create a logical role for the ad hoc need
  - Identify all tasks that should map to the role
  - Identify the corresponding permissions
  - Update delegwiz.inf by adding a template for the role
  - Create a security group to represent the role
  - Use the Delegation Wizard to implement the role
  - Add users to the security group to delegate the role
- Remove users from the group when the ad hoc need is met
  - Either revoke the permissions and delete the security group, or keep the permissions and the group for future re-use

Conclusion
- The ability to manage Active Directory directly impacts the ability to accomplish business goals
- Creating and implementing a secure and efficient delegation model is key to successfully managing your Active Directory deployment
- Attributes of a good delegation model:
  - Provides coverage for all Active Directory management aspects
  - Meets unique autonomy and isolation requirements
  - Efficiently distributes and delegates admin responsibilities
  - Delegates admin responsibilities based on least privilege
  - Enables easy and reliable un-delegation of admin authority

Suggested Reading and Resources
- Microsoft Windows Server 2003 TCP/IP Protocols and Services Technical Reference
- Active Directory for Microsoft Windows Server 2003 Technical Reference

© 2003 Microsoft Corporation. All rights reserved. This presentation is for informational purposes only. MICROSOFT MAKES NO WARRANTIES, EXPRESS OR IMPLIED, IN THIS SUMMARY.
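The Fabrikam walk-through above specifies the help-desk and Human Resources delegations as ACEs on the Business Units OU, and the maintenance section describes un-delegation as "walk the DACLs of all OUs in scope, report, remove". The PowerShell below is an added example, not code from the deck, from the Delegation Wizard or from dsrevoke: it grants those two roles as explicit, inherit-only ACEs restricted to user objects (so the Reset Password right does not also apply to computer or group objects), and revokes a role in the way the slides describe, with a report-only preview first. It assumes the ActiveDirectory module and that security groups with the sAMAccountNames Help Desk Operators and Human Resources exist; the OU DN and group names are placeholders taken from the walk-through. Attribute and extended-right GUIDs are looked up in the schema and configuration partitions at run time rather than hard-coded.

```powershell
# Added example, not part of the original deck. Implements the two Fabrikam delegations
# (Help Desk Operators and Human Resources on the Business Units OU) as explicit, inherit-only
# ACEs, and revokes a role the way the deck describes (walk the OUs in scope, report, remove).
# Assumes the ActiveDirectory module and that groups with these sAMAccountNames exist;
# OU and group names are placeholders taken from the walk-through.
Import-Module ActiveDirectory
$rootDse = Get-ADRootDSE

# schemaIDGUID of a class or attribute, looked up by lDAPDisplayName rather than hard-coded
function Get-SchemaGuid([string] $LdapDisplayName) {
    $o = Get-ADObject -SearchBase $rootDse.schemaNamingContext `
        -LDAPFilter "(lDAPDisplayName=$LdapDisplayName)" -Properties schemaIDGUID
    if (-not $o) { throw "schema object '$LdapDisplayName' not found" }
    [guid] $o.schemaIDGUID
}

# rightsGuid of a control access (extended) right, looked up by displayName
function Get-ExtendedRightGuid([string] $DisplayName) {
    $o = Get-ADObject -SearchBase "CN=Extended-Rights,$($rootDse.configurationNamingContext)" `
        -LDAPFilter "(displayName=$DisplayName)" -Properties rightsGuid
    if (-not $o) { throw "extended right '$DisplayName' not found" }
    [guid] $o.rightsGuid
}

# One ACE on $OuDn: Allow $Group $Rights on $ObjectType, inherit-only, onto descendant objects
# of class $ObjectClass. This is the "(CI)" ACE from the inheritance slide, restricted to a class,
# and it is placed on the OU only (cardinal rule 2).
function Grant-OuDelegation {
    param(
        [Parameter(Mandatory)] [string] $OuDn,
        [Parameter(Mandatory)] [string] $Group,
        [Parameter(Mandatory)] [string] $ObjectClass,
        [Parameter(Mandatory)] [System.DirectoryServices.ActiveDirectoryRights] $Rights,
        [Parameter(Mandatory)] [guid] $ObjectType
    )
    $sid  = (Get-ADGroup -Identity $Group).SID
    $path = "AD:\$OuDn"
    $acl  = Get-Acl -Path $path
    $ace  = New-Object System.DirectoryServices.ActiveDirectoryAccessRule($sid, $Rights,
        [System.Security.AccessControl.AccessControlType]::Allow, $ObjectType,
        [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents,
        (Get-SchemaGuid $ObjectClass))
    $acl.AddAccessRule($ace)
    Set-Acl -Path $path -AclObject $acl
}

# Un-delegate a role: report and remove every explicit ACE held by $Group on every OU in scope.
# With -WhatIf it only reports, which is the "report existence of permissions" step of the deck.
function Revoke-OuDelegation {
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory)] [string] $SearchBase, [Parameter(Mandatory)] [string] $Group)
    $sid = (Get-ADGroup -Identity $Group).SID
    foreach ($ou in Get-ADOrganizationalUnit -Filter * -SearchBase $SearchBase -SearchScope Subtree) {
        $path = "AD:\$($ou.DistinguishedName)"
        $acl  = Get-Acl -Path $path
        $held = @($acl.GetAccessRules($true, $false, [System.Security.Principal.SecurityIdentifier]) |
                  Where-Object { $_.IdentityReference -eq $sid })
        if ($held.Count -eq 0) { continue }
        foreach ($ace in $held) {
            Write-Output "$($ou.DistinguishedName): $($ace.AccessControlType) $($ace.ActiveDirectoryRights) $($ace.ObjectType)"
        }
        if ($PSCmdlet.ShouldProcess($ou.DistinguishedName, "remove $($held.Count) ACE(s) for $Group")) {
            $acl.RemoveAccess($sid, 'Allow')      # drops all explicit Allow ACEs for this SID
            $acl.RemoveAccess($sid, 'Deny')       # and any explicit Deny ACEs
            Set-Acl -Path $path -AclObject $acl
        }
    }
}

$scope = 'OU=Business Units,DC=fabrikam,DC=com'
# Help Desk Operators: unlock (WP lockoutTime) and reset password (extended right), on user objects only
Grant-OuDelegation -OuDn $scope -Group 'Help Desk Operators' -ObjectClass user `
    -Rights WriteProperty -ObjectType (Get-SchemaGuid lockoutTime)
Grant-OuDelegation -OuDn $scope -Group 'Help Desk Operators' -ObjectClass user `
    -Rights ExtendedRight -ObjectType (Get-ExtendedRightGuid 'Reset Password')
# Human Resources: manager, title and department on user objects
foreach ($attr in 'manager', 'title', 'department') {
    Grant-OuDelegation -OuDn $scope -Group 'Human Resources' -ObjectClass user `
        -Rights WriteProperty -ObjectType (Get-SchemaGuid $attr)
}
# Later, to un-delegate the Human Resources role: preview, then remove
Revoke-OuDelegation -SearchBase $scope -Group 'Human Resources' -WhatIf
Revoke-OuDelegation -SearchBase $scope -Group 'Human Resources'
```

Because every grant is made to the role group and never to an individual, un-delegating a person is still just a group-membership change; Revoke-OuDelegation is only needed when the role itself is retired or about to be re-delegated with a changed task list. The inherit-only ACE with an inherited-object-type of user is what makes "on User objects" in the slides precise: the same Reset Password right granted without the class restriction would also cover computer and managed service accounts beneath the OU.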
Appendix
- Role definition previews
- Challenging delegations

Preview of Role Definitions
- To be covered in the upcoming whitepaper on delegation of administration

Service Management Roles: Service Administrator Managers
- Exclusively manage all service administrator groups across the forest:
  - Creation, deletion and management of service admin groups
  - Modification of service admin group memberships
  - Securing service admin groups, accounts and workstations

Service Management Roles: Forest Configuration Operators
- Exclusively manage all security-sensitive admin operations that have forest-wide impact:
  - Creation and demotion of child domains
  - Creation, deletion and management of trusts
  - Creation, deletion and management of cross-references
  - Transfer and seizure of the forest-wide FSMO roles
  - Modification of forest-wide LDAP settings
  - Installation of an Enterprise Certificate Authority (CA) in every domain
  - Raising the forest functional level

Service Management Roles: Domain Configuration Operators
- Exclusively manage all security-sensitive admin operations that have domain-wide impact:
  - Addition and removal of replica Domain Controllers
  - Transfer and seizure of the domain-wide FSMO roles
  - Granting replication-related extended rights
  - Protection and management of the default Domain Controllers OU and the System and Builtin containers

Service Management Roles: Domain Controller Administrators
- Exclusively manage all security-sensitive and directory-service-configuration administrative operations on Domain Controllers:
  - Installation and/or modification of software on DCs
  - Installation of service packs and hot-fixes on DCs
  - Configuration of directory service settings in the registry
  - Maintenance and backup of event logs
  - Configuration of the Service Control Manager
  - Management of directory service files and SYSVOL
  - Shutting down the Domain Controller
  - Other security-sensitive operations

Service Management Roles: Schema Administrators
- Exclusively manage the Active Directory schema:
  - Creation of additional classes and attributes
  - Modification of existing schema definitions
  - Disabling / resurrecting existing classes and attributes
  - Specifying that an attribute be replicated to the Global Catalog

Service Management Roles: Site and Subnet Administrators
- Exclusively manage the creation, association, management and deletion of:
  - Sites
  - Subnets
  - Site links
  - Site-link bridges

Service Management Roles: Replication Administrators
- By design, Active Directory replication requires minimal administrative intervention
- Exclusively manage all administrative operations involved in managing replication for a given site or group of sites

Service Management Roles: Security Policy Administrators
- Exclusively manage:
  - The Domain Controller Security Policy for all domains
  - The following parts of the Domain Security Policy:
    - Password policy settings
    - Account lockout settings
    - Kerberos policy settings

Service Management Roles: DNS Administrators
- Exclusively manage:
  - Installation and configuration of the DNS server service on Domain Controllers
  - Creation and configuration of DNS zones

Ensuring Coverage of Service Management Categories
  Category                            Role
  Installation management             Forest Configuration Operators & Domain Configuration Operators
  Schema management                   Schema Admins
  Operations Master role management   Forest Configuration Operators & Domain Configuration Operators
  LDAP Policy management              Forest Configuration Operators
  Trust management                    Forest Configuration Operators & Domain Configuration Operators
  Replication management              Site Topology & Replication Admins
  Backup & Restore management         Backup & Restore Admins
  Directory Database management       Domain Controller Admins
  Domain Controller management        Domain Controller Admins
  Security Policy management          Security Policy Admins

Data Management Roles: Business Unit Admins and OU Admins
- Business Unit Admins
  - Represent the business-unit data owners
  - Manage the following data administration operations:
    - Creation and deletion of the business-unit OU structure
    - Delegation of specific data administration tasks to the appropriate data administrators and other stakeholders
- Organizational Unit Admins (optional role)
  - Business-unit admins may choose to grant full control of OUs within the business-unit sub-tree to OU admins
  - Can be delegated either specific admin operations or full control of an OU within the business-unit sub-tree

Data Management Roles: Security Group Admins and Account Admins
- Security Group Admins: create, delete and manage non-service-admin security groups
- Account Admins: create, delete and manage user accounts

Data Management Roles: Workstation Admins and Resource Admins
- Workstation Admins
  - Manage domain member workstations
  - Create, delete and manage computer accounts for workstations
- Resource Admins
  - Create, delete and manage resources (e.g. a server farm, an internal web application)

Data Management Roles: Help Desk Operators, Application-Specific Admins and Service Accounts
- Help Desk Operators: provide account support for user and computer accounts
  - Password-related administrative operations
  - Account-lockout-related administrative operations
  - Other operations (depending on the support model)
- Application-specific admins and service accounts
  - Responsible for the creation, modification and deletion of application-specific data

Challenging Delegations: Delegating User Account Operations
- Specify when a user account expires: grant Write Property (WP) to the Account-Expires attribute
- Enable / disable a user account: grant WP to the User-Account-Control attribute (note that this attribute also carries other security-relevant flags, such as "password not required" and the Kerberos delegation settings, so the grant is broader than enable/disable)
- Unlock a user account: grant WP to the Lockout-Time attribute
- Reset a user's password: grant the Reset Password extended right
- Force a user to change password at next logon: grant WP to the Pwd-Last-Set attribute

Challenging Delegations: Delegating the Ability to Move Objects
- Aim: delegate the ability to move objects only between two OUs
- Permissions required to delegate the operation:
  - Delete Child in the source OU and Create Child in the target OU
  - Write Property on the attribute that is the RDN attribute for the object class
- Delegating this operation safely:
  - Create an intermediate drop-off and pick-up OU
  - Grant the source and target OU admins the required permissions on the source, target and intermediate OUs
- Resulting DACLs:
  - Source OU: Allow Source OU Admin: Delete Child
  - Intermediate OU: Allow Source OU Admin: Create Child; Allow Target OU Admin: Delete Child
  - Target OU: Allow Target OU Admin: Create Child

Challenging Delegations: Delegating the Addition of Replica DCs
- Operational needs may necessitate delegating this operation
- To delegate the operation, grant the following:
  - Extended rights on the domain, schema and configuration partitions: Replicating Directory Changes, Replicating Directory Changes All, Manage Replication Topology and Replication Synchronization
  - An additional extended right on the domain partition: Add/Remove Replica In Domain
  - User right: Enable computer and user accounts to be trusted for delegation
  - Permissions in the site the new DC will belong to (<Site> below):
    - Inheritable RP on CN=Servers,CN=<Site>,CN=Sites,CN=Configuration,DC=<forestRootDomain>
    - Inheritable CC on CN=Servers,CN=<Site>,CN=Sites,CN=Configuration,DC=<forestRootDomain>
    - Full Control for "Creator Owner" on CN=<Site>,CN=Sites,CN=Configuration,DC=<forestRootDomain>
  - CC on OU=Domain Controllers,DC=<domain>, to create Computer objects
  - Full Control on the Computer object for the server being promoted with DCPROMO
  - The user must be a member of the local Administrators group on the member server being promoted
- NOTE: Microsoft highly recommends that this operation not be delegated unless absolutely required. The Replicating Directory Changes All right in particular lets its holder replicate the domain's password secrets, so this delegation is equivalent to granting access to every credential in the domain.

Other ACL Modification Tools
- dsacls.exe: view or modify ACLs on directory objects
- acldiag.exe: determine whether a user has been assigned or denied access to a directory object; reset ACLs to their default state
- ldp.exe: perform LDAP operations against Active Directory; can be used to view ACLs on objects
- adsiedit.exe: view all objects (and all attributes) in the directory; modify objects and set ACLs on objects
- NOTE: to install the Windows 2000 Support Tools, refer to Microsoft Knowledge Base Article Q301423

Community Resources
- http://www.microsoft.com/communities/default.mspx
- Most Valuable Professional (MVP): http://www.mvp.support.microsoft.com/
- Newsgroups: converse online with Microsoft newsgroups, including worldwide: http://www.microsoft.com/communities/newsgroups/default.mspx
- User Groups: meet and learn with your peers: http://www.microsoft.com/communities/usergroups/default.mspx
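The "Delegating the ability to move objects" slides in the appendix name three permissions (Delete Child on the source, Create Child on the target, Write Property on the RDN attribute) and recommend routing moves through an intermediate drop-off and pick-up OU. The PowerShell below is an added example, not code from the deck: it grants exactly those ACEs, restricted to the user object class, and applies the pattern twice so that the source business unit's admins can only drop users into the intermediate OU and the target business unit's admins can only pick them up from it. It assumes the ActiveDirectory module; the OU DNs (including the name of the intermediate OU) and the group names are placeholders modelled on the Fabrikam walk-through. The schema GUIDs for the user class and for cn, the RDN attribute of user objects, are looked up at run time.

```powershell
# Added example, not part of the original deck. Implements the "move objects between two OUs"
# delegation from the appendix with the minimum ACEs it names (Delete Child on the source,
# Create Child on the target, Write Property on the RDN attribute of the objects moved), and
# applies it twice through an intermediate drop-off/pick-up OU as the slides recommend.
# Assumes the ActiveDirectory module; OU and group names are placeholders from the walk-through.
Import-Module ActiveDirectory
$schemaNC = (Get-ADRootDSE).schemaNamingContext
# schemaIDGUID of the user class and of cn, the RDN attribute of user objects (looked up, not hard-coded)
$userGuid = [guid] (Get-ADObject -SearchBase $schemaNC -LDAPFilter '(lDAPDisplayName=user)' -Properties schemaIDGUID).schemaIDGUID
$cnGuid   = [guid] (Get-ADObject -SearchBase $schemaNC -LDAPFilter '(lDAPDisplayName=cn)' -Properties schemaIDGUID).schemaIDGUID

function Add-OuAce([string] $OuDn, [System.DirectoryServices.ActiveDirectoryAccessRule] $Ace) {
    $acl = Get-Acl -Path "AD:\$OuDn"
    $acl.AddAccessRule($Ace)
    Set-Acl -Path "AD:\$OuDn" -AclObject $acl
}

# Let $Group move user objects (and only user objects) out of $SourceOu into $TargetOu.
function Grant-MoveUsers([string] $SourceOu, [string] $TargetOu, [string] $Group) {
    $sid   = (Get-ADGroup -Identity $Group).SID
    $allow = [System.Security.AccessControl.AccessControlType]::Allow
    $self  = [System.DirectoryServices.ActiveDirectorySecurityInheritance]::None         # this OU only
    $desc  = [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents  # inherit-only

    # 1. Delete Child on the source OU, restricted to the user class
    Add-OuAce $SourceOu (New-Object System.DirectoryServices.ActiveDirectoryAccessRule($sid,
        [System.DirectoryServices.ActiveDirectoryRights]::DeleteChild, $allow, $userGuid, $self))
    # 2. Create Child on the target OU, restricted to the user class
    Add-OuAce $TargetOu (New-Object System.DirectoryServices.ActiveDirectoryAccessRule($sid,
        [System.DirectoryServices.ActiveDirectoryRights]::CreateChild, $allow, $userGuid, $self))
    # 3. Write Property on cn for user objects under the source OU: a move rewrites the object's RDN
    Add-OuAce $SourceOu (New-Object System.DirectoryServices.ActiveDirectoryAccessRule($sid,
        [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty, $allow, $cnGuid, $desc, $userGuid))
}

$source  = 'OU=Product Development,OU=Business Units,DC=fabrikam,DC=com'
$target  = 'OU=Business Management,OU=Business Units,DC=fabrikam,DC=com'
$dropOff = 'OU=Transfers,OU=Business Units,DC=fabrikam,DC=com'   # intermediate drop-off / pick-up OU

# Source OU admins may only move users into the drop-off OU; target OU admins may only pick them up
# from there. Neither group receives any right on the other business unit's OU.
Grant-MoveUsers -SourceOu $source  -TargetOu $dropOff -Group 'Product Development Admins'
Grant-MoveUsers -SourceOu $dropOff -TargetOu $target  -Group 'Business Management Admins'

# Inspect the result with the deck's own tool:
#   dsacls "OU=Transfers,OU=Business Units,DC=fabrikam,DC=com"
```

Restricting Create Child and Delete Child to the user class is what keeps this a "move users" delegation: an unrestricted Create Child on the target OU would also let the holder create groups, computers or nested OUs there. The intermediate OU is the control point; whoever owns it can audit what passes through and can apply a Group Policy or a different set of ACEs to objects while they wait to be picked up.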