Delegating the Administration of Windows Server 2008 Active Directory Domain Services

3/5/2008
This chapter from Windows Server 2008 Active Directory Resource Kit describes administrative delegation, starting with a discussion of the various types of tasks that might be delegated within an enterprise. Then it describes object access, the types of permissions that can be assigned to objects residing within the directory, and how to use these permissions for delegation of administration. Finally, the chapter provides information about auditing changes to objects residing within AD DS.

Active Directory Domain Services (AD DS) is typically deployed as a common directory service shared between various business divisions within an organization. Using a common directory service helps reduce the costs associated with maintaining the infrastructure, but introduces a number of other considerations:

  • How to manage users and resources independently between divisions when decentralized administration is required

  • Ensuring that administrators or users can only perform permitted tasks within their own business division

  • Ensuring that specific objects or information stored within the directory are only available to administrators with the appropriate permissions

These considerations can be addressed by a thorough understanding of how to delegate administrative tasks. Delegation involves a higher-level administrator granting permissions to other users to perform specific administrative tasks within the Active Directory structure. The Active Directory structure provides a hierarchical view of the directory service: first at the site and domain level, and then at the organizational unit (OU) level within a domain. This hierarchy provides powerful options for managing permissions and delegating administrative tasks at various levels throughout the logical infrastructure.


Active Directory Administration Tasks

Active Directory administration tasks typically fall into one of two categories—data management or service management. Data management tasks relate to the management of content that is stored within the Active Directory database. Service management tasks relate to the management of all aspects that are required to ensure a reliable and efficient delivery of the directory service throughout the enterprise.

Table 9-1 describes some of the tasks that are related to each of these categories.

Table 9-1 Active Directory Administration

Category: Data management

Tasks:

  • Account management—includes creating, maintaining, and removing user accounts

  • Security group management—includes creating security groups, provisioning security groups to grant access to network resources, managing memberships of security groups, and removing security groups

  • Resource management—includes all aspects of managing network resources such as end-user workstations, servers, and resources hosted on servers such as file shares or applications

  • Group Policy management—includes all aspects of creating, assigning, and removing Group Policy objects within the Active Directory structure

  • Application-specific data management—includes all aspects of managing Active Directory-integrated or enabled applications such as Microsoft Exchange Server

Category: Service management

Tasks:

  • Installation and trust management—includes aspects such as the creation and deletion of domains, the deployment of domain controllers, and the configuration of appropriate Active Directory functional levels

  • Domain controller and directory database management—includes aspects related to the management of domain controller hardware, database maintenance, and the application of service packs and security updates

  • Schema management—includes the extension or modification of the schema to support the deployment of Active Directory-enabled applications

  • Operations master roles management—includes tasks that ensure the proper assignment and configuration of operations master roles

  • Backup and restore management—includes all tasks related to performing regular backups of the directory database and restore procedures when required

  • Replication management—includes all tasks related to the creation, maintenance, and monitoring of the replication topology

  • Security policy management—includes all tasks related to the management of the default domain controller security policy and managing the password, account lockout, and Kerberos account policies

Delegating data and service management tasks within an organization requires an understanding of the administrative needs of all business units. This understanding ensures that the delegation model you choose provides a more effective, efficient, and secure networking environment. To deploy the delegation model, you need to understand Active Directory object permissions, delegation methods, and auditing. These concepts are discussed in the next few sections.
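The following PowerShell script is an added example, not code from the Resource Kit chapter, showing what OU-level delegation of the account management task from Table 9-1 looks like in practice: a higher-level administrator grants one group the right to create and delete user accounts beneath an OU and to reset their passwords, without granting any rights on the OU object itself or on other object classes. The OU distinguished name (OU=Sales,DC=contoso,DC=com) and the group name (CONTOSO\Sales-AccountAdmins) are assumed placeholders; the two GUIDs are the fixed schema identifiers for the user object class and the Reset Password control access right. It uses the .NET System.DirectoryServices types that ship with Windows Server 2008, so no additional module is required.

```powershell
# Added example: delegate account management on one OU to one group.
# Assumed names (replace with your own): the OU and the group below.
Add-Type -AssemblyName System.DirectoryServices

$ouPath    = "LDAP://OU=Sales,DC=contoso,DC=com"          # assumed OU
$groupName = New-Object System.Security.Principal.NTAccount("CONTOSO", "Sales-AccountAdmins")  # assumed group
$groupSid  = $groupName.Translate([System.Security.Principal.SecurityIdentifier])

# Fixed schema identifiers from the Active Directory schema:
$userClassGuid     = [Guid]"bf967aba-0de6-11d0-a285-00aa003049e2"  # schemaIDGUID of the 'user' class
$resetPasswordGuid = [Guid]"00299570-246d-11d0-a768-00aa006e0529"  # rightsGuid of 'Reset Password'

$ou = New-Object System.DirectoryServices.DirectoryEntry($ouPath)

# Rule 1: create and delete 'user' child objects in this OU and every OU beneath it.
# The object type GUID scopes the right to user objects only, so the group cannot
# create or delete groups, computers, or child OUs.
$createDeleteUsers = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $groupSid,
    ([System.DirectoryServices.ActiveDirectoryRights]::CreateChild -bor
     [System.DirectoryServices.ActiveDirectoryRights]::DeleteChild),
    [System.Security.AccessControl.AccessControlType]::Allow,
    $userClassGuid,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All)

# Rule 2: the 'Reset Password' extended right, inherited only by descendant user
# objects (Descendents + inherited object type), so it never applies to the OU itself.
$resetPasswords = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $groupSid,
    [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight,
    [System.Security.AccessControl.AccessControlType]::Allow,
    $resetPasswordGuid,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents,
    $userClassGuid)

$ou.ObjectSecurity.AddAccessRule($createDeleteUsers)
$ou.ObjectSecurity.AddAccessRule($resetPasswords)
$ou.CommitChanges()   # writes the updated DACL to the directory

# Read back the ACEs granted to the group so the result can be reviewed
# against the intended delegation before the change is considered done.
$ou.RefreshCache()
$ou.ObjectSecurity.GetAccessRules($true, $true, [System.Security.Principal.NTAccount]) |
    Where-Object { $_.IdentityReference.Value -like "*Sales-AccountAdmins" } |
    Select-Object IdentityReference, ActiveDirectoryRights, AccessControlType,
                  ObjectType, InheritanceType, InheritedObjectType |
    Format-Table -AutoSize
```

Run it as an account that already holds full control over the target OU. The read-back at the end is the part worth keeping in any delegation procedure: the rights a group actually holds are what the DACL says, not what the administrator intended, and listing them per object type and inheritance scope is how you confirm the delegated task stayed as narrow as Table 9-1 describes it.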