Delegating Administrative Tasks
This chapter has thus far discussed how to ensure the security of Active Directory objects. This has been in preparation for this section, which applies the security options to delegate administrative tasks. Because every object in Active Directory has an ACL, you can control administrative access down to any property on any object. This means that you can grant other Active Directory administrators very precise permissions so that they can perform only the tasks they need to do.
Although you can get extremely specific about delegating administrative permissions, you should maintain a balance between keeping things as simple as possible and meeting your security requirements. In most cases, delegating administrative permissions in Active Directory falls under one of the following scenarios:
Assigning full control of one OU This is a fairly common scenario when a company has multiple offices with local administrators in each office who need to manage all objects in the local office. This option also may be used for companies that have merged multiple resource domains into OUs in a single Active Directory domain. The former resource domain administrators can be given full control of all objects in their specific OU. Using this option means that you can almost completely decentralize the administration of your organization while still maintaining a single domain.
Assigning full control of specific objects in an OU This is a variation on the first scenario. In some cases, a company may have multiple offices, but local administrators should have permission to manage only specific objects in the office OU. For example, you may want to allow a local administrator to manage all user and group objects, but not computer objects. In a situation in which resource domains have become OUs, you may want OU administrators to manage all computer accounts and domain-local groups in their OU, but not to manage any user objects.
Assigning full control of specific objects in the entire domain Some companies have highly centralized user and group administration, in which only one group has permission to add and delete user and group accounts. In this scenario, this group can be given full control of user and group objects regardless of where the objects are located within the domain. This is also a fairly common scenario for a company with a centralized desktop and server administration group. The desktop team may be given full control of all computer objects in the domain.
Assigning rights to modify only some properties for objects In some cases, you may want to give an administrative group permission to manage a subset of properties on an object. For example, you may want to give an administrative group permission to reset passwords on all user accounts, but not to have any other administrative permissions. Or the Human Resources department may be given permission to modify the personal and public information on all user accounts in the domain, but not permission to create or delete user accounts.
It is possible to use all of these options, and any combination of these options, with Windows Server 2008 AD DS. As mentioned previously, one way to configure delegated permissions is by directly accessing the ACL for an object and configuring the permissions. The problem with this option is that it can get quite complex because of the number of options available and the real possibility of making a mistake.
To make this task easier, AD DS includes the Delegation Of Control Wizard. To use the Delegation Of Control Wizard, follow these steps:
Open the Active Directory Users And Computers administrative console and identify the parent object where you want to delegate control. In most cases, you will be delegating control at an OU level, but you can also delegate control at the domain or container level (for example, the Computers or Users container). Right-click the parent object and click Delegate Control. Click Next.
On the Users Or Groups page, add the users or groups to which you want to delegate control. Click Add to search Active Directory for the appropriate users or groups.
Next, select the tasks that you want to delegate. The interface (shown in Figure 9-13) enables you to select from a list of common tasks or to create a custom task to delegate.
Figure 9-13 Using the Delegation Of Control Wizard to select a common task or create a custom task to delegate.
If you choose to create a custom task, you can choose the type or types of objects to which you want to delegate administrative permissions. (Figure 9-14 shows the interface.)
Figure 9-14 Selecting the type of object or objects to which permissions will be delegated.
After you have selected the type of object to which to delegate permissions, you can choose what levels of permissions you want to apply to the object. You can choose full control over the object, or you can delegate permissions to specific properties. (The interface is shown in Figure 9-15.)
Figure 9-15 Selecting the specific permissions to delegate.
The Delegation Of Control Wizard makes it much easier to delegate control in a consistent manner than when configuring permissions through the ACL. However, the effect of either method is the same; that is, the ACL on the objects is modified to provide the appropriate level of access.