Delegating the Administration of Windows Server 2008 Active Directory Domain Services

3/5/2008

Contents

Active Directory Administration Tasks
Accessing Active Directory Objects
Active Directory Object Permissions
Delegating Administrative Tasks
Auditing the Use of Administrative Permissions
Tools for Delegated Administration
Planning for the Delegation of Administration
Summary
Additional Resources

Tools for Delegated Administration

AD DS provides powerful options for delegating administrative tasks and assigning only the precise permissions that users need to have to perform specific tasks. To complement this delegation, Windows Server 2008 also makes it easy to develop administrative tools that fit the user’s task. For example, if you delegate the right to reset passwords for a single OU, you can also provide a very simple administrative tool that can only be used to reset passwords in the specified OU. Windows Server 2008 provides the ability to create a customized view of the Microsoft Management Console (MMC) administrative snap-in in order to allow delegated administrators effective tools to complete their tasks.

Direct from the Source: Working with Third-Party Delegation Tools

Many customers use third-party products to perform delegation. These products usually provide a Web interface and allow administrators to develop custom Web views for daily administrative functions versus creating customized MMCs. When working with customers dealing with branch office scenarios, make sure you understand the business and branch office operational requirements in the event of an extended communications outage. If a customer has highly reliable communication links to the branch office, then this topic isn’t as much of a concern; however, for those customers who don’t have highly reliable communications, it is a subject that needs to be addressed.

In the event of a communications outage, you must understand what the branch office requires to continue to function. In the case of delegation, if the branch office needs to continue to function and system administrative actions still need to occur, but the Web interface required to perform some of these functions is unavailable because it is hosted from headquarters, how will the people at the branch office perform their jobs? If the third-party product instantiated the delegation model natively into Active Directory Users and Computers, then the same restrictions that applied through the Web interface would apply when using native tools. It is important that you, the trusted advisor, have an understanding of how third-party products interface and interact with Active Directory. Having this type of knowledge will allow you to advise and prepare your customers so they are still able to maintain operations when situations such as a communications outage occur.

Barry Hartman

Senior Consultant

Microsoft Consulting Services

Customizing the Microsoft Management Console

One option for developing an administrative tool is to create a customized MMC using one of the default snap-ins and then modify what the user can see in the MMC.

CAUTION

Simply creating the customized MMC does not grant or limit the user’s rights to perform administrative tasks. Before creating the customized administrative interface, you must first delegate the correct level of permissions. For example, if you give a user the right to create user accounts at a domain level, and then you create an MMC that only allows the user to view one OU, the user can still create user accounts in any OU in the domain. If the user loads the regular Active Directory Users And Computers administrative tool or sits down at another desk with a different MMC, the user will be able to create the account anywhere.

To create the customized MMC, open the Run dialog box and type mmc. This opens an empty MMC. From the File menu, add the appropriate Active Directory administrative tool snap-in. If you create a custom MMC using the Active Directory Users And Computers snap-in, you would then expand the domain and locate the container object where you have delegated permissions. In the left pane, right-click on the container object and select New Window From Here.

This opens a new window with just the container object and all child objects visible. You can then switch back to the window that displays the entire domain and close the window. Finally, save the administrative tool and provide it to the users, who will administer only the part of the domain that is visible in the MMC. The MMC can be provided to the user in a number of ways. For example, you may install the MMC on his or her desktop, or you may create a shortcut to the administrative tool on a network share.

To make sure that the administrators do not modify the custom MMC after you have given it to them, you can modify the MMC options by selecting Options from the File menu. You can configure the MMC to be saved in User Mode and modify the permissions on the MMC so that the end user cannot save any changes to the MMC. Figure 9-18 shows the interface. For full details on how to create customized MMCs, see Windows Help And Support.