Microsoft Windows Security Resource Kit

Designing the Delegation of Authority

Rather than granting all administrators the rights and permissions of Active Directory service administrators by making them members of the Domain Admins or other Active Directory service administrator security groups, as was commonly done in Windows NT domains, Active Directory enables you to place accounts and resources into OUs and delegate an appropriate level of authority over those objects to administrative staff. By doing this, you can create data management administrators who have autonomous or semiautonomous authority over Active Directory objects, domain member computers, and data. The simplest way to do this in Active Directory is to create OUs based on management requirements and to delegate authority over the OU (or objects in the OU) to specific data administrator security groups. Consequently, OUs are the primary management unit in Active Directory. By delegating limited control over objects in a domain, you can minimize the number of Active Directory service administrators while ensuring that data administrators have only the rights and permissions they require to complete their job tasks.

Delegation of administration allows you to create custom administrative security groups that administer the users, computers, or other objects in an OU, OU tree, or domain. To accomplish this, you must first design an effective OU structure. When designing an OU structure, consider three things: Group Policy, delegation of authority, and your organization s management model. Place all objects with similar administrative and security requirements in an OU or OU tree. Then create the custom security groups, and delegate administration of the OUs (or objects in OUs) to the appropriate groups. Windows 2000 offers granular control over the administrative tasks that can be delegated. On an OU, you can delegate authority over the following:

• The OU

• The OU and all child OUs

• Specific types of objects in the OU

• Specific attributes of specific objects in an OU

• Tasks that affect specific types of objects in an OU

You can delegate authority either by setting the permissions on the container by using the object s Security tab, by using command-line utilities such as Dsacls.exe, or by using the Delegation of Control Wizard in the Microsoft Management Console (MMC). The Delegation of Control Wizard might not expose all the permissions you want to modify on an object, so you might need to use the Security tab or even ADSIEdit from the Windows 2000 Support Tools to directly edit the DACL of the object. In some cases, you will need to make further modifications to Windows 2000 to delegate the necessary authority for example, when delegating the ability to unlock accounts.

When delegating authority to objects in Active Directory, you will need to consider how the administrators will manage the objects over which you have given them authority. Several administrative interfaces are available in Windows 2000:

• Server Console

  Performing local administration of a Windows 2000 environment while physically seated at a server is a significant security risk and should be avoided whenever possible. To log on locally to a domain controller, administrative staff must be granted the right to log on locally to the server.

• Terminal Services

  Consider utilizing Terminal Services in remote administration mode for administrative tasks, which requires that you delegate to the user performing the administration the right to connect to the server via a remote administration terminal session, as described in 253831, Remote Administration of Terminal Services by Non-Administrators Accounts . (You can access this article through the Microsoft Knowledge Base at http://support.microsoft.com.) Terminal Services is considered by the system to be an interactive logon, so its users will need the right to log on locally to the server. Because the system does not differentiate between a terminal services local logon and a physical local logon, you must ensure that your servers are secured against physical access by users who have been granted the right to log on locally to facilitate terminal session management.

• MMC

  You can install Windows 2000 Administrative Tools on any Windows 2000 computer by installing Adminpak.msi from the Windows 2000 Server CD or from the System32 directory on any Windows 2000 server installation. By installing these tools on the workstations of administrative staff, you provide them with the interfaces needed to remotely manage servers without granting them local logon rights on those servers. You can limit which MMC snap-ins the administrator can use by implementing the appropriate settings in Group Policy.