After a best practice model is developed for controlling access to an ISA server through role-based access control, the corresponding groups can then be created and delegated access to an ISA server.

Creating Active Directory Groups for Admin Access

If an Active Directory environment is utilized, creation of the Access Groups for delegation of ISA administration is straightforward. It is recommended to create three groups that correspond with the three levels of ISA Administration. To create a group, do the following:

NOTE

The following procedure illustrates the creation of AD groups in a Windows Server 2003 environment. The procedure is slightly different on a Windows 2000 server.

1. On an Active Directory domain controller, open Active Directory Users and Computers (ADUC) by clicking Start, All Programs, Administrative Tools, Active Directory Users and Computers.
2. In ADUC, drill down through the console tree and locate the Organizational Unit where the group is to be created. Right-click that OU (the default is the Users container, if no other OU has been specified) and select New, Group.
3. Enter a descriptive group name (with the same name entered into the pre-Windows 2000 field) and enter the group scope and type, similar to what is shown in Figure 16.1. For an access group, select Domain Local and Security and click Next.

   Figure 16.1. Creating an AD group for ISA administration.

4. If prompted, do not check the box to create an Exchange email address, and click Next.
5. Click Finish to create the group.
6. Add groups as necessary, using the concepts illustrated in the previous sections of this chapter as a guide.

Creating Local Server Users and Groups for Admin Access

On an ISA Server that is not a domain member, local users and groups can be created to serve the same purpose. To create local user accounts on the ISA server, do the following:

1. On the ISA Server, click Start, All Programs, Administrative Tools, Computer Management.
2. In the Computer Management console tree, click Local Users and Groups and expand to the Users folder.
3. Right-click the Users folder and select New User.
4. Enter a username, full name, description, and password, as shown in Figure 16.2. Do not select the option to change the password at next logon, and click Create to continue.

   Figure 16.2. Creating a local user account for ISA administration.

5. Enter any other users as necessary, using the same process.

After the user accounts have been created, groups can be created to control access to the ISA console. To create local groups on an ISA server, do the following:

1. On the ISA Server, click Start, All Programs, Administrative Tools, Computer Management.
2. In the Computer Management console tree, click Local Users and Groups and expand to the Groups folder.
3. Right-click the Groups folder and select New Group.
4. Enter a descriptive name for the group and a description. Click Add to add the local user or users created in the earlier steps, as shown in Figure 16.3.

   Figure 16.3. Adding a local ISA Group for Administrative access.

5. Add members and click Create when finished.
6. Repeat as necessary to create additional local groups.

Delegating Admin Access to ISA Server

After the proper groups have been created, they can be granted the proper administrative rights in ISA Server. To start this process, perform the following steps:

1. From the ISA Management Console, right-click the server name in the console tree and choose Administration Delegation.
2. Click Next at the wizard's welcome screen.
3. At the Delegate Control screen, click the Add button.
4. Use the Browse button to locate the group created earlier, such as COMPANYABC\AG-ISA-FullAdmins, select the role that matches the group, such as what is shown in Figure 16.4, and click OK.

   Figure 16.4. Delegating administrative roles in ISA.

5. Click Add again and follow the same process for any other groups that will be delegated access to the ISA Server. Eventually, after the proper groups have been added, the Delegate Control dialog box will look similar to Figure 16.5. Click Next to continue.

   Figure 16.5. Reviewing newly added administrative delegation roles.

6. Click Finish to end the wizard.
7. Click Apply and then click OK to save the changes to ISA.

After these procedures are complete, granting administrative access to an ISA Server is as straightforward as adding the proper user account into the appropriate group.
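
Because membership in these groups is now what grants access to the ISA console, it is worth comparing the actual members against an approved list. The following PowerShell is an added example, not part of the original text: it reads each delegated group through the ADSI WinNT provider and reports members that are unexpected or missing. The account names, the AG-ISA-Monitoring group and the $container value are assumptions, and PowerShell 2.0 or later is assumed to be installed.

```powershell
# Added example: audit ISA admin group membership against an approved list.
# Only AG-ISA-FullAdmins comes from the text; other names are constructed.

# Where the groups live: the domain's NetBIOS name for AD groups, or the
# ISA server's computer name for local groups on a non-domain server.
$container = 'COMPANYABC'

# Approved members per group (hypothetical accounts and second group).
$approved = @{
    'AG-ISA-FullAdmins' = @('COMPANYABC\jsmith', 'COMPANYABC\mjones')
    'AG-ISA-Monitoring' = @('COMPANYABC\helpdesk1')
}

function Get-GroupMemberNames {
    param([string]$Container, [string]$Group)
    $g = [ADSI]"WinNT://$Container/$Group,group"
    # Direct members only; a nested group is reported by its own name.
    foreach ($m in @($g.psbase.Invoke('Members'))) {
        # ADsPath is WinNT://DOMAIN/user or WinNT://WORKGROUP/HOST/user
        $path  = $m.GetType().InvokeMember('ADsPath', 'GetProperty', $null, $m, $null)
        $parts = ($path -replace '^WinNT://', '').Split('/')
        if ($parts.Count -ge 2) { "$($parts[-2])\$($parts[-1])" } else { $parts[-1] }
    }
}

function Compare-Membership {
    param([string[]]$Actual, [string[]]$Approved)
    # -notcontains compares case-insensitively, like Windows account names.
    New-Object PSObject -Property @{
        Unexpected = @($Actual   | Where-Object { $Approved -notcontains $_ })
        Missing    = @($Approved | Where-Object { $Actual   -notcontains $_ })
    }
}

foreach ($name in $approved.Keys) {
    try {
        $actual = @(Get-GroupMemberNames -Container $container -Group $name)
    } catch {
        Write-Warning "Could not read group ${name}: $($_.Exception.Message)"
        continue
    }
    $diff = Compare-Membership -Actual $actual -Approved $approved[$name]
    foreach ($u in $diff.Unexpected) { '{0}: unexpected member {1}' -f $name, $u }
    foreach ($u in $diff.Missing)    { '{0}: approved but absent {1}' -f $name, $u }
}
```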