AD instructor and author
Are the risks associated with the delegation of authority in Active Directory worth the operational efficiencies and cost savings? We asked Doug Paddock and Carol Miller, two of our most informed and opinionated contributors, to weigh in on the subject. In the first of this two-part series, Paddock and Miller discuss the politics of delegation: how do you choose users or groups of users to empower? Part two discusses security and training.
SearchWin2000: Why would a company want to give individual users or groups of users more authority, with or without Active Directory? Isn't that risky?
Paddock: In its courses, Microsoft is touting delegation of authority in Active Directory as a cost-saver. That's particularly apparent in such AD classes as Course 2154, "Implementing and administering Microsoft Windows 2000 directory services," and Course 1561, "Designing a Microsoft Windows 2000 directory services infrastructure." Also, the subject turns up again and again in Microsoft's articles on Windows 2000 total cost of ownership (TCO) and return on investment (ROI). I personally like delegating, but only to higher, more trained power users and help desk personnel. AD delegation is not for a conservative, low-risk company, but [it] might help a younger organization that is willing to invest in time and training.
Miller: You will get some increased operational efficiency by delegating control -- but there are serious risks involved. For example, if you delegate authority to your help desk to, let's say, modify a group policy object (GPO), you must make sure your help desk knows how group policies are connected to each other. Also, if someone on the help desk makes a change to a GPO, will he or she know how to document those changes and provide a systems audit trail? I would assume that in most cases, the answer to those questions would be 'probably not.'
SearchWin2000: Who should be making the delegation decisions in an organization?
Paddock: Management should always be involved in these decisions. Documented procedures for delegation of authority, including the rights to be granted and who may do so, must be created and adhered to. You must enlist input from all your major stakeholders, especially the IT department and security team. A full case -- from best scenario and savings to worst scenario and possible losses -- must be presented and balanced to find the optimal mix for a given organization.
Miller: Those who know the system and structure the best, and how to recover from errors, are the individuals that should make or break the case for delegation. Management may want control given to those who work at the help desk but, ultimately, it is the IT staff who will repair delegation problems and maintain consistency. Should you delegate authority to users who don't know how to fix consequential problems? I don't think so.
SearchWin2000: What are some limits to consider when you delegate authority?
Paddock: The degree of authority you are willing to delegate will depend on your staff's level of training and the risks you as a network administrator are willing to take. I would look very closely at my audit policies before I delegated anything. That will ensure that you have all bases covered in the event of abuse of trust or accidental misuse of privileges.
Miller: Administrators should always maintain the highest level of control. Should the need arise (financially or politically) to delegate authority to certain groups or individual users, I would strongly recommend that you document procedures and processes in order to maintain consistency throughout the AD structure.