Obviously, the ability to delegate administrative tasks to non-administrative level users is often beneficial. Being able to offload menial or low-level tasks to properly trained and eager (or conscripted) users is a bonus to any admin. However, there are numerous operations, tasks and functions that should never be delegated.
Delegating certain forest-level or domain-level capabilities to non-admin users can place your entire forest or domain at serious risk, including elevation of privileges and denial of service attacks. These risks can be realized through a user's direct malicious intent as well as through inadvertent mistakes. So, don't risk it. Keep the operations in the following two lists as privileges that only the elite administrators enjoy (or are at least held responsible for).
This is a list of forest-level operations that should never be delegated:
- Installing the enterprise CA
- Modifying forest LDAP policy settings
- Modifying the schema
- Managing forest-level operations master roles
- Managing site topology
- Managing crossRef objects
This is a list of domain-level operations that should never be delegated:
- Installation and removal of Active Directory
- Software installation on domain controllers
- Trust management
- Replication management
- Domain-level operations master role management
- Domain controller security policy changes
- Domain security policy changes
- Backup and restore operations
Overall, you should limit the scope of the operations and privileges you delegate to smaller OUs and to tasks that don't directly compromise the entire domain or forest, such as partial user management capability and file sharing management.
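To check whether any of the operations in the two lists have already been delegated, the following added example (not part of the original article) reads the ACLs on the directory objects that back several of them and reports every principal outside an expected admin set that holds write-type or extended rights. It assumes the RSAT ActiveDirectory module, English built-in group names, and an `$expected` list that you tune for your own forest.

```powershell
# Added example: audit write access on objects behind non-delegable operations.
Import-Module ActiveDirectory            # also provides the AD: drive
Add-Type -AssemblyName System.DirectoryServices

$root   = Get-ADRootDSE
$config = $root.configurationNamingContext
$domain = $root.defaultNamingContext

# Standard AD locations for the operations named in the lists above.
$targets = [ordered]@{
    'Schema'                = $root.schemaNamingContext
    'Site topology'         = "CN=Sites,$config"
    'crossRef objects'      = "CN=Partitions,$config"
    'Forest LDAP policy'    = "CN=Query-Policies,CN=Directory Service,CN=Windows NT,CN=Services,$config"
    'Domain root'           = $domain
    'Trust objects'         = "CN=System,$domain"
    'Domain controllers OU' = "OU=Domain Controllers,$domain"
}

# Assumption: principals that are expected to hold these rights (English names).
$expected = '\\(Domain Admins|Enterprise Admins|Schema Admins|Administrators|SYSTEM|ENTERPRISE DOMAIN CONTROLLERS)$'

# Rights that allow changing the object, its children, its ACL or its owner,
# plus extended rights (which include replication and role-transfer rights).
$writeRights = [System.DirectoryServices.ActiveDirectoryRights]'GenericAll, GenericWrite, WriteProperty, WriteDacl, WriteOwner, CreateChild, DeleteChild, Delete, DeleteTree, ExtendedRight'

$findings = foreach ($name in $targets.Keys) {
    $acl = Get-Acl -Path "AD:\$($targets[$name])"
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if (([int]$ace.ActiveDirectoryRights -band [int]$writeRights) -eq 0) { continue }
        if ($ace.IdentityReference.Value -match $expected) { continue }
        [pscustomobject]@{
            Operation = $name
            Principal = $ace.IdentityReference.Value
            Rights    = $ace.ActiveDirectoryRights
            Inherited = $ace.IsInherited
        }
    }
}

# Every row is a delegation to review, not necessarily a misconfiguration.
$findings | Sort-Object Operation, Principal | Format-Table -AutoSize -Wrap
```

Operations that are granted through user rights or group membership rather than directory ACLs, such as software installation on domain controllers and backup and restore, are not covered by this check.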
James Michael Stewart is a partner and researcher for ITinfopros, a technology-focused writing and training organization.
This was first published in June 2004