We investigated securing your domain controllers in Part 1 of this series on Active Directory security. Within that article, we exposed some major security vulnerabilities that may exist on your domain controllers and recommended some Group Policy settings to help mitigate the risk. For Part II of this article series, we investigate the delegated administration of the objects that reside within the database. The concept of delegating administration to Active Directory can be complex, but with proper design and planning, the delegation can be logical, secure and manageable.
What is delegation of administration?
Delegation of administration is an elaborate way of saying that permissions to AD objects are altered and configured to allow certain users administrative access. Active Directory objects, like files and folders, have Access Control Lists (ACLs), which are configured to restrict or allow access to the resource.
The process of delegating administration for the control of certain Active Directory objects is a new concept within Windows 2000/2003 Active Directory, which was not available in Windows NT. A common, yet important, example of delegation of administration would be when members of the help desk are given permission to reset passwords for domain user accounts.
Which Active Directory objects can be controlled?
Not all Active Directory objects make good candidates for delegating administration, and it is important to understand which ones can be controlled to design the placement of the objects within the Active Directory structure.
Here are the Active Directory objects and the common delegation tasks for each one:
User accounts -- User accounts are the most common objects to be controlled by delegation. Almost any task that is completed for a user account within Active Directory can be delegated. This includes their creation, modifications of every user property, resetting the passwords and account deletions.
Group accounts -- The groups within Active Directory include Universal, Global and Domain Local. The most common delegated task over these objects is controlling the membership within the group. Creation and deletion of group accounts is also commonly delegated.
Computer accounts -- A user joining his or her computer to the domain typically creates computer accounts. Active Directory allows every user to add 10 computers to the domain. Although there are plenty of tasks that need to be completed to secure computers, none of them are done with the computer account within Active Directory. Therefore, it is not common to delegate administration to these objects.
Circumstances for performing the delegation
Microsoft has built in a wizard that helps deploy permissions for some of the most common scenarios for delegation. The Delegation of Control Wizard, which is available at each level within the Active Directory structure, allows granular control over who can perform which duties to objects within Active Directory. Typically, the Wizard is used to control permissions over objects at the organization unit level.
To start the Wizard, right click on the appropriate organizational unit. You will see a Delegate Control menu option, which is where you will start the Wizard. The Wizard first asks you which group you want to delegate permissions to. This is key, in that the group does not need to reside within the organizational unit that is being delegated. Next, the Wizard provides a preset list of common delegations to choose from, including:
- Resetting user account passwords
- Creating and deleting user accounts
- Creating and deleting group accounts
- Modifying group membership
If the list of common delegation tasks is not enough, you can always customize delegations down to the object attribute level. This would include the highly granular control over user, group and computer objects that are located in Active Directory.
Active Directory provides an excellent means for administrators to delegate certain tasks to junior administrators and other reliable company employees. The concept of delegation works for both user and group controls. Delegation can be set down to the object properly level, even as granular as giving some users the ability to reset the password for other user accounts within the directory. Care must be taken when providing this delegation, as it can jeopardize the security of Active Directory.
About the author: Derek Melber, MCSE, MVP, and CISM, is the director of compliance solutions for DesktopStandard Corp. He has written the only books on auditing Windows security available at The Institute of Internal Auditors' bookstore and also wrote the Group Policy Guide for Microsoft Press -- the only book Microsoft has written on Group Policy. You can contact Melber at firstname.lastname@example.org.