This is Part II in a four-part series by expert Derek Melber on Active Directory network security.
We investigated the security of domain controllers in Part I of this series and exposed some glaring security vulnerabilities that might exist on your domain controllers. In Part II, we investigate the security of the Active Directory database and the objects that exist within it. The database can be protected while still allowing delegated administration of the objects it holds. Delegating administration in Active Directory can be complex, but with proper design and planning, the delegation can be logical, secure, and manageable.
What is delegation of administration?
Delegation of administration is an elaborate way to say that the permissions on Active Directory objects are altered and configured to grant certain users administrative access. Active Directory objects, like files and folders, have Access Control Lists (ACLs) that restrict or allow access to the resource.
Delegating administration over specific Active Directory objects is a new concept in Windows 2000/2003 Active Directory that was not available in Windows NT. A common, yet important, delegation is giving the members of the HelpDesk permission to reset passwords for domain user accounts.
Which Active Directory objects can be controlled?
It is important to understand which objects can be controlled in order to design the placement of objects within the Active Directory structure. Not all Active Directory objects make good candidates for delegated administration.
Here are the Active Directory objects and the common delegation tasks for them:
User accounts - User accounts are the most common objects to be controlled by delegation. Almost any task that is completed for a user account within Active Directory can be delegated. This includes their creation, modification of every user property, resetting the password, and deletion.
Group accounts - The groups that are included within Active Directory include Universal, Global, and Domain Local. The most common delegated task over these objects is controlling the membership within the group. Creation and deletion of group accounts is also commonly delegated.
Computer accounts - Computer accounts are typically created when a user joins his or her computer to the domain. Active Directory allows every user to add up to 10 computers to the domain. Although there are plenty of tasks that must be completed to secure computers, none of them are performed on the computer account within Active Directory. Therefore, it is not common to delegate administration of these objects.
Common delegation scenarios
Most medium to large Active Directory enterprises use delegation of administration. Some common scenarios that you might see include:
The members of the HelpDesk group can reset passwords for all users, except for the IT staff, HR employees, and executives.
Members of the HR managers group can change membership of all HR related groups.
Members of the HR staff group can modify the addresses and phone numbers for all employee user accounts.
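The three scenarios above, implemented as an added example written for this page (not code from the article or its author) with the Active Directory PowerShell module. The domain corp.example, the OUs Employees and HR Groups, and the groups HelpDesk, HR Managers and HR Staff are assumptions; the class, attribute and extended-right GUIDs are looked up from the schema and configuration partitions at run time rather than hard-coded.

```powershell
# Added example: delegating the three scenarios with the ActiveDirectory module.
# OU names, group names and the domain corp.example are assumptions.
Import-Module ActiveDirectory

# Look up the schemaIDGUID of a class or attribute by its lDAPDisplayName,
# so that no GUIDs have to be hard-coded.
function Get-SchemaGuid {
    param([Parameter(Mandatory)][string]$LdapDisplayName)
    $schemaNC = (Get-ADRootDSE).schemaNamingContext
    $obj = Get-ADObject -SearchBase $schemaNC -LDAPFilter "(lDAPDisplayName=$LdapDisplayName)" -Properties schemaIDGUID
    if (-not $obj) { throw "Schema object '$LdapDisplayName' not found" }
    return [guid]$obj.schemaIDGUID
}

# Look up the rightsGuid of a control access right (e.g. 'Reset Password')
# from the Extended-Rights container of the configuration partition.
function Get-ExtendedRightGuid {
    param([Parameter(Mandatory)][string]$DisplayName)
    $configNC = (Get-ADRootDSE).configurationNamingContext
    $obj = Get-ADObject -SearchBase "CN=Extended-Rights,$configNC" -LDAPFilter "(displayName=$DisplayName)" -Properties rightsGuid
    if (-not $obj) { throw "Extended right '$DisplayName' not found" }
    return [guid]$obj.rightsGuid
}

# Add one Allow ACE to an OU: $Rights on $ObjectGuid (an attribute or extended
# right; empty = all), inherited by child objects of class $InheritedObjectGuid.
function Add-DelegationAce {
    param(
        [Parameter(Mandatory)][string]$TargetDN,
        [Parameter(Mandatory)][string]$GroupSam,
        [Parameter(Mandatory)][System.DirectoryServices.ActiveDirectoryRights]$Rights,
        [guid]$ObjectGuid = [guid]::Empty,
        [guid]$InheritedObjectGuid = [guid]::Empty
    )
    $sid = (Get-ADGroup -Identity $GroupSam).SID
    $acl = Get-Acl -Path "AD:\$TargetDN"
    # 'Descendents' applies the ACE to child objects only, not to the OU itself.
    $ctorArgs = @($sid, $Rights, [System.Security.AccessControl.AccessControlType]::Allow,
                  $ObjectGuid, [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents,
                  $InheritedObjectGuid)
    $ace = New-Object -TypeName System.DirectoryServices.ActiveDirectoryAccessRule -ArgumentList $ctorArgs
    $acl.AddAccessRule($ace)
    Set-Acl -Path "AD:\$TargetDN" -AclObject $acl
}

# Assumed layout: ordinary staff live under OU=Employees; IT staff, HR employees
# and executives live in a separate OU that receives no delegation, which is how
# the "except for ..." part of the first scenario is enforced.
$employeesOU = 'OU=Employees,DC=corp,DC=example'
$hrGroupsOU  = 'OU=HR Groups,DC=corp,DC=example'

$userClass  = Get-SchemaGuid 'user'
$groupClass = Get-SchemaGuid 'group'

# Scenario 1: HelpDesk may reset passwords of user accounts under Employees.
Add-DelegationAce -TargetDN $employeesOU -GroupSam 'HelpDesk' -Rights ExtendedRight `
    -ObjectGuid (Get-ExtendedRightGuid 'Reset Password') -InheritedObjectGuid $userClass

# Scenario 2: HR Managers may change the membership of groups under HR Groups.
Add-DelegationAce -TargetDN $hrGroupsOU -GroupSam 'HR Managers' -Rights WriteProperty `
    -ObjectGuid (Get-SchemaGuid 'member') -InheritedObjectGuid $groupClass

# Scenario 3: HR Staff may edit the address and phone number of users under Employees.
foreach ($attr in 'streetAddress', 'telephoneNumber') {
    Add-DelegationAce -TargetDN $employeesOU -GroupSam 'HR Staff' -Rights WriteProperty `
        -ObjectGuid (Get-SchemaGuid $attr) -InheritedObjectGuid $userClass
}
```

Each ACE is scoped three ways: to one attribute or extended right, to one object class, and to the children of one OU. The exclusion in the first scenario is handled by placement rather than by Deny entries: accounts that must not be touched by the HelpDesk sit in an OU that is never delegated, which is the object-placement decision the previous section describes.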
Active Directory provides an excellent means for administrators to delegate certain tasks to junior administrators and other reliable company employees. Delegation works well for both user and group control. It can be set down to the object property level, even as granular as giving some users the ability to reset the password of other user accounts within the directory. Care must be taken when such delegation is granted, as it does loosen the security of Active Directory.
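Because delegation loosens the directory's default security, it is worth being able to list what has actually been delegated. The following audit script is an added example (not code from the article or its author) that uses the Active Directory module to report the explicit, non-inherited ACEs on every OU and container below a search base, translating object-type GUIDs back to names, and also reads ms-DS-MachineAccountQuota, the domain attribute behind the 10-computer limit mentioned under Computer accounts. The search base OU=Employees,DC=corp,DC=example is an assumption.

```powershell
# Added example: report delegated permissions below an OU. The search base is an assumption.
Import-Module ActiveDirectory

# Map GUID string -> name for every schema class/attribute and every extended
# right, so that ACEs can be reported by name instead of by GUID.
function Get-AdGuidNameMap {
    $rootDse = Get-ADRootDSE
    $map = @{}
    Get-ADObject -SearchBase $rootDse.schemaNamingContext -LDAPFilter '(schemaIDGUID=*)' `
        -Properties lDAPDisplayName, schemaIDGUID |
        ForEach-Object { $map[([guid]$_.schemaIDGUID).ToString()] = $_.lDAPDisplayName }
    Get-ADObject -SearchBase "CN=Extended-Rights,$($rootDse.configurationNamingContext)" `
        -LDAPFilter '(objectClass=controlAccessRight)' -Properties displayName, rightsGuid |
        ForEach-Object { $map[([guid]$_.rightsGuid).ToString()] = $_.displayName }
    return $map
}

function Resolve-AdGuidName([guid]$Guid, [hashtable]$Map) {
    if ($Guid -eq [guid]::Empty) { return '(all)' }
    $key = $Guid.ToString()
    if ($Map.ContainsKey($key)) { return $Map[$key] } else { return $key }
}

# List the explicit (non-inherited) ACEs on every OU/container below $SearchBase,
# skipping trustees that are present by default so delegated rights stand out.
function Get-AdDelegationReport {
    param(
        [Parameter(Mandatory)][string]$SearchBase,
        [string[]]$IgnoreTrustee = @(
            'NT AUTHORITY\SYSTEM', 'NT AUTHORITY\SELF', 'NT AUTHORITY\Authenticated Users',
            'NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS', 'BUILTIN\Administrators',
            'BUILTIN\Account Operators', 'BUILTIN\Print Operators',
            'BUILTIN\Pre-Windows 2000 Compatible Access', 'Everyone')
    )
    $names = Get-AdGuidNameMap
    $containers = Get-ADObject -SearchBase $SearchBase `
        -LDAPFilter '(|(objectClass=organizationalUnit)(objectClass=container))'
    foreach ($c in $containers) {
        $acl = Get-Acl -Path "AD:\$($c.DistinguishedName)"
        foreach ($ace in $acl.Access) {
            if ($ace.IsInherited) { continue }
            $trustee = $ace.IdentityReference.Value
            if ($IgnoreTrustee -contains $trustee) { continue }
            if ($trustee -like '*\Domain Admins' -or $trustee -like '*\Enterprise Admins') { continue }
            [pscustomobject]@{
                Object   = $c.DistinguishedName
                Trustee  = $trustee
                Type     = $ace.AccessControlType
                Rights   = $ace.ActiveDirectoryRights
                On       = Resolve-AdGuidName $ace.ObjectType $names          # attribute or extended right
                ForClass = Resolve-AdGuidName $ace.InheritedObjectType $names # object class the ACE applies to
            }
        }
    }
}

# Read the domain attribute that sets how many computers a user may join to the domain.
function Get-MachineAccountQuota {
    $domainDN = (Get-ADRootDSE).defaultNamingContext
    (Get-ADObject -Identity $domainDN -Properties 'ms-DS-MachineAccountQuota').'ms-DS-MachineAccountQuota'
}

# Usage (assumed OU):
Get-AdDelegationReport -SearchBase 'OU=Employees,DC=corp,DC=example' | Format-Table -AutoSize
"Machine account quota: $(Get-MachineAccountQuota)"
```

Run it from a domain-joined machine with the RSAT Active Directory module, and keep the output as a baseline: any trustee, right or object class that appears in a later run and was not deliberately delegated is worth investigating, since the same ACLs that grant the HelpDesk a password reset can grant it to anyone.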
Derek Melber, MCSE, MVP, and CISM, is the director of compliance solutions for DesktopStandard Corp. He has written the only books on auditing Windows security available at The Institute of Internal Auditors' bookstore and also wrote the Group Policy Guide for Microsoft Press -- the only book Microsoft has written on Group Policy. You can contact Melber at mailto:firstname.lastname@example.org.