As a best practice, the SANS Institute recommends securing your network by implementing the principle of least privilege. As a consultant I find it very common for organizations to simply add administrators to the Domain Admins security group in Active Directory. This is an acceptable practice for small organizations, or where a central administration model is used. However, in larger organizations it leads to chaos, a lack of accountability, and a real security risk: every member of Domain Admins can do anything to any object in the domain, so one compromised or careless account is enough to compromise the whole forest.
The Active Directory Users and Computers management console includes a Delegation of Control Wizard, which has been around since Windows 2000. The delegation wizard helps you grant an ordinary user (without super powers) the rights to perform specific administrative tasks such as resetting passwords or managing security group membership. So rather than adding a user to the Domain Admins group, you can grant users the bare minimum privilege they need to accomplish a specific administrative task, scoped to a specific OU. Under the hood the wizard simply writes access control entries (ACEs) to the OU's security descriptor, so anything it can do can also be done, and audited, directly on the OU's ACL.
Delegating administration is quite simple: open Active Directory Users and Computers, right-click on an OU and select Delegate Control. A great TechNet article to follow is the Step-by-Step Guide to Using the Delegation of Control Wizard.
The Big Disappointment
Walking through this wizard the first time, you may think, wow, this is great. Immediately you realize this would be great for my workstation technicians; I could allow them to manage Active Directory computer accounts. So you create your security group “Workstation Techs” and start the wizard a second time, only to realize there are only 11 tasks to delegate, none of which include computer accounts. Upgrading from a Windows Server 2003 to a Windows Server 2008 domain doesn’t add any additional functionality in this area. The delegation wizard now begins to look like a half-baked solution.
Finding a Solution
But wait, there is hope after all. The Delegation of Control Wizard’s task list is actually read from a text file located at C:\Windows\Inf\delegwiz.inf, and that file can be customized. So, if you replace the contents of your delegwiz.inf file with the contents in this article, Active Directory Delegation Wizard File, you will end up with 70 tasks that can be delegated. The Delegation of Control Wizard now becomes a very powerful and useful tool. Keep in mind that the customized file lives on each machine where you run the console, not in the directory itself, so every administrative workstation needs the same copy, and the wizard only ever adds ACEs; removing a delegation still means editing the OU’s security tab or its ACL directly.
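Because the wizard only writes ACEs, the computer-account delegation that the default task list lacks can be granted directly on the OU’s ACL, which also makes it scriptable and reviewable. The following PowerShell is an added example written for this page, not code from the original article or from the TechNet guide. It assumes a hypothetical domain example.com, an OU named “Workstations” and a group named “Workstation Techs”, and requires the ActiveDirectory RSAT module (the AD: PSDrive it provides) run by an account that can modify the OU’s security descriptor.

```powershell
# Added example (not from the original article): delegate computer-account
# management on one OU to a group by writing ACEs directly, which is what
# the Delegation of Control Wizard does behind the scenes.
# Hypothetical names: domain example.com, OU "Workstations", group "Workstation Techs".
Import-Module ActiveDirectory

$ouDN      = "OU=Workstations,DC=example,DC=com"
$groupName = "Workstation Techs"

# The ACE trustee must be a SID, not a name.
$group = Get-ADGroup -Identity $groupName
$sid   = New-Object System.Security.Principal.SecurityIdentifier $group.SID

# Look up the GUIDs needed for object-specific ACEs from the schema and
# configuration partitions instead of hard-coding them.
$rootDse  = Get-ADRootDSE
$computerClassGuid = [guid](Get-ADObject -SearchBase $rootDse.schemaNamingContext `
    -LDAPFilter "(&(objectClass=classSchema)(lDAPDisplayName=computer))" `
    -Properties schemaIDGUID).schemaIDGUID
$resetPwdGuid = [guid](Get-ADObject -SearchBase "CN=Extended-Rights,$($rootDse.configurationNamingContext)" `
    -LDAPFilter "(&(objectClass=controlAccessRight)(displayName=Reset Password))" `
    -Properties rightsGuid).rightsGuid

$allow   = [System.Security.AccessControl.AccessControlType]::Allow
$rights  = [System.DirectoryServices.ActiveDirectoryRights]
$inherit = [System.DirectoryServices.ActiveDirectorySecurityInheritance]

$acl = Get-Acl -Path "AD:\$ouDN"

# 1. Create and delete computer objects in this OU and its sub-OUs.
#    objectType = computer class, so the group cannot create users or groups here.
$acl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule -ArgumentList `
    $sid, ($rights::CreateChild -bor $rights::DeleteChild), $allow, $computerClassGuid, $inherit::All))

# 2. The "Reset Password" extended right, but only on descendant computer objects
#    (inheritedObjectType = computer), so it never applies to user accounts.
$acl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule -ArgumentList `
    $sid, $rights::ExtendedRight, $allow, $resetPwdGuid, $inherit::Descendents, $computerClassGuid))

# 3. Write all properties on descendant computer objects (description, location,
#    group membership, etc.). This mirrors the wizard's "manage" style task; for a
#    tighter grant, replace it with WriteProperty ACEs for specific attribute GUIDs.
$acl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule -ArgumentList `
    $sid, $rights::WriteProperty, $allow, $inherit::Descendents, $computerClassGuid))

Set-Acl -Path "AD:\$ouDN" -AclObject $acl

# Verification: show exactly which ACEs the group now holds on the OU.
# Review this output the same way you would review Domain Admins membership.
(Get-Acl -Path "AD:\$ouDN").Access |
    Where-Object { $_.IdentityReference.Value -like "*\$groupName" } |
    Select-Object IdentityReference, ActiveDirectoryRights, AccessControlType,
                  ObjectType, InheritanceType, InheritedObjectType |
    Format-Table -AutoSize
```

The verification step is the part the wizard never gives you: dumping the ACEs a group holds on an OU is how you audit, and later undo, a delegation. Note that none of these ACEs are granted on the OU object itself beyond CreateChild/DeleteChild, and the computer-class GUID on the ACEs is what keeps the technicians from touching user accounts stored in the same OU.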
Recently in our company we implemented an Active Directory management solution from ScriptLogic that includes a tool called Active Roles Server.
The tool is a perfect way to do role-based Active Directory administration. It’s also great for implementing access templates and automating user provisioning/de-provisioning.
Comment by Anthony Hartwell — June 25, 2008 @ 3:54 pm
Thanks for pointing out the 70 additional tasks that can easily be delegated via the Delegation Wizard – this is very helpful.
I spoke to guys at MCS and they recommended using the guidelines in Microsoft’s delegation paper to easily implement roles-based delegation natively in Active Directory itself. They pointed me to a helpful article on the benefits of delegating in AD itself, as opposed to using a 3rd party solution – http://www.activedirsec.com/delegation_benefits.html
Quest’s products seem to be expensive to buy, and seem to require maintaining additional hardware and securing those additional machines. I would rather delegate and undelegate in Active Directory itself, at no additional cost, and with the comfort of the security and reliability of Windows Server.
Let’s hope that Microsoft can deliver a roles-based solution in Active Directory itself in the next version.
Comment by John Mcintyre — June 9, 2009 @ 4:16 pm