Step 2 — Implement the Administrative Delegation Model for Contoso Service Management
Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2
The service administrators implement the service delegation model according to the following criteria:
Objective: Implement the service management delegation model
Stakeholders: Enterprise Admins
Approach: Implement each role instance according to the delegation model design document
Assumption: The three domains have been installed and are running
Out-of-Box Container Hierarchy for the Forest Root Domain
When the first domain controller is installed to create the forest root domain of the Contoso forest, the default set of containers shown in Figure 11 is created:
.gif "74c7e060-e7f5-49c6-8c91-d1be80d284c9")
Creating an OU to Store Security Groups That Represent Service Roles
To more easily manage the instances of the Business Unit Admins role, Contoso follows the recommendation to store all instances of the Business Unit Admins roles in one place. A member of the Enterprise Admins group creates an OU called Service Management in the forest root domain, as shown in Figure 12.
.gif "59710131-4708-4192-bd9f-d5a2e1532eeb")
Implementing the Service Administration Role Instances
Contoso implements the service administration role instances according to the service delegation model.
Implementing Forest Configuration Operators
A member of Enterprise Admins creates one instance of this role by carrying out the following steps.
To implement the Forest Configuration Operators role
In the concorp.contoso.com domain, create the following security group under the Service Management OU:
Group Name: Contoso Forest Config Ops.
Group Type: Universal if the forest root domain is in native mode, otherwise global. “Native mode” has the following meaning, depending on the operating system:
Windows Server 2003: the domain functional level is Windows 2000 native or Windows Server 2003.
Windows 2000: the domain mode is native.
Grant the following permissions to Contoso Forest Config Ops:
Note
The extended rights in these procedures are presented in common-name format, which you can use to script extended rights assignments. To manually assign extended rights, you can use Active Directory Users and Computers to assign rights on domain objects and use ADSI Edit to assign rights on objects in the configuration and schema containers. For the mapping of common names used below to display names that are used in the ADSI Edit UI, see Appendix D: Active Directory Extended Rights. To apply extended rights that are not found in the UI, use Dsacls.exe, which is available in Windows Support Tools.
Extended rights:
DS-Replication-Get-Changes on CN=Configuration,DC=concorp,DC=contoso,DC=com
DS-Replication-Get-Changes on CN=Schema,CN=Configuration,DC=concorp,DC=contoso,DC=com
DS-Replication-Get-Changes-All on CN=Configuration,DC=concorp,DC=contoso,DC=com
DS-Replication-Get-Changes-All on CN=Schema,CN=Configuration,DC=concorp,DC=contoso,DC=com
DS-Replication-Manage-Topology on CN=Configuration,DC=concorp,DC=contoso,DC=com
DS-Replication-Manage-Topology on CN=Schema,CN=Configuration,DC=concorp,DC=contoso,DC=com
DS-Replication-Monitor-Topology on CN=Configuration,DC=concorp,DC=contoso,DC=com
DS-Replication-Monitor-Topology on CN=Schema,CN=Configuration,DC=concorp,DC=contoso,DC=com
DS-Replication-Synchronize on CN=Configuration,DC=concorp,DC=contoso,DC=com
DS-Replication-Synchronize on CN=Schema,CN=Configuration,DC=concorp,DC=contoso,DC=com
Change-Schema-Master on CN=Schema,CN=Configuration,DC=concorp,DC=contoso,DC=com
Change-Domain-Master on CN=Partitions,CN=Configuration,DC=concorp,DC=contoso,DC=com
Permissions on CN=Sites,CN=Configuration,DC=concorp,DC=contoso,DC=com:
Inherit-only Full-Control permissions on all objects of class NTDS-Settings
Inherit-only Create Child permissions to be able to create and delete objects of class Server
Inherit-only Delete Child permissions to be able to delete objects of class NTDS-Settings
Inherit-only Delete Child permissions to be able to delete objects of class Server
Inheritable Full Control permissions on:
CN=Partitions,CN=Configuration,DC=concorp,DC=contoso,DC=com
CN=sites,CN=Configuration,DC=concorp,DC=contoso,DC=com
Property permissions Read-Property and Write-Property to the FSMO-Role-Owner property on the following objects:
CN=Schema,CN=Configuration,DC=concorp,DC=contoso,DC=com
CN=Partitions,CN=Configuration,DC=concorp,DC=contoso,DC=com
Property permissions Read-Property and Write-Property to the LDAP-Admin-Limits property on the following object:
- CN=Default Query Policy,CN=Query-Policies,CN=Directory Service,CN=Windows NT,CN=Services,CN=Configuration,DC=concorp,DC=contoso,DC=com
Property permissions Read-Property and Write-Property to the ms-DS-Behavior-Version property on the following objects:
- CN=Partitions,CN=Configuration,DC=concorp,DC=contoso,DC=com
Inheritable Full Control permissions on the following objects:
CN=System,DC=concorp,DC=contoso,DC=com
CN=System,DC=noam,DC=concorp,DC=contoso,DC=com
CN=System,DC=europe,DC=concorp,DC=contoso,DC=com
Note
If the forest root domain is not in native mode, universal groups are not available. In this case, create a new domain local group in each domain and grant that group the permissions specified earlier in this procedure. Then make the Contoso Forest Config Ops global group a member of these domain local groups.
Create Child permissions on the following OUs:
OU=Domain Controllers,DC=concorp,DC=contoso,DC=com
OU=Domain Controllers,DC=noam,DC=concorp,DC=contoso,DC=com
OU=Domain Controllers,DC=europe,DC=concorp,DC=contoso,DC=com
Grant the Creator Owner trustee Full Control on the following objects:
The computer object that represents the server that will be promoted to create a new domain.
CN=sites,CN=Configuration,DC=concorp,DC=contoso,DC=com
Add Contoso Forest Config Ops to the local Administrators group of any member server that is to be promoted to a Domain Controller.
Implementing Domain Configuration Operators
A member of Enterprise Admins creates three instances of this role, one for each domain, by performing the following steps.
To implement the Domain Configuration Operators role, forest root domain instance, for concorp.contoso.co
In the concorp.contoso.com domain, create the following security group under the Service Management OU:
Group Name: Contoso Root Dom Config Ops
Group Type: Universal if the forest root domain is in native mode, otherwise global. “Native mode” has the following meaning, depending on the operating system:
Windows Server 2003: the domain functional level is Windows 2000 native or Windows Server 2003.
Windows 2000: the domain mode is native.
Grant the following permissions to Contoso Root Dom Config Ops:
Extended rights:
DS-Install-Replica on DC=Contoso,DC=com
DS-Replication-Get-Changes on DC=contoso,DC=com
DS-Replication-Get-Changes on CN=Configuration,DC=concorp,DC=contoso,DC=com
DS-Replication-Get-Changes on CN=Schema,CN=Configuration,DC=concorp,DC=contoso,DC=com
DS-Replication-Get-Changes-All on DC=contoso,DC=com
DS-Replication-Get-Changes-All on CN=Configuration,DC=concorp,DC=contoso,DC=com
DS-Replication-Get-Changes-All on CN=Schema,CN=Configuration,DC=concorp,DC=contoso,DC=com
DS-Replication-Manage-Topology on DC=contoso,DC=com
DS-Replication-Manage-Topology on CN=Configuration,DC=concorp,DC=contoso,DC=com
DS-Replication-Manage-Topology on CN=Schema,CN=Configuration,DC=concorp,DC=contoso,DC=com
DS-Replication-Monitor-Topology on DC=contoso,DC=com
DS-Replication-Monitor-Topology on CN=Configuration,DC=concorp,DC=contoso,DC=com
DS-Replication-Monitor-Topology on CN=Schema,CN=Configuration,DC=concorp,DC=contoso,DC=com
DS-Replication-Synchronize on DC=contoso,DC=com
DS-Replication-Synchronize on CN=Configuration,DC=concorp,DC=contoso,DC=com
DS-Replication-Synchronize on CN=Schema,CN=Configuration,DC=concorp,DC=contoso,DC=com
Change-RID-Master on CN=RID Manager$,CN=System,DC=contoso,DC=com
Change-Infrastructure-Master on DC=contoso,DC=com
Change-PDC on DC=contoso,DC=com
Permissions on CN=Sites,CN=Configuration,DC=concorp,DC=contoso,DC=com:
Inherit-only Full-Control permissions on all objects of class NTDS-Settings
Inherit-only Create Child permissions to be able to create and delete objects of class Server
Inherit-only Delete Child permissions to be able to delete objects of class NTDS-Settings
Inherit-only Delete Child permissions to be able to delete objects of class Server
Inheritable Full Control permissions on:
CN=System,DC=contoso,DC=com
CN=System,DC=noam,DC=concorp,DC=contoso,DC=com
CN=System,DC=europe,DC=concorp,DC=contoso,DC=com
Note
If the forest root domain is not in native mode, universal groups are not available. In this case, create a new domain local group in each domain and grant that group the permissions specified earlier in this procedure. Then make the Contoso Root Dom Config Ops global group a member of these domain local groups.
Create Child permissions on:
OU=Domain Controllers,DC=contoso,DC=com
OU=Domain Controllers,DC=noam,DC=concorp,DC=contoso,DC=com
OU=Domain Controllers,DC=europe,DC=concorp,DC=contoso,DC=com
Note
If the forest root domain is not in native mode, universal groups are not available. In this case, create a new domain local group in each domain and grant that group the permissions specified earlier in this procedure. Then make the Contoso Root Dom Config Ops global group a member of these domain local groups.
Property permissions Read-Property and Write-Property to the FSMO-Role-Owner property on:
DC=concorp,DC=contoso,DC=com
CN=RID Manager$,CN=System,DC=concorp,DC=contoso,DC=com
CN=Infrastructure,DC=concorp,DC=contoso,DC=com
Grant the Creator Owner Trustee Full Control on:
The computer object that represents the server that will be promoted to create a new domain
CN=sites,CN=Configuration,DC=concorp,DC=contoso,DC=com
Grant the permission Enable computer and user accounts to be trusted for delegation by adding Contoso Root Dom Config Ops to the User Rights Assignment setting in Domain Controller Security Policy for concorp.contoso.com.
Prior to creating a new domain, add Contoso Root Dom Config Ops to the local Administrators group of the member server that is to be promoted to a domain controller.
To implement the Domain Configuration Operators role, NOAM.contoso.com domain instance
In the concorp.contoso.com domain, create the following security group under the Service Management OU:
Group Name: NOAM Dom Config Ops
Group Type: Universal if the forest root domain is in native mode, otherwise global
Grant the following permissions to NOAM Dom Config Ops:
Extended rights:
DS-Replication-Get-Changes on DC=noam,DC=concorp,DC=contoso,DC=com
DS-Replication-Get-Changes on CN=Configuration,DC=concorp,DC=contoso,DC=com
DS-Replication-Get-Changes on CN=Schema,CN=Configuration,DC=concorp,DC=contoso,DC=com
DS-Replication-Get-Changes-All on DC=noam,DC=concorp,DC=contoso,DC=com
DS-Replication-Get-Changes-All on CN=Configuration,DC=concorp,DC=contoso,DC=com
DS-Replication-Get-Changes-All on CN=Schema,CN=Configuration,DC=concorp,DC=contoso,DC=com
DS-Replication-Manage-Topology on DC=noam,DC=concorp,DC=contoso,DC=com
DS-Replication-Manage-Topology on CN=Configuration,DC=concorp,DC=contoso,DC=com
DS-Replication-Manage-Topology on CN=Schema,CN=Configuration,DC=concorp,DC=contoso,DC=com
DS-Replication-Monitor-Topology on DC=noam,DC=concorp,DC=contoso,DC=com
DS-Replication-Monitor-Topology on CN=Configuration,DC=concorp,DC=contoso,DC=com
DS-Replication-Monitor-Topology on CN=Schema,CN=Configuration,DC=concorp,DC=contoso,DC=com
DS-Replication-Synchronize on DC=noam,DC=concorp,DC=contoso,DC=com
DS-Replication-Synchronize on CN=Configuration,DC=concorp,DC=contoso,DC=com
DS-Replication-Synchronize on CN=Schema,CN=Configuration,DC=concorp,DC=contoso,DC=com”
Change-RID-Master on CN=RID Manager$,CN=System,DC=noam,DC=concorp,DC=contoso,DC=com
Change-Infrastructure-Master on DC=noam,DC=concorp,DC=contoso,DC=com
Change-PDC on DC=noam,DC=concorp,DC=contoso,DC=com
Permissions on CN=Sites,CN=Configuration,DC=concorp,DC=contoso,DC=com:
Inherit-only Full-Control permissions on all objects of class NTDS-Settings
Inherit-only Create Child permissions to be able to create and delete objects of class Server
Inherit-only Delete Child permissions to be able to delete objects of class NTDS-Settings
Inherit-only Delete Child permissions to be able to delete objects of class Server
Inheritable Full Control permissions on:
CN=System,DC=noam,DC=concorp,DC=contoso,DC=com
Note
If the forest root domain is not in native mode, universal groups are not available. In this case, create a new domain local group in each domain and grant that group the permissions specified earlier in this procedure. Then make the NOAM Dom Config Ops global group a member of these domain local groups.
Create Child permissions on:
OU=Domain Controllers,DC=noam,DC=concorp,DC=contoso,DC=com
Note
If the forest root domain is not in native mode, universal groups are not available. In this case, create a new domain local group in each domain and grant that group the permissions specified earlier in this procedure. Then make the NOAM Dom Config Ops global group a member of these domain local groups.
Property permissions Read-Property and Write-Property permissions to the FSMO-Role-Owner property on:
DC=noam,DC=concorp,DC=contoso,DC=com
CN=RID Manager$,CN=System,DC=noam,DC=concorp,DC=contoso.com
CN=Infrastructure,DC=noam,DC=concorp,DC=contoso,DC=com
Grant the Creator Owner trustee Full Control on:
The computer object that represents the server that will be promoted to create a new domain
CN=sites,CN=Configuration,DC=concorp,DC=contoso,DC=com
Grant the permission Enable computer and user accounts to be trusted for delegation by adding NOAM Dom Config Ops to the User Rights Assignment setting in Domain Controller Security Policy for the noam.concorp.contoso.com.
Prior to creating a new domain, add NOAM Dom Config Ops to the local Administrators group of the member server that is to be promoted to a domain controller.
To implement the Domain Configuration Operators role, Europe.contoso.com domain instance
In the concorp.contoso.com domain, create the following security group under the Service Management OU:
Group Name: EUROPE Dom Config Ops
Group Type: Universal if the forest root domain is in native mode, otherwise global
Grant the following permissions to EUROPE Dom Config Ops:
Extended rights:
DS-Replication-Get-Changes on DC=europe,DC=concorp,DC=contoso,DC=com
DS-Replication-Get-Changes on CN=Configuration,DC=concorp,DC=contoso,DC=com
DS-Replication-Get-Changes on CN=Schema,CN=Configuration,DC=concorp,DC=contoso,DC=com
DS-Replication-Get-Changes-All on DC=europe,DC=concorp,DC=contoso,DC=com
DS-Replication-Get-Changes-All on CN=Configuration,DC=concorp,DC=contoso,DC=com
DS-Replication-Get-Changes-All on CN=Schema,CN=Configuration,DC=concorp,DC=contoso,DC=com
DS-Replication-Manage-Topology on DC=europe,DC=concorp,DC=contoso,DC=com
DS-Replication-Manage-Topology on CN=Configuration,DC=concorp,DC=contoso,DC=com
DS-Replication-Manage-Topology on CN=Schema,CN=Configuration,DC=concorp,DC=contoso,DC=com
DS-Replication-Monitor-Topology on DC=europe,DC=concorp,DC=contoso,DC=com
DS-Replication-Monitor-Topology on CN=Configuration,DC=concorp,DC=contoso,DC=com
DS-Replication-Monitor-Topology on CN=Schema,CN=Configuration,DC=concorp,DC=contoso,DC=com
DS-Replication-Synchronize on DC=europe,DC=concorp,DC=contoso,DC=com
DS-Replication-Synchronize on CN=Configuration,DC=concorp,DC=contoso,DC=com
DS-Replication-Synchronize on CN=Schema,CN=Configuration,DC=concorp,DC=contoso,DC=com
Change-RID-Master on CN=RID Manager$,CN=System,DC=europe,DC=concorp,DC=contoso,DC=com
Change-Infrastructure-Master on DC=europe,DC=concorp,DC=contoso,DC=com
Change-PDC on DC=europe,DC=concorp,DC=contoso,DC=com
Permissions on CN=Sites,CN=Configuration,DC=concorp,DC=contoso,DC=com:
Inherit-only Full-Control permissions on all objects of class NTDS-Settings
Inherit-only Create Child permissions to be able to create and delete objects of class Server
Inherit-only Delete Child permissions to be able to delete objects of class NTDS-Settings
Inherit-only Delete Child permissions to be able to delete objects of class Server
Inheritable Full Control permissions on:
CN=System,DC=europe,DC=concorp,DC=contoso,DC=com
Note
If the forest root domain is not in native mode, universal groups are not available. In this case, create a new domain local group in each domain and grant that group the permissions specified earlier in this procedure. Then make the EUROPE Dom Config Ops global group a member of these domain local groups.
Create Child permissions on:
OU=Domain Controllers,DC=europe,DC=concorp,DC=contoso,DC=com
Note
If the forest root domain is not in native mode, universal groups are not available. In this case, create a new domain local group in each domain and grant that group the permissions specified earlier in this procedure. Then make the EUROPE Dom Config Ops global group a member of these domain local groups.
Property permissions Read-Property and Write-Property permissions to the FSMO-Role-Owner property on:
DC=europe,DC=concorp,DC=contoso,DC=com
CN=RID Manager$,CN=System,DC=europe,DC=concorp,DC=contoso.com
CN=Infrastructure,DC=europe,DC=concorp,DC=contoso,DC=com
Grant the Creator Owner trustee Full Control on:
The computer object that represents the server that will be promoted to create a new domain
CN=sites,CN=Configuration,DC=concorp,DC=contoso,DC=com
Grant Enable computer and user accounts to be trusted for delegation by adding EUROPE Dom Config Ops to the User Rights Assignment setting in Domain Controller Security Policy for the europe.concorp.contoso.com.
Prior to creating a new domain, add EUROPE Dom Config Ops to the local Administrators group of the member server that is to be promoted to a domain controller.
Implementing Schema Admins
A member of Enterprise Admins creates one instance of this role.
To implement the Schema Admins role
- Move the default security group Schema Admins from its default location in the Users container to the Service Management OU. By default, the Schema Admins group has sufficient permissions to manage the Active Directory schema.
Implementing Replication Management Admins
A member of Enterprise Admins creates one instance of this role.
To implement the Replication Management Admins role
In the concorp.contoso.com domain, create the following security group under the Service Management OU:
Group Name: Contoso Repl Mgmt Admins
Group Type: Universal if the forest root domain is in native mode, otherwise global. “Native mode” has the following meaning, depending on the operating system:
Windows Server 2003: the domain functional level is Windows 2000 native or Windows Server 2003.
Windows 2000: the domain mode is native.
Grant the following permissions to Contoso Repl Mgmt Admins:
Extended rights:
DS-Replication-Manage-Topology on DC=concorp,DC=contoso,DC=com
DS-Replication-Manage-Topology on DC=noam,DC=concorp,DC=contoso,DC=com
DS-Replication-Manage-Topology on DC=europe,DC=concorp,DC=contoso,DC=com
DS-Replication-Manage-Topology on CN=Configuration,DC=concorp,DC=contoso,DC=com
DS-Replication-Manage-Topology on CN=Schema,CN=Configuration,DC=concorp,DC=contoso,DC=com
DS-Replication-Monitor-Topology on DC=concorp,DC=contoso,DC=com
DS-Replication-Monitor-Topology on DC=noam,DC=concorp,DC=contoso,DC=com
DS-Replication-Monitor-Topology on DC=europe,DC=concorp,DC=contoso,DC=com
DS-Replication-Monitor-Topology on CN=Configuration,DC=concorp,DC=contoso,DC=com
DS-Replication-Monitor-Topology on CN=Schema,CN=Configuration,DC=concorp,DC=contoso,DC=com
Full Control permissions on CN=Sites,CN=Configuration,DC=concorp,DC=contoso,DC=com:
Implementing Replication Monitoring Operators
A member of Enterprise Admins creates one instance of this role.
To implement the Replication Monitoring Operators role
In the concorp.contoso.com domain, create the following security group under the Service Management OU:
Group Name: Contoso Repl Monitoring Ops
Group Type: Universal if the forest root domain is in native mode, otherwise global. “Native mode” has the following meaning, depending on the operating system:
Windows Server 2003: the domain functional level is Windows 2000 native or Windows Server 2003.
Windows 2000: the domain mode is native.
Grant the following permissions to Contoso Repl Monitoring Ops:
Extended rights:
DS-Replication-Monitor-Topology on DC=concorp,DC=contoso,DC=com
DS-Replication-Monitor-Topology on DC=noam,DC=concorp,DC=concorp,DC=contoso,DC=com
DS-Replication-Monitor-Topology on DC=europe,DC=concorp,DC=contoso,DC=com
DS-Replication-Monitor-Topology on CN=Configuration,DC=concorp,DC=contoso,DC=com
DS-Replication-Monitor-Topology on CN=Schema,CN=Configuration,DC=concorp,DC=contoso,DC=com
Note
If your Active Directory environment is a Windows 2000 environment, the Replication-Monitor-Topology extended right is not available. In this case, grant the Replication-Manage-Topology extended right on all of the objects specified in the preceding step.
Full Control permissions on CN=Sites,CN=Configuration,DC=concorp,DC=contoso,DC=com:
Implementing DNS Admins
A member of Enterprise Admins creates four instances of this role, as follows:
Contoso Forest DNS Admins for the entire forest
Contoso DNS Admins for the concorp.contoso.com domain
NOAM DNS Admins for the noam.concorp.contoso.com domain
Europe DNS Admins for the europe.concorp.contoso.com domain
To implement the DNS Admins role, Concorp instance
First the domain instances are implemented, and then the forest root instance, which must be added to the security groups for each domain instance.
In the concorp.contoso.com domain, create the following security group under the Service Management OU:
Group Name: Concorp DNS Admins
Group Type: Universal if the forest root domain is in native mode, otherwise global. “Native mode” has the following meaning, depending on the operating system:
Windows Server 2003: the domain functional level is Windows 2000 native or higher.
Windows 2000: the domain mode is native.
Grant the following permissions to Concorp DNS Admins:
Full Control on CN=MicrosoftDNS,CN=System,DC=concorp,DC=contoso,DC=com
Full Control on CN=MicrosoftDNS,DC=DomainDnsZones,DC=concorp,DC=contoso,DC=com
To implement the DNS Admins role, NOAM DNS Admins instance
In the concorp.contoso.com domain, create the following security group under the Service Management OU:
Group Name: NOAM DNS Admins
Group Type: Universal if the forest root domain is in native mode, otherwise global
Grant the following permissions to NOAM DNS Admins:
Full Control on CN=MicrosoftDNS,CN=System,DC=noam,DC=concorp,DC=contoso,DC=com
Full Control over CN=MicrosoftDNS,DC=DomainDnsZones,DC=noam,DC=concorp,DC=contoso,DC=com
To implement the DNS Admins role, Europe instance
In the concorp.contoso.com domain, create the following security group under the Service Management OU:
Group Name: Europe DNS Admins
Group Type: Universal if the forest root domain is in native mode, otherwise global
Grant the following permissions to Europe DNS Admins:
Full Control on CN=MicrosoftDNS,CN=System,DC=europe,DC=concorp,DC=contoso,DC=com
Full Control over CN=MicrosoftDNS,DC=DomainDnsZones,DC=europe,DC=concorp,DC=contoso, DC=com
To implement the DNS Admins role, Contoso Forest instance
In the concorp.contoso.com domain, create the following security group under the Service Management OU:
Group Name: Contoso Forest DNS Admins
Group Type: Universal if the forest root domain is in native mode, otherwise global
Add the Contoso Forest DNS Admins group to the following groups:
Concorp DNS Admins
NOAM DNS Admins
Europe DNS Admins
Grant the following permissions to Contoso Forest DNS Admins:
- Full Control on CN=MicrosoftDNS,DC=ForestDnsZones,DC=concorp,DC=contoso,DC=com
Implementing Security Policy Admins
A member of Enterprise Admins creates one instance of this role.
To implement the Security Policy Admins role
In the concorp.contoso.com domain, create the following security group under the Service Management OU:
Group Name: Contoso Sec Pol Admins
Group Type: Universal if the forest root domain is in native mode, otherwise global. “Native mode” has the following meaning, depending on the operating system:
Windows Server 2003: the domain functional level is Windows 2000 native or higher.
Windows 2000: the domain mode is native.
Grant the following permissions to Contoso Sec Pol Admins on each of the following objects:
Objects:
DC=concorp,DC=contoso,DC=com
DC=noam,DC=concorp,DC=contoso,DC=com
DC=europeDC=concorp,DC=contoso,DC=com
OU=Domain Controllers,DC=concorp,DC=contoso,DC=com
OU=Domain Controllers,DC=noam,DC=concorp,DC=contoso,DC=com
OU=Domain Controllers,DC=europe,DC=concorp,DC=contoso,DC=com
Permissions:
Read-property permissions to read the GP-Link property
Write-property permissions to read the GP-Link property
Read-property permissions to read the GP-Options property
Write-property permissions to read the GP-Options property
In the properties page for the Domain Controllers OU in each domain, on the Group Policy tab, select the Default Domain Controllers GPO and on the Security tab, grant Full Control to Contoso Sec Pol Admins.
Implementing Service Admin Managers
A member of Enterprise Admins creates one instance of this role.
To implement the Service Admin Managers role
In the concorp.contoso.com domain, create the following security group under the Service Management OU:
Group Name: Contoso Srvc Admin Managers
Group Type: Universal if the forest root domain is in native mode, otherwise global. “Native mode” has the following meaning, depending on the operating system:
Windows Server 2003: the domain functional level is Windows 2000 native or higher.
Windows 2000: the domain mode is native.
In each domain in the forest, modify permissions on the object CN=AdminSDHolder,CN=System,DC=Domain Name, as follows:
Grant Contoso Srvc Admin Managers Full Control on the object.
Revoke permissions granted to the Domain Admins and Builtin Administrators groups.
Note
Although Builtin Administrators will no longer have control over service administrative accounts because of the security descriptor changes in step 2, Builtin Administrators have the privilege Take ownership of objects and other files (a User Rights Assignment setting in Default Domain Controller Security Policy). This privilege can be exercised to take ownership of (and subsequently modify the DACL of) any object, including the service administrative groups and all accounts that are members of these security groups.
Mark the DACL of the Service Management OU as Protected.
Grant Contoso Srvc Admin Managers inheritable Full Control over the Service Management OU.
Modify the DACLs of every group that is created for the purpose of representing roles, as follows:
Revoke all permissions that are granted to Domain Admins.
Revoke all permissions that are granted to Account Operators.
Implementing Domain Controller Admins
A member of Enterprise Admins creates two instances of the Domain Controller Admins role:
Contoso Root & NOAM DC Admins
Europe DC Admins
To implement the Domain Controller Admins role, Contoso Root & NOAM DC Admins instance
In the concorp.contoso.com domain, create the following security group under the Service Management OU:
Group Name: Contoso Root & NOAM DC Admins
Group Type: Universal if the forest root domain is in native mode, otherwise global. “Native mode” has the following meaning, depending on the operating system:
Windows Server 2003: the domain functional level is Windows 2000 native or higher.
Windows 2000: the domain mode is native.
Add Contoso Root & NOAM DC Admins to the security group CN=Administrators,CN=Builtin,DC=contoso,DC=com
Add Contoso NOAM DC Admins to the security group CN=Administrators,CN=Builtin,DC=noam,DC=concorp,DC=contoso,DC=com
Make sure no other group is a member of the Builtin Administrators group in noam.concorp.contoso.com.
To implement the Domain Controller Admins role, Europe DC Admins instance
In the concorp.contoso.com domain, create the following security group under the Service Management OU:
Group Name: Europe DC Admins
Group Type: Universal if the forest root domain is in native mode, otherwise global. “Native mode” has the following meaning, depending on the operating system:
Windows Server 2003: the domain functional level is Windows 2000 native or higher.
Windows 2000: the domain mode is native.
Add Contoso Europe DC Admins to the security group CN=Administrators,CN=Builtin,DC=europe,DC=concorp,DC=contoso,DC=com
Make sure no other group is a member of the Builtin Administrators group in europe.concorp.contoso.com.
Implementing Backup Operators
A member of Enterprise Admins creates three instances of this role, one for each domain.
To implement the Backup Operators role
In the concorp.contoso.com domain, create the following security groups under the Service Management OU:
Group Name:
Contoso Root Backup Operators
NOAM Backup Operators
Europe Backup Operators
Group Type: Universal if the forest root domain is in native mode, otherwise global. “Native mode” has the following meaning, depending on the operating system:
Windows Server 2003: the domain functional level is Windows 2000 native or higher.
Windows 2000: the domain mode is native.
In Domain Controller Security Policy in each domain, grant the following user rights under User Rights Assignment to the respective instance of the Backup Operators role:
Allow log on locally
Back up files and directories
Shut down the system
In Domain Controller Security Policy in each domain, modify the User Rights Assignment settings to remove all user rights settings that are granted by default to the Builtin\Backup Operators group, which are:
Allow log on locally
Back up files and directories
Restore files and directories
Shut down the system
Make sure that no other group is granted these user rights.