Best Practices for Delegating Active Directory Administration (Windows Server 2003)

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2

Acknowledgements

Program Manager: Sanjay Tandon

Writer: Mary Hillman

We thank the following people for their contributions in the creation of the Active Directory Delegation Appendices and the Dsrevoke tool:

Umit Akkus, Nona Allison, Colin Brace, Raman Chikkamagalur, Arren Conner, Raju Dantuluri, Dmitry Dukat, Levon Esibov, Dmitri Gavrilov, Don Hacherl, Saif Hasan, Xin He, David Hou, Gokay Hurmali, Khushru Irani, Kamal Janardhan, Gregory Johnson, Ian Jose, Richa Kumar, Klaas Langhout, William Lees, Xiaozhong Luo, Jaeger Mitchell, Nathan Muggli, Arun Nanda, Rich Randall, Ullattil Shaji, Brett Shirley, Scott Turnbull, Andrea Weiss, Jeff Westhead, and BJ Whalen.

We thank the following people for reviewing the guide and providing valuable feedback:

Laurie Brown, John Craddock, Robert DeLuca, Christoph Felix, Eric Fleischman, Guido Grillenmeier, Mike Hickey, David Kayano, Alain Lissoir, Andreas Luther, Astrid McClean, Paul Rich, Joe Richards, and David Trulli.

Overview

The Active Directory® directory service is an integral component of network infrastructures that are based on the Microsoft® Windows Server™ 2003, Standard Edition; Windows Server™ 2003, Enterprise Edition; Windows Server™ 2003, Datacenter Edition; and Windows® 2000 Server, Windows® 2000 Advanced Server, and Windows® 2000 Datacenter Server operating systems. Successful management of Active Directory environments requires distribution of administrative responsibilities among multiple administrators according to organizational, operational, legal, and administrative requirements. Having the necessary background information, requirements, practices, and recommendations can help you delegate administration so that Active Directory services and data are managed more securely and efficiently.

Abstract

Active Directory provides an enterprise-ready, scalable, distributed directory service that allows organizations to centrally manage and share information about network resources and users, and is at the heart of distributed network security in a Windows Server–based enterprise. Active Directory thus plays a major role in accomplishing the business goals of your organization, and your ability to successfully manage Active Directory has a direct bearing on your ability to accomplish these goals.

Delegation of administration, a key capability of Active Directory, provides a means to successfully manage an Active Directory environment. This document discusses in depth the issues involved in delegating administrative responsibilities, and can help you plan for, implement, and maintain an administrative delegation model that allows secure and efficient management of Active Directory.

Scope

This document provides all the information required to create, implement, and maintain a security-conscious and efficient delegation model to manage your Active Directory environments. This information includes an overview of delegation, in-depth explanations of the rationale for delegation, technical descriptions of how delegation works in Active Directory, processes for creating delegation models for both service and data management, the steps needed to implement and maintain the models, and a detailed case study. Appendices to this document provide an exhaustive reference, including a comprehensive list of Active Directory administrative tasks and associated permissions required to delegate every administrative task in Active Directory.

This document does not include Active Directory deployment instructions or recommendations. For information about planning and deploying an Active Directory environment, see Designing and Deploying Directory and Security Services of the Microsoft® Windows® Server 2003 Deployment Kit on the Web at https://go.microsoft.com/fwlink/?LinkID=4719.

Intended Audience

This document is intended for Information Technology (IT) professionals who are responsible for managing an Active Directory environment. In most IT infrastructures that consist of multiple integrated components and services, the responsibility to deliver a specific component or service is typically entrusted to a component or service owner, who is responsible for the overall delivery of the component or service.

Ownership of Active Directory environments should be entrusted to two specific owners or owner groups, whose roles are typically strategic and managerial – service owners and data owners. Service owners and data owners have general, overriding responsibility for Active Directory. These usually high-ranking managers are respectively responsible for ensuring reliability and security in the delivery of the directory service and for managing the security of Active Directory content. To that end, they are responsible for delegating and distributing among their administrators responsibility for managing services and content. They do so by creating an administrative delegation model, which documents the distribution of administrative responsibilities among various administrative personnel.

Administrative responsibilities for delegating Active Directory management are divided between:

  • Service owners, who are responsible for:

    • Planning, deployment, and long-term maintenance of the Active Directory infrastructure.

    • Ensuring that the directory continues to function reliably and at the desired level of security.

    • Ensuring that the goals established in service-level agreements are maintained.

  • Data owners, who are responsible for maintaining the information that is stored in or protected by the Active Directory directory service, including:

    • Management of user and computer accounts.

    • Management of local resources, such as member servers and workstations and the data they store.

  • Service administrators, who represent the operational arm of service owners and are responsible for carrying out the tasks that are required to maintain the delivery of the directory service.

  • Data administrators, who represent the operational arm of data owners and are responsible for carrying out the tasks that are required to manage the content that is stored in or protected by Active Directory.

This document is intended for service and data owners to help them create a security-conscious and efficient administrative delegation model that is tailored to the specific requirements of their organization. It is also intended for the service and data administrators who are responsible for implementing the delegation model.

To accommodate the needs of these different stakeholders, the information in this document is divided into four chapters, a case study, and extensive appendices, as follows:

  • Chapter 1: Delegation of Administration Overview

    This chapter provides an overview of Active Directory management categories and stakeholders and a roadmap for successfully managing delegation of administration in Active Directory. It is targeted at all stakeholders involved in Active Directory management.

  • Chapter 2: How Delegation Works in Active Directory

    This chapter takes an in-depth look at how delegation of administration actually works in Active Directory and presents all the technical aspects involved in delegation of administration. It contains a wealth of information that will be useful for all stakeholders involved in Active Directory management.

  • Chapter 3: Delegating Service Management

    This chapter presents an end-to-end perspective of Active Directory service management, and provides guidance on how to create, implement, and maintain a secure and efficient administrative delegation model for service management. It is targeted at Service Owners and Service Administrators.

  • Chapter 4: Delegating Data Management

    This chapter presents an end-to-end perspective of Active Directory data management, and provides guidance on how to create, implement, and maintain a secure and efficient administrative delegation model for data management. Though it is targeted at Data Owners and Data Administrators, Service Owners and Service Administrators will also benefit from the information in this chapter.

  • Case Study: A Delegation Scenario

    The case study walks through the creation, implementation, and maintenance of an administrative delegation model for a fictitious Active Directory environment based on the recommendations presented in Chapters 3 and 4. While it is primarily targeted at service and data administrators, service and data owners will also benefit from the case study.

  • Best Practices for Delegating Active Directory Administration: Appendices

    The appendices contain step-by-step procedures to help you administer and maintain Active Directory.