Select the optimal resource account option

Applies To: Windows Server 2003 R2

Active Directory Federation Services (ADFS) provides controls that the resource administrator—that is, the ADFS administrator in the resource partner forest—can use to define how resource accounts are used for a particular account partner. The following table describes resource account options and the circumstances in which a resource administrator might use them.

Each option is listed below with its description and the circumstances in which a resource administrator might use it.

Resource accounts exist for all users

Description: Specifies that a resource account is configured for each user from the account partner that needs access to the resource. In this case, incoming group claims are not mapped to resource groups even if resource groups are configured.

Can be used when the resource administrator wants to:

  • Maintain complete control over access that is granted to specific account partner users. This option is most suitable for managing a small number of account partner users.

Resource accounts exist for some users (prefer resource account)

Description: Specifies that resource groups are used for some user accounts. This means that some users may have individual resource accounts created for them, while other users may be configured to use resource groups.

When this option is selected, ADFS first looks for resource accounts that match the user principal name (UPN) claim or e-mail claim that is specified in the incoming token. ADFS uses these resource accounts if they exist. Otherwise, if the token has a group claim that is mapped to a resource group, ADFS uses the resource group.

Can be used when the resource administrator wants to:

  • Prefer a specific set of account partner users. In addition, this option allows the account partner to manage its users through groups.

  • Override the rights of specific users in a group.

  • Provide specific users who belong in a privileged group in the account partner with more-detailed access to the resource.

Resource accounts exist for some users (prefer groups in token)

Description: This is the default setting. Specifies that ADFS uses its own logic to determine whether each incoming token maps to a resource group or whether it should look for a resource account.

When this option is selected, ADFS first looks in the token for incoming group claims that it can map to a resource group. If ADFS finds such group claims, it uses the resource group. If there is no incoming group claim, ADFS looks for a resource account to use.

Can be used when the resource administrator wants to:

  • Prefer delegating account management to an account administrator, including management of a specific set of account partner users.

  • Provide access for specific users who are not in the privileged group in the account organization when they need access to the resource. For example, a resource is accessible only to executives; however, the account administrator needs access to parts of the resource.

  • Move delegation of account management to the account administrator.

No resource accounts exist for this account partner

Description: Specifies that one or more resource groups will be used for all users in this account partner. This means that every token that is issued from this account partner will be required to contain one or more group claims that map to one or more resource groups in the resource partner forest.

Can be used when the resource administrator wants to:

  • Completely delegate account management to the account organization.

For more information about how you can modify these resource account options, see Configure resource account options.
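The four options differ only in the order in which ADFS consults the resource account directory and the group-claim mappings, and in which of the two it ignores. The following Python model, added here as an illustration and not ADFS's own code, resolves one incoming token under each option so the differences can be seen side by side. The account directory, group mappings, token claims and every identifier in it are constructed for the example; the handling of a group claim that has no mapping under the "prefer groups in token" option (fall back to a resource account lookup) is an assumption about the behavior described above.

```python
from dataclasses import dataclass
from enum import Enum
from typing import Dict, Optional, Tuple


class ResourceAccountOption(Enum):
    """The four resource account options described on this page."""
    ALL_USERS = "Resource accounts exist for all users"
    SOME_USERS_PREFER_ACCOUNT = "Resource accounts exist for some users (prefer resource account)"
    SOME_USERS_PREFER_GROUPS = "Resource accounts exist for some users (prefer groups in token)"
    NO_ACCOUNTS = "No resource accounts exist for this account partner"


@dataclass(frozen=True)
class IncomingToken:
    """Claims carried by a token issued by the account partner (simplified model)."""
    upn: Optional[str] = None
    email: Optional[str] = None
    groups: Tuple[str, ...] = ()


@dataclass(frozen=True)
class ResourcePartnerConfig:
    """Resource partner settings for one account partner (hypothetical model)."""
    option: ResourceAccountOption
    resource_accounts: Dict[str, str]   # UPN or e-mail claim (lower-case) -> resource account
    group_mappings: Dict[str, str]      # incoming group claim -> resource group


def find_resource_account(token: IncomingToken, cfg: ResourcePartnerConfig) -> Optional[str]:
    """Look for a resource account matching the UPN claim first, then the e-mail claim."""
    for claim in (token.upn, token.email):
        if claim is not None:
            account = cfg.resource_accounts.get(claim.lower())
            if account is not None:
                return account
    return None


def map_groups(token: IncomingToken, cfg: ResourcePartnerConfig) -> Tuple[str, ...]:
    """Translate incoming group claims into the resource groups they are mapped to."""
    return tuple(cfg.group_mappings[g] for g in token.groups if g in cfg.group_mappings)


def resolve_identity(token: IncomingToken, cfg: ResourcePartnerConfig):
    """Return ("account", name), ("group", names) or None when no identity can be resolved."""
    account = find_resource_account(token, cfg)
    groups = map_groups(token, cfg)
    opt = cfg.option
    if opt is ResourceAccountOption.ALL_USERS:
        # Group claims are ignored even if resource groups are configured.
        return ("account", account) if account else None
    if opt is ResourceAccountOption.SOME_USERS_PREFER_ACCOUNT:
        # Resource account first, mapped resource groups as the fallback.
        if account:
            return ("account", account)
        return ("group", groups) if groups else None
    if opt is ResourceAccountOption.SOME_USERS_PREFER_GROUPS:
        # Mapped resource groups first; assumption: fall back to an account lookup
        # whenever no group claim in the token maps to a resource group.
        if groups:
            return ("group", groups)
        return ("account", account) if account else None
    # NO_ACCOUNTS: every token must carry at least one mapped group claim.
    return ("group", groups) if groups else None


# Constructed sample data for the example; not taken from any real deployment.
SAMPLE_ACCOUNTS = {"alice@account.example": "alice.partner"}
SAMPLE_GROUP_MAPPINGS = {"Account-Executives": "Resource-ExecReaders"}


def config_for(option: ResourceAccountOption) -> ResourcePartnerConfig:
    return ResourcePartnerConfig(option, SAMPLE_ACCOUNTS, SAMPLE_GROUP_MAPPINGS)


def compare_options(token: IncomingToken) -> Dict[str, object]:
    """Resolve one token under all four options to show how the choice changes the outcome."""
    return {opt.name: resolve_identity(token, config_for(opt)) for opt in ResourceAccountOption}


if __name__ == "__main__":
    alice = IncomingToken(upn="alice@account.example", groups=("Account-Executives",))
    bob = IncomingToken(upn="bob@account.example", groups=("Account-Executives",))
    for name, tok in (("alice", alice), ("bob", bob)):
        for opt_name, result in compare_options(tok).items():
            print(f"{name:6} {opt_name:26} -> {result}")
```

Running the block shows the practical consequence of the table: a user with both a resource account and a mapped group claim is resolved to the account under the first two options and to the resource group under the last two, while a user with only a mapped group claim gets no identity at all under "Resource accounts exist for all users".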

Comparing resource account options

Before you select any other option besides the default option, compare the various advantages and disadvantages that can result from using another resource account option, as described in the following table.

The advantages and disadvantages of each option are listed below.

Resource accounts exist for all users

Advantages and disadvantages:

  • Access control list (ACL) model—the resource must be assigned permissions for the security identifier (SID) of the resource account or against SIDs for groups that the resource account is a member of.

  • Administrative cost—high for large-scale account management at the resource partner. Costs can rise, depending on whether the account partner uses privacy enhancements.

Resource accounts exist for some users (prefer resource account)

Advantages and disadvantages:

  • ACL model—the resource must be assigned permissions for the SID of the existing resource accounts, against SIDs for groups that the resource account is a member of, and also the SIDs of resource groups that correspond to groups in the token.

  • Administrative cost—scalable, depending on the number of exception cases.

  • Performance—slow as a result of account lookup.

  • Administrative cost—costs can rise, depending on whether the account partner uses privacy enhancements.

Resource accounts exist for some users (prefer groups in token)

Advantages and disadvantages:

  • ACL model—the resource must be assigned permissions for the SID of the existing resource accounts, against SIDs for groups that the resource account is a member of, and also the SIDs of resource groups that correspond to groups in the token.

  • Performance—in most cases, there is better performance. Exceptions are cases in which user account lookup occurs.

  • Administrative cost—scalable, depending on the number of exception cases.

  • Administrative cost—costs can rise, depending on whether the account partner uses privacy enhancements.

No resource accounts exist for this account partner

Advantages and disadvantages:

  • ACL model—ACL using groups.

  • Performance—better.

  • Administrative cost—significantly lower administrative costs are associated with account partners using privacy enhancements.

  • Administrative cost—low, depending on the number of exception cases.