Delegating Account Group Maintenance

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2

To delegate permission to maintain account group memberships, you can apply the account group/resource group/admin group model, which extends the AG/RG model with a third kind of security group: the departmental admin group.

Admin groups are usually domain local groups that consist of members of the local business unit, such as managers or trusted clerical workers. A departmental admin group has permission to manage the membership of the department’s security groups, and sometimes manages other department resources as well. The departmental admin group is added to the ACL of a business unit’s OU, or to the ACLs of the individual user and resource groups. Although the departmental admin group has permission to manage group membership, it cannot create and delete groups.

Each department has its own departmental admin group with specific permission to change membership of the department’s account groups. Because membership in the departmental admin group gives a user the ability to add any forest user to departmental account groups, the departmental administrators must be highly trusted employees.

Consequently, you also must carefully determine who controls the membership of the admin group itself. Allowing departmental administrators to self-administer their admin groups is a security risk, because such delegated authority can be misused. Relatively little effort is required to maintain the departmental admin groups, so it is more secure to have the central IT department administer them. In this way, the IT department can delegate account group maintenance to specific individuals in each department, and these assignments cannot be changed without IT participation.
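The delegation described above (write access to group membership only, no create or delete) and the self-administration caveat, as an added example that is not part of the original article. It assumes the ActiveDirectory PowerShell module (RSAT) on a management host, a hypothetical domain corp.example with a "Sales" business-unit OU, and an IT-managed departmental admin group named "Sales-Admins".

```powershell
# Added example, not from the original article. Names below are assumptions.
Import-Module ActiveDirectory

$deptOU     = "OU=Sales,DC=corp,DC=example"        # business unit OU (assumed)
$adminGroup = Get-ADGroup -Identity "Sales-Admins" # departmental admin group (assumed)

# Caveat: the admin group must live outside the OU it administers. If it sat
# inside $deptOU, the ACE below would let departmental administrators edit
# their own admin group, which is exactly the self-administration the model forbids.
if ($adminGroup.DistinguishedName -like "*,$deptOU") {
    throw "Admin group must not reside in the OU it administers"
}

# Resolve schemaIDGUIDs from the schema rather than hard-coding them.
$schemaNC = (Get-ADRootDSE).schemaNamingContext
function Get-SchemaGuid([string]$ldapName) {
    $obj = Get-ADObject -SearchBase $schemaNC -LDAPFilter "(lDAPDisplayName=$ldapName)" -Properties schemaIDGUID
    return [Guid]$obj.schemaIDGUID
}
$memberAttrGuid = Get-SchemaGuid 'member'   # the 'member' attribute
$groupClassGuid = Get-SchemaGuid 'group'    # the 'group' object class

# One ACE: Allow WriteProperty on 'member', inherited only by descendant group
# objects. No CreateChild/DeleteChild, so membership can be changed but groups
# cannot be created or deleted.
$ace = New-Object -TypeName System.DirectoryServices.ActiveDirectoryAccessRule -ArgumentList @(
    $adminGroup.SID,
    [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty,
    [System.Security.AccessControl.AccessControlType]::Allow,
    $memberAttrGuid,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents,
    $groupClassGuid)

$acl = Get-Acl -Path "AD:\$deptOU"
$acl.AddAccessRule($ace)
Set-Acl -Path "AD:\$deptOU" -AclObject $acl

# Verification: list what the admin group holds on this OU and warn if anything
# beyond the membership write was granted (e.g. by an earlier, broader delegation).
$granted = (Get-Acl -Path "AD:\$deptOU").Access | Where-Object {
    $_.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]) -eq $adminGroup.SID
}
$granted | Format-Table IdentityReference, ActiveDirectoryRights, ObjectType, InheritedObjectType, InheritanceType -AutoSize
if (($granted.ActiveDirectoryRights -join ',') -match 'CreateChild|DeleteChild|GenericAll|WriteDacl|WriteOwner') {
    Write-Warning "Admin group holds rights beyond membership maintenance; review the OU ACL"
}
```

Run it as a member of the central IT team that owns the OU; the admin group's own membership stays under IT control because the ACE never reaches the OU where "Sales-Admins" resides.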