Maintaining the Service Management Delegation Model

  • Article

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2

Service delegation models require minimal maintenance under most operating conditions. Tasks that are required to maintain the service delegation model can include:

  • Adding (delegating) or removing (undelegating) members to or from service administration role instances

  • Adding new instances of roles in the event of infrastructure changes such as, but not limited to:

    • Addition of a new branch site that has domain controllers for the domain of the business unit

    • Removal of a branch site

  • Modifying a role by assigning or revoking a new or existing task from the role definition

  • Creating new custom roles if the need arises

  • Undelegating a role completely by revoking all permissions that are granted to the group that represents the role

Adding or Removing Members from Role Instances

To add or remove members from existing role instances, simply modify the membership of the security group representing the role.

Adding New Role Instances

To add a new role instance, follow steps 2 through 4 listed in the Implementing the Service Management Delegation Model section.

Modifying a Role Definition

To modify an existing role definition, perform the following steps:

  1. Modify the documented set of administrative tasks assigned to a specific role definition by adding a new task, removing an existing task.

  2. Identify all existing instances of this role and appropriately modify the permissions granted to the role as follows:

    If a new task was added to the role, determine the minimal and precise set of permissions required to delegate the new task by referring to Appendix A: Active Directory Administrative Tasks in Best Practices for Delegating Active Directory Administration: Appendices, which accompanies this document, and appropriately grant the security group representing the specific instance of this role the set of permissions determined earlier (as indicated in “Appendix A”).

    If an existing task was removed from the role definition, determine the minimal and precise set of permissions that are required to delegate this task by referring to Appendix A: Active Directory Administrative Tasks in Best Practices for Delegating Active Directory Administration: Appendices, which accompanies this document, then ensure that the same setoff permissions (or even one of them) is not required to perform any other tasks in the role definition, and then appropriately revoke assigned permissions for the security group representing the specific instance of this role (as indicated in “Appendix A”).

Creating New Custom Roles

To create a new custom role, perform the following steps:

  1. Understand and document the purpose of the new role.

  2. Assign a set of administrative tasks to this new role.

  3. Determine the minimal and precise set of permissions required to delegate the set of administrative tasks identified earlier.

  4. Document the general scope where permissions must be applied in the directory (or perhaps on the file system or registry or Group Policy on Domain Controllers).

To enable new instances of this role, follow steps 2 through 4 listed in the Implementing the Service Management Delegation Model section.

Undelegating Role Instances

To undelegate existing role instances, perform the following steps:

  1. Revoke all permissions granted to the security group representing the specific instance of the role. This might involve revoking user rights in the Domain Controller Security policy.

  2. Optionally, empty the group membership of the security group representing the specific instance of the role.

  3. To ensure that all permissions have been removed, double-check your documentation and make sure that permissions have been removed from all places where they were initially granted.

    Note

    Dsrevoke.exe, a command-line tool that automatically revokes permissions, can be used to revoke delegated authority, but only on an OU. Because most of the data that is protected by service management role permissions is stored in the configuration and schema directory partitions in Active Directory, or in the file system or registry of a domain controller, manual intervention is usually required to undelegate a service administration role.

Creating custom roles involves using the delegation process that described earlier in this chapter to identify tasks and map them to a group, configure permissions and rights, and then populate the group. The same is true for ad hoc roles, which are removed when the need no longer exists.