Appendix M: Service Management Delegation Role Definitions

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2

This appendix presents the set of administrative tasks assigned to every role. The set of recommended roles for delegating service management is as follows:

  • Forest Configuration Operators

  • Domain Configuration Operators

  • Security Policy Administrators

  • Service Admin Managers

  • Domain Controller Administrators

  • Backup Operators

  • Schema Administrators

  • Replication Management Administrators

  • Replication Monitoring Operators

  • DNS Administrators

Forest Configuration Operators Role

The following is the set of administrative tasks assigned to this role:

  • Create a child domain in an existing domain tree

  • Demote the last domain controller in a child domain

  • Demote the last domain controller in a tree-root domain

  • Raise forest functional level

  • Create all types of trusts for all domains

  • Delete all types of trusts for all domains

  • Change the direction of a trust

  • Enable/disable name suffix routing (for a given suffix) in a forest

  • Reset the trust passwords shared by a trust-pair

  • Force the removal of a trust

  • Enable/disable SID History on an outbound forest trust

  • Enable/disable SID filtering

  • Enable selective authentication on an outbound forest/external trust

  • Enable/disable placing of name suffix (top level names) information on a realm trust

  • Add/remove top-level names from a realm trust

  • Add/remove top-level name exclusions from a realm trust

  • Modify the transitivity of a realm trust

  • Transfer the schema master role

  • Transfer the domain naming master role

  • Seize the schema master role

  • Seize the domain naming master role

  • Manage all LDAP query policy related administrative tasks

Domain Configuration Operators Role

The following is the set of administrative tasks assigned to this role:

  • Create a replica (additional domain controller)

  • Remove a replica

  • Designate a domain controller as a global catalog

  • Undesignate a domain controller as a global catalog

  • Rename a domain controller

  • Raise domain functional level

  • Transfer the RID master role

  • Transfer the PDC emulator master role

  • Transfer the infrastructure master role

  • Seize the RID master role

  • Seize the PDC emulator master role

  • Seize the infrastructure master role

  • Protect and manage the default domain controllers OU

  • Protect and manage the content stored in the System container

  • Restore Active Directory from backup

Security Policy Administrators Role

The following is the set of administrative tasks assigned to this role:

  • Manage all aspects of the Domain Controller Security Policy for all domains in the forest

  • Manage the following aspects of Domain Security Policy for all domains in the forest:

    • Password Policy

    • Account Lockout

    • Kerberos Policy

Service Admin Managers Role

The following is the set of administrative tasks assigned to this role:

  • Manage and protect all service administrator security groups in the forest

  • Manage and protect all service administrator accounts in the forest

Domain Controller Administrators Role

The following is the set of administrative tasks assigned to this role:

  • Install and modify software

  • Install service packs and hot-fixes

  • Configure directory service settings in the registry

  • Maintain and back up event logs

  • Configure the Service Control Manager

  • Manage directory service files and Sysvol

  • Start and shut down domain controllers

  • Maintain Active Directory database and log files

Backup Operators Role

The following is the set of administrative tasks assigned to this role:

  • Perform scheduled backups of Active Directory system state

Schema Administrators Role

The following is the set of administrative tasks assigned to this role:

  • Enable schema modification on a domain controller in the enterprise

  • Change the current schema master

  • Add a class definition in the schema

  • Add an attribute definition in the schema

  • Modify a class definition in the schema

  • Modify an attribute definition in the schema

  • Update the schema cache on demand

  • Deactivate a schema class object or resurrect a deactivated schema class object

  • Deactivate a schema attribute object or resurrect a deactivated schema attribute object

  • Make an attribute indexed

  • Add attributes to the ANR set

  • Designate an attribute as a member of the partial attribute-set that is replicated to the global catalog

  • Remove an attribute from the partial attribute-set that is replicated to the global catalog

Replication Management Administrators Role

The following is the set of administrative tasks assigned to this role:

  • Create a site and add a site

  • Rename a site

  • Specify the location of a site

  • Delete a site

  • Create a subnet and add a subnet

  • Specify the location of a subnet

  • Associate a subnet with a site

  • Delete a subnet

  • Create a site link

  • Add or remove sites to and from a site link

  • Modify the cost associated with a site link

  • Modify the replication period associated with a site link

  • Modify the replication schedule for a site link

  • Delete a site link

  • Create a site link bridge (object)

  • Add or remove sites to and from a site link bridge

  • Create a single bridge for the entire network

  • Turn off the “Bridge all site links” option for IP/SMTP transport

  • Delete a site link bridge (object)

  • Create a connection (only if needed)

  • Delete a connection (only if needed)

  • Take ownership of a KCC-generated connection object

  • Manually set a schedule for connection objects

  • Enable and disable data compression for inter-site replication

  • Change the default setting for the intra-site replication schedule within a site

  • Designate or remove a preferred bridgehead server

  • Replace a failed preferred bridgehead server

  • Force replication between two servers

  • Force a synchronization between two servers

  • Disable automatic topology generation for a site

  • Disable automatic topology cleanup for a site

  • Disable minimum hops topology for a site

  • Disable automatic stale server detection for a site

  • Disable automatic inter-site topology generation for a site

  • Disable inbound replication on a domain controller

  • Disable outbound replication on a domain controller

  • Enable reciprocal replication between sites (only for IP transport links)

  • Enable change notification between sites (only for IP transport links)

  • Force replication topology generation

Replication Monitoring Operators Role

The following is the set of administrative tasks assigned to this role:

  • Get replication latency information

  • Get pending operations on a domain controller

  • Get replication summary information

  • Check replication status

DNS Administrators Role

The following is the set of administrative tasks assigned to this role:

  • Install the DNS Server service on domain controllers

  • Configure recursive name resolution settings

  • Configure the forest root domain controller to host the DNS zone that corresponds to the forest root DNS name

  • Configure the domain controllers for each regional domain to host the DNS zone that corresponds to the DNS name of the domain

  • Configure the zone containing the forest-wide locator records to replicate to every DNS server in the forest by using the forest-wide DNS application partition