Appendix M: Service Management Delegation Role Definitions
Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2
This appendix presents the set of administrative tasks assigned to every role. The set of recommended roles for delegating service management is as follows:
- Forest Configuration Operators
- Domain Configuration Operators
- Security Policy Administrators
- Service Admin Managers
- Domain Controller Administrators
- Backup Operators
- Schema Administrators
- Replication Management Administrators
- Replication Monitoring Operators
- DNS Administrators
Forest Configuration Operators Role
The following is the set of administrative tasks assigned to this role:
- Create a child domain in an existing domain tree
- Demote the last domain controller in a child domain
- Demote the last domain controller in a tree-root domain
- Raise forest functional level
- Create all types of trusts for all domains
- Delete all types of trusts for all domains
- Change the direction of a trust
- Enable/disable name suffix routing (for a given suffix) in a forest
- Reset the trust passwords shared by a trust pair
- Force the removal of a trust
- Enable/disable SID History on an outbound forest trust
- Enable/disable SID filtering
- Enable selective authentication on an outbound forest/external trust
- Enable/disable placing of name suffix (top-level name) information on a realm trust
- Add/remove top-level names from a realm trust
- Add/remove top-level name exclusions from a realm trust
- Modify the transitivity of a realm trust
- Transfer the schema master role
- Transfer the domain naming master role
- Seize the schema master role
- Seize the domain naming master role
- Manage all LDAP query policy related administrative tasks
Domain Configuration Operators Role
The following is the set of administrative tasks assigned to this role:
- Create a replica (additional domain controller)
- Remove a replica
- Designate a domain controller as a global catalog
- Undesignate a domain controller as a global catalog
- Rename a domain controller
- Raise domain functional level
- Transfer the RID master role
- Transfer the PDC emulator master role
- Transfer the infrastructure master role
- Seize the RID master role
- Seize the PDC emulator master role
- Seize the infrastructure master role
- Protect and manage the default Domain Controllers OU
- Protect and manage the content stored in the System container
- Restore Active Directory from backup
Security Policy Administrators Role
The following is the set of administrative tasks assigned to this role:
- Manage all aspects of the Domain Controller Security Policy for all domains in the forest
- Manage the following aspects of the Domain Security Policy for all domains in the forest:
  - Password Policy
  - Account Lockout Policy
  - Kerberos Policy
Service Admin Managers Role
The following is the set of administrative tasks assigned to this role:
- Manage and protect all service administrator security groups in the forest
- Manage and protect all service administrator accounts in the forest
Domain Controller Administrators Role
The following is the set of administrative tasks assigned to this role:
- Install and modify software
- Install service packs and hotfixes
- Configure directory service settings in the registry
- Maintain and back up event logs
- Configure the Service Control Manager
- Manage directory service files and Sysvol
- Start and shut down domain controllers
- Maintain Active Directory database and log files
Backup Operators Role
The following is the set of administrative tasks assigned to this role:
- Perform scheduled backups of Active Directory system state
Schema Administrators Role
The following is the set of administrative tasks assigned to this role:
- Enable schema modification on a domain controller in the enterprise
- Change the current schema master
- Add a class definition in the schema
- Add an attribute definition in the schema
- Modify a class definition in the schema
- Modify an attribute definition in the schema
- Update the schema cache on demand
- Deactivate a schema class object or resurrect a deactivated schema class object
- Deactivate a schema attribute object or resurrect a deactivated schema attribute object
- Make an attribute indexed
- Add attributes to the ANR set
- Designate an attribute as a member of the partial attribute set that is replicated to the global catalog
- Remove an attribute from the partial attribute set that is replicated to the global catalog
Replication Management Administrators Role
The following is the set of administrative tasks assigned to this role:
- Create and add a site
- Rename a site
- Specify the location of a site
- Delete a site
- Create and add a subnet
- Specify the location of a subnet
- Associate a subnet with a site
- Delete a subnet
- Create a site link
- Add or remove sites to and from a site link
- Modify the cost associated with a site link
- Modify the replication period associated with a site link
- Modify the replication schedule for a site link
- Delete a site link
- Create a site link bridge (object)
- Add or remove sites to and from a site link bridge
- Create a single bridge for the entire network
- Turn off the “Bridge all site links” option for IP/SMTP transport
- Delete a site link bridge (object)
- Create a connection (only if needed)
- Delete a connection (only if needed)
- Take ownership of a KCC-generated connection object
- Manually set a schedule for connection objects
- Enable and disable data compression for inter-site replication
- Change the default setting for the intra-site replication schedule within a site
- Designate or remove a preferred bridgehead server
- Replace a failed preferred bridgehead server
- Force replication between two servers
- Force a synchronization between two servers
- Disable automatic topology generation for a site
- Disable automatic topology cleanup for a site
- Disable minimum hops topology for a site
- Disable automatic stale server detection for a site
- Disable automatic inter-site topology generation for a site
- Disable inbound replication on a domain controller
- Disable outbound replication on a domain controller
- Enable reciprocal replication between sites (only for IP transport links)
- Enable change notification between sites (only for IP transport links)
- Force replication topology generation
Replication Monitoring Operators Role
The following is the set of administrative tasks assigned to this role:
- Get replication latency information
- Get pending operations on a domain controller
- Get replication summary information
- Check replication status
DNS Administrators Role
The following is the set of administrative tasks assigned to this role:
- Install the DNS Server service on domain controllers
- Configure recursive name resolution settings
- Configure the forest root domain controller to host the DNS zone that corresponds to the forest root DNS name
- Configure the domain controllers for each regional domain to host the DNS zone that corresponds to the DNS name of the domain
- Configure the zone containing the forest-wide locator records to replicate to every DNS server in the forest by using the forest-wide DNS application partition