Implementing the Service Admin Managers Role

  • Article

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2

Use the following procedure to implement the service admin managers role.

To implement the one required instance of the Service Admin Managers role

  1. Create a Universal Group called <Forest-Name> Service Admin Managers in the forest root domain in the Service Management OU (ou=Service Management, dc=<Forest Root Domain>)

    Note

    If Universal groups are not available, create a Global security group.

  2. In each domain, modify the DACL on the ADMINSDHOLDER object in each domain (CN=AdminSDHolder, CN=System, DC=<domain> as follows:

    1. Grant the <Forest-Name> Service Admin Managers group Full-Control permissions on the object.

    2. Grant the Enterprise Admins group Full-Control permissions on the object.

    3. Optionally, to ensure that members of no other security groups can modify the membership of or delete service administrator groups, modify the DACL of the object by remove all permissions granted to Domain Admins, Built-In Admins and Enterprise Admins.

      Note

      Note that even if you remove all permissions granted to Built-In Admins, any administrator who has the Take Ownership of files or other objects user right granted in the Domain Controller Security Policy can still take ownership of a service administrator security group object or member user object. By default the Built-In Admins are granted this user right and by default Domain Admins and Enterprise Admins are members of the Built-In Admins group. Thus, removing permissions granted to Domain Admins, Built-In Admins and Enterprise Admins in the ADMINSDHOLDER object DACL will not allow a member of these groups to directly modify the membership of these groups or modify a member user, it will not prevent them from taking ownership of the 0bject representing a service administrator security group or member user and then modifying the object. If must ensure that the Service Admin Managers group is the only group that can truly manage all service administrator groups and members, consider taking away this privilege from the above set of administrative groups.