Implementing the Service Admin Managers Role
Updated: December 5, 2005
Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2
Use the following procedure to implement the service admin managers role.
To implement the one required instance of the Service Admin Managers role
Create a Universal Group called <Forest-Name> Service Admin Managers in the forest root domain in the Service Management OU (ou=Service Management, dc=<Forest Root Domain>).
Note: If Universal groups are not available, create a Global security group.
In each domain, modify the DACL on the ADMINSDHOLDER object (CN=AdminSDHolder, CN=System, DC=<domain>) as follows:
Grant the <Forest-Name> Service Admin Managers group Full-Control permissions on the object.
Grant the Enterprise Admins group Full-Control permissions on the object.
Optionally, to ensure that members of no other security groups can modify the membership of or delete service administrator groups, modify the DACL of the object by removing all permissions granted to Domain Admins, Built-In Admins and Enterprise Admins.
Note: Even if you remove all permissions granted to Built-In Admins, any administrator who has the Take Ownership of files or other objects user right granted in the Domain Controller Security Policy can still take ownership of a service administrator security group object or member user object. By default, Built-In Admins are granted this user right, and by default Domain Admins and Enterprise Admins are members of the Built-In Admins group. Thus, although removing the permissions granted to Domain Admins, Built-In Admins and Enterprise Admins in the ADMINSDHOLDER object DACL will not allow a member of these groups to directly modify the membership of these groups or modify a member user, it will not prevent them from taking ownership of the object representing a service administrator security group or member user and then modifying the object. If you must ensure that the Service Admin Managers group is the only group that can truly manage all service administrator groups and members, consider removing this user right from the above set of administrative groups.
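The DACL change above, as an added PowerShell example that is not part of the original article: it grants Full Control on the current domain's AdminSDHolder object to the Service Admin Managers group and to Enterprise Admins, then lists every Full Control entry so the result can be verified. It assumes the ActiveDirectory module is available and uses the placeholder forest name CONTOSO.

```powershell
# Added example, not from the original article. Assumes the ActiveDirectory module
# (AD: drive) and a forest named CONTOSO; adjust $forestName for your environment.
Import-Module ActiveDirectory

$forestName = 'CONTOSO'                                  # placeholder forest name
$managers   = "$forestName Service Admin Managers"
$rootDomain = (Get-ADForest).RootDomain
$domain     = Get-ADDomain                                # the domain being configured
$holderPath = "AD:\CN=AdminSDHolder,CN=System,$($domain.DistinguishedName)"

# Resolve the two groups that the procedure grants Full Control.
# Enterprise Admins only exists in the forest root domain, so query it there.
$managerSid = (Get-ADGroup -Identity $managers -Server $rootDomain).SID
$eaSid      = (Get-ADGroup -Identity 'Enterprise Admins' -Server $rootDomain).SID

$acl = Get-Acl -Path $holderPath
foreach ($sid in @($managerSid, $eaSid)) {
    # GenericAll is the "Full Control" right on a directory object.
    $ace = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
        $sid,
        [System.DirectoryServices.ActiveDirectoryRights]::GenericAll,
        [System.Security.AccessControl.AccessControlType]::Allow)
    $acl.AddAccessRule($ace)
}

# Optional hardening step from the article: drop explicit ACEs held by
# Domain Admins (RID 512) and Built-In Admins (S-1-5-32-544). Uncomment to apply.
# $toStrip = @("$($domain.DomainSID)-512", 'S-1-5-32-544')
# foreach ($rule in @($acl.Access)) {
#     $ruleSid = $rule.IdentityReference.Translate(
#         [System.Security.Principal.SecurityIdentifier]).Value
#     if ($toStrip -contains $ruleSid) { [void]$acl.RemoveAccessRule($rule) }
# }

Set-Acl -Path $holderPath -AclObject $acl

# Verification: every principal that now holds Full Control on AdminSDHolder.
# Anything beyond the two intended groups (and the Domain Admins / Built-In Admins
# entries you chose to keep) is a finding worth explaining.
(Get-Acl -Path $holderPath).Access |
    Where-Object { $_.ActiveDirectoryRights -eq 'GenericAll' } |
    Select-Object IdentityReference, AccessControlType, IsInherited |
    Format-Table -AutoSize
```

SDProp copies this DACL onto the protected groups and their members on its periodic run (every 60 minutes by default), so the effect on the service administrator groups themselves is not immediate.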