Creating a Successful Active Directory Delegation Model

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2

Managing a dynamic Active Directory environment typically involves many different administrative tasks that differ in scope, impact, and sensitivity. Administrative responsibility must be distributed and delegated among service and data administrators, taking into account the specific administrative needs of an organization. For example, an organization might have a specific need to delegate administrative responsibility for all account and resource management tasks to decentralized administrative groups while retaining centralized control of account support and operations by delegating responsibility for providing account support to centrally-based administrative groups.

Active Directory service and data owners are responsible for ensuring that the administrative needs of all stakeholders are addressed and might need to authorize administrative access or delegate the ability to carry out specific administrative tasks to these stakeholders, allowing the stakeholders to accomplish their assigned responsibilities based on their business role in the organization.

A structured and methodical approach towards managing an Active Directory environment can greatly enhance the security of the environment, reduce administrative costs involved in managing the environment, and successfully address the administrative needs of all stakeholders, thereby making Active Directory management more tractable seamless, efficient and secure.

A structured and methodical approach to managing an Active Directory environment generally involves the following recommended approach towards planning, creating, and implementing a successful administrative delegation model:

  1. Understand all aspects of Active Directory management.

  2. Understand the administrative needs of all stakeholders.

  3. Create a delegation model that ensures that administrative coverage is provided for all aspects of Active Directory management and that addresses the administrative needs of all stakeholders.

  4. Implement the delegation model in a secure and efficient fashion, ensuring that the administrative needs of all delegated administrators and all stakeholders are addressed while also ensuring that all administrative access has been granted on the basis of least privilege.

  5. Maintain the implemented delegation model, which involves making modifications to the implemented delegation model in response to changes in administrative requirements or needs.

A particularly effective method for managing an Active Directory environment is to apply the concept of roles-based administration to creating, implementing and maintaining a secure, tractable and efficient administrative delegation model. The following sections introduce the concept of roles-based administration and provide guidance on how this concept can be applied to increase security and efficiency when managing Active Directory environments.

A Roles-Based Approach to Active Directory Management

A particularly effective method for creating an efficient administrative delegation model is to use administrative roles. IT infrastructures span geographical, political, and administrative spectrums. A model that allows IT departments to delegate administrative responsibilities on the basis of business functions and administrative scopes lets organizations focus on business processes as opposed to technology processes. Defining these functions and scopes in terms of administrative roles enables business-driven administrative control while affording the ability to securely scale administration.

Administrative Roles

A role is a collection of related administrative tasks that can be assigned to a specific set of administrators in a specific scope of influence or authority. For example, account support tasks are similar in nature and are usually assigned to a specific set of administrators for a specific collection of user accounts. By defining a role called Help Desk or Account Support Operators, you can associate with that role a set of administrative tasks typically performed by personnel in that business function. You can then create various instances of this role, each represented by a unique security group, to provide account support in different parts of the organization. For example, consider an organization that is spread across four physical locations and has a decentralized account management and support model. Having defined a role for account support, this organization can simply create four instances of this role, one per physical location, and seamlessly and easily provide account support.

A role definition consists of the following:

  • A collection of one or more administrative tasks.

  • The collective set of permissions required to perform this set of tasks.

  • An instance of a role definition applies to a specific scope of administrative authority. A role instance consists of the following:

  • A collection of one or more administrative tasks.

  • The collective set of permissions required to perform this set of tasks.

  • A specific scope of administrative authority.

To use administrative roles in your delegation model, you do not need to undertake an extensive process of defining roles. Microsoft has engineered role definitions for Active Directory management and recommends the use of these roles for delegating administrative responsibilities for managing Active Directory. For more information about these service and data management role definitions and associated tasks, see Chapter 3: Delegating Service Management and Chapter 4: Delegating Data Management.

Administrative Tasks

Management of a dynamic Active Directory environment involves a wide variety of tasks that differ in nature, scope, impact, and sensitivity. For a comprehensive list of administrative tasks involved in Active Directory service and data management, see “Appendix A: Active Directory Administration Tasks” in “Best Practices for Delegating Active Directory Administration: Appendices,” which accompanies this document. This list is organized into service and data management categories. These categories are further subdivided on the basis of logical similarities between tasks. For an overview of these categories, see Chapter 3: Delegating Service Management and Chapter 4: Delegating Data Management. Each task in every category maps to an administrative role. In this way, all administrative tasks are covered by the set of Microsoft-recommended administrative roles. The sum of all categories and their related tasks provides full service and data administrative coverage for an Active Directory environment. Thus, the entire realm of Active Directory service and data management tasks can be assigned according to pre-defined management roles. You can also customize the existing roles and define new ones tailored to your organization.

A roles-based approach to Active Directory administration offers multiple benefits. It makes management more tractable and provides the ability to implement uniform administrative coverage that addresses similar administrative needs across the organization. It also provides the ability to easily and reliably delegate responsibility to, and subsequently revoke delegated responsibility from, a set of administrators. This approach eliminates the need to specify multiple sets of permissions across a large set of objects.

The following sections provide guidance on how a roles-based approach can be used to create, implement, and maintain a security-conscious and efficient Active Directory delegation model for managing an Active Directory environment.

Understanding Active Directory Management

A good understanding of both service management and data management is essential to creating an administrative delegation model that efficiently distributes administrative responsibility in accordance with your organization’s security policies.

Service owners and service administrators are highly encouraged to gain a thorough understanding of all aspects of service management and should gain at least a good understanding of data management.

Data owners are highly encouraged to gain a complete and thorough understanding of all aspects of data management. Data administrators are encouraged to gain a good understanding of all aspects of data management relevant to their administrative role and required to carry out their assigned administrative responsibilities.

For an end-to-end perspective of all aspects of data and service management, see Chapter 3: Delegating Service Management and Chapter 4: Delegating Data Management.

Understanding the administrative needs of stakeholders

It is important to identify all stakeholders that have a legitimate business need to access and/or modify data stored in or protected by Active Directory. These stakeholders generally include owners and administrators of other parts of the IT infrastructure, who own, manage or are responsible for aspects of the IT infrastructure that are related to or dependent on the organization’s Active Directory environment. Administrators of an Active Directory–enabled or Active Directory–integrated application or Corporate Security personnel are two examples of such stakeholders.

Understanding and documenting the access requirements of these stakeholders will help in determining the minimal set of permissions required to authorize access to or delegate administrative authority to these stakeholders, which will allow you to delegate administrative responsibility based on the principle of least privilege.

Creating a Delegation Model

The service and data owners are collectively responsible for the creation of an administrative model that efficiently distributes responsibilities among various administrative groups, within their organization’s specific structural, operational, legal, and administrative constraints. After having gained a clear understanding of the full range of administrative tasks and responsibilities involved in managing Active Directory, they should create a delegation model taking into account specific administrative needs related to service and data management.

An Active Directory environment typically has one service owner, and one or more data owners for every participating entity. Because service owners are ultimately responsible for ensuring the secure and reliable delivery of the directory service, they are responsible for creating an administrative delegation model that distributes and delegates all service administrative responsibilities among service administrators.

Similarly, because data owners are ultimately responsible for managing entity content that is stored in or protected by Active Directory, they are responsible for creating an administrative delegation model that distributes and delegates all data administrative responsibilities that are required to manage content for their entity.

In some cases, participating entities might choose to delegate certain aspects of data management to a centralized group of administrators or to a group of administrators that has collective representation from all entities. In such cases, data owners from all participating entities must collaborate in creating the overall administrative delegation model for data management.

Guidelines for Creating the Delegation Model

The process of creating a delegation model essentially involves understanding the various aspects of Active Directory that need to be managed, identifying specific administrative needs of all participating business units and stakeholders, and then mapping these needs to a set of administrative roles that together provide administrative coverage for all aspects of your Active Directory environment.

Your organization might choose to define its own custom roles for Active Directory management, which could be based in part on Microsoft recommended roles, or your organization might choose to create a delegation model based purely on Microsoft recommended roles. The creation of the delegation model involves determining how many instances of each role the organization will require (based on the guidance provided in the role description) to provide administrative coverage for all aspects of your Active Directory environment, taking into account specific administrative needs.

A good delegation model has the following attributes:

  • Provides coverage for all aspects of Active Directory management.

  • Meets unique autonomy and isolation requirements.

  • Efficiently distributes administrative responsibilities.

  • Delegates administrative responsibilities in a security-conscious manner.

Implementing the Delegation Model

Implementation of the delegation model created by owners is entrusted to a small subset of the most highly trusted and skilled administrators. These administrators are also usually responsible for maintaining the model subsequent to its implementation. Typically, these administrators also assist the owners in creating the administrative delegation model. These administrators are responsible for rolling out the delegation model to enable all role instances for service and data management, as defined in the delegation model for service and data management.

The service management delegation model should be implemented by Enterprise Administrators. Once the service management delegation model is in place, the use of administrative accounts that are highly-privileged by default will be minimized, resulting in a much lower possibility of inadvertent damage by administrators who are logged on with higher credentials than are required for the task they are performing. In addition, having fewer service administrators will substantially lower the chance of inadvertent or malicious damage to the directory service.

After the service management delegation model is in place, service administrators should hand off data-management to a small, highly trusted subset of data-administrators. The data owners for each participating entity in the organization designate a small subset of their most highly trusted data administrators to represent the data owners. These data administrators should in turn be responsible for implementing the data management delegation model which will involve delegating administrative responsibility for data management to lesser privileged data administrators based on administrative roles.

As part of implementing the delegation model, this small subset of data administrators is also responsible for designing an OU structure that will enable them to delegate administrative responsibility, taking into account administrative requirements and Group Policy application requirements. These data administrators design and propose an OU structure to the data owners. After obtaining approval, the data administrators implement the OU structure and implement the various data management role instances as required. This small, highly trusted subset of data administrators who implement the data management delegation model will also responsible for maintaining the implemented delegation model.

Depending on the administrative needs of your organization, delegated administrators might be given the authority to sub-delegate specific aspects of data management within their scope of administrative authority.

Implementing a delegation model requires an understanding of how delegation of administration actually works in active Directory. For more information about the details of Active Directory delegation of administration, see “Chapter Two: How Delegation Works in Active Directory” later in this document.

A well-implemented delegation model ensures that:

  • Only delegated administrators can perform the assigned tasks.

  • Delegated administrators can perform only the tasks that are assigned and explicitly delegated to them.

Guidelines for Implementing the Delegation Model

The following recommendations can be used to guide the creation of a good implementation:

  • Represent every instance of every administrative role with a unique security group.

  • Use security groups that represent roles for the sole purpose of delegating the roles. Do not use these security groups for other purposes. For example, do not use the security group to authorize access to other resources in the domain that are not associated with the ability to perform the administrative role.

  • When delegating data management, as far as possible, delegate permissions only on OUs, which are provided specifically to facilitate delegation of administration. Delegating permissions on OUs enables them to be easily and reliably revoked.

  • Unless absolutely required, do not specify permissions on individual objects within an OU.

  • To delegate a role, grant permissions sufficient only to perform the set of administrative tasks assigned to the role.

For more information about how to implement a delegation model for service and data administration, see Chapter 3: Delegating Service Management and Chapter 4: Delegating Data Management.

Maintaining the Delegation Model

Once the service and data management delegation models have been implemented, all delegated administrators and stakeholders should be able to carry out all assigned administrative tasks.

A well-planned and well-implemented delegation model will minimize the need for much maintenance. However, over time, changes in administrative needs and workforce changes might necessitate appropriate changes to the administrative delegation model. Maintenance of the delegation model involves taking these developments into account and making appropriate changes.

For each management category, service or data administrators might need to:

  • Modify and/or re-delegate existing roles. For example, you might need to add a new task to a role definition or to a specific instance of the role.

  • Create and delegate customized roles. You might need to create and delegate new roles that complement or supplement existing roles but that were not included in the original delegation model.

  • Remove delegation of existing roles. For example, you might need to remove a user from an administrative role, which involves simply removing the user from the administrative group. Alternatively, you might need to revoke a specific capability of the role, or the entire role, which involves removing all of the permissions that are delegated for either that capability (task) or for the entire role.

Note

You can use a script or the command-line tool Dsrevoke.exe to remove all permissions for a group or user in the DACLs of all OU objects in a specified scope. For more information about using Dsrevoke.exe, see Appendix G: Active Directory Delegation Tools in Best Practices for Delegating Active Directory Administration: Appendices, which accompanies this document.

For more information about maintaining service and data delegation models, see Chapter 3: Delegating Service Management and Chapter 4: Delegating Data Management.