Chapter 5: Establishing Secure Administrative Practices
Updated: December 2, 2007
Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2, Windows Server 2008, Windows Server 2008 R2
Any user who has administrative access to domain controllers can cause breaches in security. Individuals seeking to damage the system might be unauthorized users who have obtained administrative passwords, or they might be legitimate administrators who are coerced or disgruntled. Furthermore, not all problems are caused by malicious intent. An inexperienced user who is granted administrative access might inadvertently cause problems by failing to understand the ramifications of configuration changes.
You can minimize these problems by carefully controlling the scope of influence that you give to administrative accounts. For the day-to-day management of your environment, avoid using all-powerful administrative accounts that have complete access to every domain controller and full access to the directory. Instead, configure administrative accounts so that their scope of influence is limited to the specific containers in Active Directory that they need to do their jobs. In the event that one of these accounts is misused, the amount of damage that can be done is limited.
For Active Directory in Windows Server 2003, there are two types of administrative responsibility: service administration and data administration:
Service administrators are responsible for maintaining and delivering the directory service, including domain controller management and directory service configuration.
Data administrators are responsible for maintaining the data that is stored in the directory service and on domain member servers.
Some information that is needed to manage or configure the Active Directory service is controlled by objects that are stored in the directory itself. Although this information is stored in the directory, it is used and managed by service administrators. For this reason, service administrators can act as data administrators. Due to their limited access, data administrators cannot act as service administrators.
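As an added illustration of limiting an account's scope of influence to a specific container (example code, not part of the original chapter), the following PowerShell uses the dsacls tool that ships with Windows Server to delegate a data-administrator group rights only within one organizational unit; the domain name CONTOSO, the OU and the group name are placeholders.

```powershell
# Added example (not from the original chapter): scope a data-administrator
# group to a single OU with dsacls instead of placing it in Domain Admins.
# Assumed placeholder names: the domain CONTOSO, the OU and the group below.
$ou    = "OU=Sales,DC=contoso,DC=com"
$group = "CONTOSO\SalesDataAdmins"

# /I:S inherits the entries onto sub-objects only: the group gains rights over
# user objects inside this OU, but no rights on the OU object itself and none
# anywhere else in the domain.
# CC/DC = create and delete child objects of class user.
dsacls $ou /I:S /G "${group}:CCDC;user"
# Reset Password is an extended right, granted with CA (control access) on user objects.
dsacls $ou /I:S /G "${group}:CA;Reset Password;user"

# Check the result: display the OU's ACL and keep only the entries for the delegated group.
dsacls $ou | Select-String -SimpleMatch $group
```

Because the group's entries live only on this OU, an account in it cannot change domain controllers or directory service configuration, which is the service-administrator role described above.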