Delegating Resource Group Maintenance

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2

In the AG/RG model, related resources are collected into resource groups, although the resources themselves are not members of the resource groups. Instead, the ACLs of the individual resources are edited to grant the resource group appropriate access, and then account groups are added as members of the resource group, which gives the members of the account group access to the resources.

If you have adopted this model for your organization, you need to decide who sets the ACLs on the resources, and who controls the membership of the resource groups. In some cases, the departmental administrators (who maintain departmental account groups) have control over both the resources and resource groups in their departments.

In large organizations, however, the departmental admin group can become overwhelmed with requests for resource access or with other resource management duties. One solution to this problem is to enable resource owners to control access to their resources. The resource owner has full knowledge of the resource and is motivated both to make the resource available to legitimate users and to protect it from unauthorized access. Resource owners have control over access to their resources by default in Windows Server 2003.

For resource owners to have full control over access to their resources, they also must control the membership of the resource group. In this way, they control which account groups can become members of their resource groups.

In some cases, you must delegate resource group maintenance to resource owners. To do so, you must establish that the resource owner is responsible for editing the ACLs of the resource in order to grant appropriate access to specific resource groups. By default, the owner of a file or directory, a Server Operator, a Domain Admin, or an Enterprise Admin has permission to edit the ACLs of a resource. You must also grant resource owners control over the membership of the resource groups (but not the right to create or delete the resource groups) that must access their resource.
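The delegation described above, sketched as a command-line example that is added here and is not part of the original article. It assumes the Windows Support Tools (for `dsacls`) are installed, and every path, domain, group and account name in it is a constructed placeholder.

```bat
@echo off
rem Added example: AG/RG delegation for one resource.
rem All names below are constructed placeholders, not values from the article.
setlocal
set RESOURCE=D:\Shares\Finance
set RG_NAME=EXAMPLE\RG-Finance-Read
set RG_DN=CN=RG-Finance-Read,OU=Resource Groups,DC=example,DC=com
set AG_DN=CN=AG-Finance-Staff,OU=Account Groups,DC=example,DC=com
set OWNER=EXAMPLE\finance-owner

rem 1. Resource ACL: grant the resource group Read access.
rem    /E edits the existing ACL instead of replacing it.
cacls "%RESOURCE%" /E /G "%RG_NAME%:R"

rem 2. Membership: add the account group to the resource group.
rem    Members of the account group now reach the resource through the group.
dsmod group "%RG_DN%" -addmbr "%AG_DN%"

rem 3. Delegation: give the resource owner write access to the "member"
rem    attribute of this one group object only. Nothing is granted on the
rem    parent OU, so the owner cannot create or delete resource groups.
dsacls "%RG_DN%" /G "%OWNER%:WP;member"

rem 4. Review: list both ACLs and confirm the owner's entry on the group
rem    is limited to WRITE PROPERTY on member, and that the resource ACL
rem    names the resource group rather than individual accounts.
dsacls "%RG_DN%"
cacls "%RESOURCE%"
endlocal
```

Run the review step again after any later change to the group or the resource, since extra entries on either ACL bypass the AG/RG structure.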

For more information about editing ACLs, see "Access Control" in Help and Support Center for Windows Server 2003.