Export (0) Print
Expand All

Implementing the Service Management Delegation Model

Updated: December 5, 2005

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2

Implementing the service administrative delegation model involves the creation of security groups to represent role instances and the granting of sufficient permissions for every security group representing a role instance so as to enable the administrators in each role (represented by membership in corresponding security groups) to carry out their assigned responsibilities. The implementation process is performed by a select few service administrators who are trusted by the service owner to faithfully delegate the administrative roles according to the delegation model. These administrators are usually members of the Enterprise Admins group.

To implement each role, the administrator responsible for implementing the service management delegation model performs the following general tasks:

  1. Define a location to store the security groups that represent all role instances.

  2. Create a new group to represent the role or designate an existing default administrative group (for example, Schema Admins) for each role instance.

  3. Enable each instance of the role by doing the following:

    Assign the collective set of permissions (required to perform the set of all administrative tasks assigned to a role) to the security group representing the specific instance of the role.

    Assign the collective set of user rights (required to perform the set of all administrative tasks assigned to a role) to the security group representing the specific instance of the role for all operations that the administrators must perform on the system (usually the domain controller).

  4. Delegate the role that you have enabled by adding the user accounts of the assigned administrators to the appropriate group.

Make sure that the groups that you use to implement the role are used only for that role and contain only the assigned administrators as members.

Storing Security Groups for Service Management

Most security groups for service management will be created in, and managed from, the forest root domain. Thus, it is appropriate to create and store the security groups that represent service administration role instances in a specific location so that they can be managed easily.

Create an OU in the forest root domain, directly under the domain object. Name the OU “Service Management” or choose a similar name that adequately conveys the purpose of the OU.

Figure 1 shows a domain hierarchy with the Service Management OU.


Creating or Assigning Security Groups

Table 5 shows a recommended list of names to use for the security groups that represent various instances of service management roles.

Table 5 Recommended Names for Service Management Role Instances

Service Management Role Recommended Names

Forest Configuration Operators

Forest Name Forest Config Ops

Domain Configuration Operators

Domain Name Domain Config Ops

Security Policy Administrators

Forest Name Security Policy Admins

Service Admin Managers

Forest Name Service Admin Managers

Domain Controller Administrators

Domain Name location DC Admins

location could refer to:

  1. A set of domain controllers physically located in a centrally or remotely located datacenter

  2. A set of all domain controllers physically located in remote locations but centrally managed via remote management solutions

  3. Every domain controller that is locally managed at a branch office, assuming that a remote management solution is not being used.

Backup Operators

Use the pre-defined Backup Operators group for this role

Schema Administrators

Use the pre-defined Schema Admins group for this role

Replication Management Administrators

Forest Name Repl Mgmt Admins

Replication Monitoring Operators

Forest Name Repl Monitoring Ops

DNS Administrators

Forest Name DNS Admins

Enabling Service Management Administrative Roles Instances

Appendix L: Implementing Service Management Delegation Roles in Best Practices for Delegating Active Directory Administration: Appendices, which accompanies this document, provides the guidelines for implementing each service management role and provides the set of permissions that should be granted to implement each role. Implementing each role instance by granting the set of permissions provided for each role enables each role instance.

Protecting Service Management Administrative Role Instances

After you have implemented your service management administrative role instances, it is recommended that you adequately protect all security groups representing the various administrative role instances and their members.

One way of doing this is to make every security group representing a role instance a member of one of the default service administrator groups protected by the AdminSDHolder object. Certain administrative roles instances can be represented by existing service administrator groups in Active Directory – these security groups do not need to be members of another service administrator group. This will ensure that only the Service Admin Managers and Enterprise Administrators can modify the memberships of all service admin accounts and of all administrative roles.

It is recommended that you make all these groups members of the Print Operators group in the specific domain to which the security groups representing the roles belong, and take away the Load and unload device drivers privilege from Print Operators (by modifying the default Domain Controller security policy in each domain). This will ensure that all security groups representing administrative roles are protected. Note that there is nothing special about the Print Operators group. The use of this group to protect service admin role instances is only being recommended because it is one of the less used service administrative groups.

Delegating Role Instances

To delegate role instances, modify the group memberships of the respective security groups representing each role by adding the user accounts of all administrators that were assigned to each role during the model creation phase.

Do not forget to update your documentation for each role, noting specifics such as the collective set of permissions assigned and the specific security group used to implement each service administration role instance.

Community Additions

© 2016 Microsoft