Implementing the Service Management Delegation Model
Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2
Implementing the service administrative delegation model involves the creation of security groups to represent role instances and the granting of sufficient permissions for every security group representing a role instance so as to enable the administrators in each role (represented by membership in corresponding security groups) to carry out their assigned responsibilities. The implementation process is performed by a select few service administrators who are trusted by the service owner to faithfully delegate the administrative roles according to the delegation model. These administrators are usually members of the Enterprise Admins group.
To implement each role, the administrator responsible for implementing the service management delegation model performs the following general tasks:
Define a location to store the security groups that represent all role instances.
Create a new group to represent the role or designate an existing default administrative group (for example, Schema Admins) for each role instance.
Enable each instance of the role by doing the following:
Assign the collective set of permissions (required to perform the set of all administrative tasks assigned to a role) to the security group representing the specific instance of the role.
Assign the collective set of user rights (required to perform the set of all administrative tasks assigned to a role) to the security group representing the specific instance of the role for all operations that the administrators must perform on the system (usually the domain controller).
Delegate the role that you have enabled by adding the user accounts of the assigned administrators to the appropriate group.
Make sure that the groups that you use to implement the role are used only for that role and contain only the assigned administrators as members.
Storing Security Groups for Service Management
Most security groups for service management will be created in, and managed from, the forest root domain. Thus, it is appropriate to create and store the security groups that represent service administration role instances in a specific location so that they can be managed easily.
Create an OU in the forest root domain, directly under the domain object. Name the OU “Service Management” or choose a similar name that adequately conveys the purpose of the OU.
Figure 1 shows a domain hierarchy with the Service Management OU.
.gif "33cc6ee5-3d05-4f2d-b9b1-27ce84f07792")
Creating or Assigning Security Groups
Table 5 shows a recommended list of names to use for the security groups that represent various instances of service management roles.
Table 5 Recommended Names for Service Management Role Instances
| Service Management Role | Recommended Names |
|---|---|
Forest Configuration Operators |
Forest Name Forest Config Ops |
Domain Configuration Operators |
Domain Name Domain Config Ops |
Security Policy Administrators |
Forest Name Security Policy Admins |
Service Admin Managers |
Forest Name Service Admin Managers |
Domain Controller Administrators |
Domain Name location DC Admins location could refer to:
|
Backup Operators |
Use the pre-defined Backup Operators group for this role |
Schema Administrators |
Use the pre-defined Schema Admins group for this role |
Replication Management Administrators |
Forest Name Repl Mgmt Admins |
Replication Monitoring Operators |
Forest Name Repl Monitoring Ops |
DNS Administrators |
Forest Name DNS Admins |
Enabling Service Management Administrative Roles Instances
Appendix L: Implementing Service Management Delegation Roles in Best Practices for Delegating Active Directory Administration: Appendices, which accompanies this document, provides the guidelines for implementing each service management role and provides the set of permissions that should be granted to implement each role. Implementing each role instance by granting the set of permissions provided for each role enables each role instance.
Protecting Service Management Administrative Role Instances
After you have implemented your service management administrative role instances, it is recommended that you adequately protect all security groups representing the various administrative role instances and their members.
One way of doing this is to make every security group representing a role instance a member of one of the default service administrator groups protected by the AdminSDHolder object. Certain administrative roles instances can be represented by existing service administrator groups in Active Directory – these security groups do not need to be members of another service administrator group. This will ensure that only the Service Admin Managers and Enterprise Administrators can modify the memberships of all service admin accounts and of all administrative roles.
It is recommended that you make all these groups members of the Print Operators group in the specific domain to which the security groups representing the roles belong, and take away the Load and unload device drivers privilege from Print Operators (by modifying the default Domain Controller security policy in each domain). This will ensure that all security groups representing administrative roles are protected. Note that there is nothing special about the Print Operators group. The use of this group to protect service admin role instances is only being recommended because it is one of the less used service administrative groups.
Delegating Role Instances
To delegate role instances, modify the group memberships of the respective security groups representing each role by adding the user accounts of all administrators that were assigned to each role during the model creation phase.
Do not forget to update your documentation for each role, noting specifics such as the collective set of permissions assigned and the specific security group used to implement each service administration role instance.