Built-in Groups vs. Delegation
In many environments the network or domain administrator uses the default, built-in groups to grant the ability to perform routine administrative tasks: resetting passwords, managing accounts, backing up and restoring data, and so on. These built-in groups include Backup Operators, Server Operators, and Group Policy Creator Owners. Although these groups provide the privileges needed to get the tasks done, they often provide far more access than the task requires. As an alternative, Active Directory offers a way to grant exactly the privileges a task needs without using the built-in groups at all. The method is called Delegation of Administration, or just Delegation. This article compares and contrasts the two methods. Each has distinct advantages, depending on the desired result.
There are plenty of built-in groups to choose from, so it is worth categorizing them first so that we are on the same page. One set of groups is used to administer Active Directory itself, its services, and other important directory service features. These groups are located in the Users container, as shown in Figure 1, and include:
- Cert Publishers
- Domain Admins
- DHCP Administrators
- Enterprise Admins
- Group Policy Creator Owners
- Schema Admins
These groups are essential for Active Directory and should be used to provide administrative control over these areas. It is not really possible to use Delegation to replace the functions that these groups provide. Therefore, we are not going to focus on these groups in this article.
Figure 1: Users container within Active Directory
A second category of built-in groups lives in a different place in Active Directory: the Builtin container, as shown in Figure 2.
Figure 2: Builtin container within Active Directory
These groups include:
- Account Operators
- Backup Operators
- Server Operators
- Print Operators
For this article, we are focusing on these built-in groups. These are the groups that are inherited from Windows NT domains and can still be used to provide privileges to administrators.
Scope and Common Uses of the Built-in Groups
The built-in groups have a very distinct scope. They are designed to be used on the domain controllers and the domain controllers only. One indication is that all of these groups are Builtin Local in scope (displayed as Domain Local by the tools; "Local" in Windows NT). The more telling indication is where their user rights come from: rights such as Log on locally and Shut down the system are granted to these groups in the Default Domain Controllers Policy, so they take effect only on domain controllers. Their purpose is to provide privileges to administrators who need to perform tasks on the domain controllers.
Another way to confirm this is that the local Security Accounts Manager (SAM) database on every client and member server has its own local built-in groups to perform these duties. The Administrators and Backup Operators groups exist in every SAM. The other groups are not needed in the local SAM, because the local Administrators group (or, on older systems, the Power Users group) provides the privileges to accomplish the associated tasks on a client or server.
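A quick way to see the scope and current membership of these groups in your own domain is the following PowerShell, added here as an example (it is not from the original article). It assumes the ActiveDirectory RSAT module is installed and that the session runs as an ordinary domain user, which is enough to read group membership.

```powershell
# Added example: inventory the NT-era operator groups in the Builtin container.
# Assumes the ActiveDirectory module (RSAT) is installed; any domain user can run it.
Import-Module ActiveDirectory

$domain         = Get-ADDomain
$builtinDN      = "CN=Builtin,$($domain.DistinguishedName)"
$operatorGroups = 'Account Operators', 'Backup Operators', 'Server Operators', 'Print Operators'

$report = foreach ($name in $operatorGroups) {
    # Look the group up by sAMAccountName inside the Builtin container only
    $group = Get-ADGroup -Filter "sAMAccountName -eq '$name'" -SearchBase $builtinDN `
                         -Properties isCriticalSystemObject
    if (-not $group) { Write-Warning "Group '$name' not found in $builtinDN"; continue }

    # -Recursive flattens nested groups so every principal that inherits the rights is listed
    $members = @(Get-ADGroupMember -Identity $group -Recursive)

    [pscustomobject]@{
        Group                = $group.Name
        Scope                = $group.GroupScope            # DomainLocal: effective on DCs only
        CriticalSystemObject = $group.isCriticalSystemObject
        MemberCount          = $members.Count
        Members              = ($members | ForEach-Object { $_.SamAccountName }) -join ', '
    }
}

$report | Format-Table -AutoSize

# A non-empty operator group deserves a closer look: membership cannot be scoped down,
# so every member holds these rights on every domain controller and every eligible object.
$report | Where-Object MemberCount -gt 0 | ForEach-Object {
    Write-Warning ("{0} has {1} member(s): {2}" -f $_.Group, $_.MemberCount, $_.Members)
}
```

The local counterpart on a member server is `Get-LocalGroupMember -Group 'Backup Operators'` (Windows 10 / Server 2016 and later), which shows the SAM-level group the paragraph above refers to.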
It is important to know not only the scope of these built-in groups, but also their capabilities. Table 1 lists what the members of each group can do.

Table 1: Capabilities of the operator groups in the Builtin container

| Capability | Account Operators | Backup Operators | Print Operators | Server Operators |
|---|---|---|---|---|
| Create, delete, and manage user and group accounts | Yes | | | |
| Read all user information | Yes | | | |
| Reset password for user accounts | Yes | | | |
| Create, delete, and manage printers | | | Yes | |
| Back up files and directories | | Yes | | Yes |
| Restore files and directories | | Yes | | Yes |
| Log on locally | Yes | Yes | Yes | Yes |
| Shut down the system | Yes | Yes | Yes | Yes |

Server Operators also hold rights on domain controllers that the table does not list, such as creating and deleting shares, changing the system time, and formatting disks.
As you scan through the capabilities that the members of the built-in groups have, keep in mind that these capabilities have the scope of all domain controllers in the domain, as well as all objects within the domain. Therefore, if you add a user to one of these groups, you can't scale down their scope of influence.
For example, it is common to want to have a junior administrator or the helpdesk staff to reset passwords for users in the domain. With the built-in groups, you would simply add them to the Account Operators group to accomplish this. However, take a look at the other privileges that this membership provides them. They can also perform all of the following tasks:
- Create, delete, and manage user accounts
- Create, delete, and manage group accounts
- Log on locally
- Shut down the system
As you can see, these additional privileges vastly expand the scope of influence compared to the original desire to just have the administrators reset passwords.
Another key point about our example is to consider whose password they would be able to reset. Account Operators cannot modify the accounts that Active Directory protects through AdminSDHolder: the built-in Administrator account and the members of Administrators, Domain Admins, Enterprise Admins, Schema Admins, and the operator groups themselves. Every other user account in the domain is in scope, so a member of Account Operators can reset the password of:
- All IT staff who are not in one of those protected groups
- HR personnel
- Every other user in the domain, executives and service accounts included
Combined with the right to create accounts and to log on locally to domain controllers, this is far more than a password-reset role should hold.
As a best practice, use these groups sparingly within an Active Directory domain. In Windows NT domains you did not have much choice, since there was no way to scale down a user's privileges by creating additional groups within the domain. These groups should only be used when an administrator genuinely needs access to all of the domain controllers or to all objects within Active Directory. In those cases, using these groups is easy and efficient.
Delegation of Administration
Delegation is one of the primary reasons that companies and administrators want to move to Active Directory. The old methods of providing privileges to administrators are clumsy and grant too large a scope of influence. Delegation addresses both problems by allowing granular assignment of privileges within Active Directory. There are really two different concepts behind the "granularity" that delegation provides.
- Delegation provides the ability to narrow down the privilege to specific tasks and responsibilities. If the privilege is associated with an object or account, the granularity can be down to the property level of the object or account.
- Delegation allows for scoping of the privilege within Active Directory. This means that an administrator can be given control over some of the objects and accounts in Active Directory, but not all of them.
When we take the cover off of delegation within Active Directory, we see that it is not all that complex. Delegation is accomplished by adding permissions to the Access Control List (ACL) of objects and accounts within Active Directory. Every object and account has an ACL, and permissions set on a container such as an OU are inherited by the objects beneath it, so a single entry on the OU covers every account it holds, including accounts created there later.
Microsoft helps you complete the delegation by providing you with a Delegation of Control Wizard, as seen in Figure 3.
Figure 3: Delegation of Control Wizard within Active Directory
This wizard takes you through the following steps, allowing you to easily establish the privileges and control that you desire for administrators over objects and accounts within Active Directory.
- You select the location within Active Directory where you want to delegate privileges (this is typically done at the Organizational Unit (OU) level)
- You select which groups you want to give the delegated privileges to.
- You select from a list of "Common tasks" (shown in Figure 4), or from a list of "Custom tasks." The custom tasks are nothing more than a lengthy list of all permissions that can be assigned to the different objects within Active Directory.
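The same delegation can be performed from PowerShell; the script below is an added example, not code from the original article. It reproduces what the wizard's common task "Reset user passwords and force password change at next logon" does: two access control entries on the OU, inherited by the user objects beneath it. The OU distinguished name and the Helpdesk-PwReset group are placeholders, and the script assumes the ActiveDirectory module, which provides the AD: drive used by Get-Acl and Set-Acl.

```powershell
# Added example: scripted equivalent of the wizard's common task
# "Reset user passwords and force password change at next logon", applied to one OU.
# Assumes the ActiveDirectory module; the OU and group names are placeholders.
Import-Module ActiveDirectory

$targetOU  = 'OU=Helpdesk Users,DC=corp,DC=example'   # assumption: OU holding the delegated users
$groupName = 'Helpdesk-PwReset'                        # assumption: group receiving the delegation

# Well-known GUIDs from the AD schema and the Extended-Rights container
$resetPasswordRight = [Guid]'00299570-246d-11d0-a768-00aa006e0529'   # control access right: Reset Password
$pwdLastSetAttr     = [Guid]'bf967a0a-0de6-11d0-a285-00aa003049e2'   # attribute: pwdLastSet
$userClass          = [Guid]'bf967aba-0de6-11d0-a285-00aa003049e2'   # object class: user

$groupSid = [System.Security.Principal.SecurityIdentifier](Get-ADGroup -Identity $groupName).SID
$inherit  = [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents
$allow    = [System.Security.AccessControl.AccessControlType]::Allow

$acl = Get-Acl -Path "AD:\$targetOU"

# ACE 1: the Reset Password extended right, on user objects under the OU only
# (Descendents + $userClass: the OU itself and non-user children are not affected)
$acl.AddAccessRule([System.DirectoryServices.ActiveDirectoryAccessRule]::new(
    $groupSid,
    [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight,
    $allow, $resetPasswordRight, $inherit, $userClass))

# ACE 2: read/write pwdLastSet on those users, which is what
# "User must change password at next logon" actually sets
$acl.AddAccessRule([System.DirectoryServices.ActiveDirectoryAccessRule]::new(
    $groupSid,
    [System.DirectoryServices.ActiveDirectoryRights]'ReadProperty, WriteProperty',
    $allow, $pwdLastSetAttr, $inherit, $userClass))

Set-Acl -Path "AD:\$targetOU" -AclObject $acl

# Verify: show only the ACEs this group now holds on the OU
(Get-Acl -Path "AD:\$targetOU").Access |
    Where-Object { $_.IdentityReference -like "*\$groupName" } |
    Select-Object ActiveDirectoryRights, AccessControlType, ObjectType, InheritedObjectType, InheritanceType |
    Format-Table -AutoSize
```

Note what the helpdesk group does not get: no rights on group objects, no local logon to domain controllers, and nothing outside this OU. Accounts protected by AdminSDHolder that happen to sit in the OU are still excluded, because their ACLs do not inherit.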
Figure 4: Delegation wizard provides a list of common tasks that you can assign quickly
Common Uses for Delegation of Administration
Delegation is used throughout Active Directory and is a very powerful and efficient way to provide targeted privileges. Remember, delegation not only targets a specific task, but it also targets a specific set of objects or accounts within Active Directory.
The most common use of delegation is to provide administration over user and group accounts within Active Directory. The delegation is best used when the Active Directory design (particularly the design and organization of OUs) takes into consideration where delegation will be configured. Here are some common tasks that are delegated:
- Resetting passwords for a specific set of user accounts
- Creation of user accounts within a specific OU
- Privilege to read user information for a set of user accounts
- Creating group accounts within a specific OU
- Managing group membership for a specific set of group accounts
Beyond the typical user and group management, you will find that the following tasks can be delegated as well:
- Adding workstations (joining computers to the domain) into a specific OU
- Linking GPOs to specific OUs
- Management of printers within a specific OU
- Management of shared folders within a specific OU
The built-in groups that exist within Active Directory are easy to use and manage. However, these groups provide privileges and scope that go beyond what most administrators need to perform their job. An alternative is Delegation of Administration, which allows the privileges and scope to be very granular. This granularity makes the delegation approach both more secure and more efficient, provided the delegated permissions are documented and reviewed periodically: unlike group membership, permissions scattered across OU ACLs are easy to forget and hard to see at a glance. In most cases, you will want to use Delegation over the built-in groups.
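Reviewing delegation is the part the wizard does not help with, so here is an added PowerShell example (not from the original article) that walks every OU in the domain and reports the explicit, non-inherited access control entries granted to anything other than the trustees found in a default OU ACL. It resolves attribute and extended-right GUIDs back to names using the schema and the Extended-Rights container. It assumes the ActiveDirectory module and a user who can read OU security descriptors; the list of default trustees is an assumption you may need to extend for your forest.

```powershell
# Added example: list who has been delegated what, across every OU in the domain.
# Assumes the ActiveDirectory module; run as a user allowed to read OU security descriptors.
Import-Module ActiveDirectory

$rootDse = Get-ADRootDSE

# Map schemaIDGUID (attributes/classes) and rightsGuid (extended rights) back to names
$guidNames = @{}
Get-ADObject -SearchBase $rootDse.schemaNamingContext -LDAPFilter '(schemaIDGUID=*)' `
             -Properties lDAPDisplayName, schemaIDGUID |
    ForEach-Object { $guidNames[[Guid]$_.schemaIDGUID] = $_.lDAPDisplayName }
Get-ADObject -SearchBase "CN=Extended-Rights,$($rootDse.configurationNamingContext)" `
             -LDAPFilter '(objectClass=controlAccessRight)' -Properties displayName, rightsGuid |
    ForEach-Object { $guidNames[[Guid]$_.rightsGuid] = $_.displayName }

function Resolve-AdGuid([Guid]$Guid) {
    # An empty GUID in an ACE means "all properties / all object classes"
    if ($Guid -eq [Guid]::Empty)       { return 'All' }
    if ($guidNames.ContainsKey($Guid)) { return $guidNames[$Guid] }
    return $Guid.ToString()            # unknown GUID: show it raw rather than hide it
}

# Trustees present in a default OU ACL (assumption: extend for your own forest).
# Anything else holding an explicit ACE is a delegation somebody added.
$defaultTrustees = '^(NT AUTHORITY\\(SYSTEM|SELF|Authenticated Users|ENTERPRISE DOMAIN CONTROLLERS)' +
                   '|Everyone' +
                   '|BUILTIN\\(Administrators|Account Operators|Print Operators|Pre-Windows 2000 Compatible Access)' +
                   '|.*\\(Domain Admins|Enterprise Admins|Key Admins|Enterprise Key Admins))$'

$findings = Get-ADOrganizationalUnit -Filter * | ForEach-Object {
    $ou = $_
    (Get-Acl -Path "AD:\$($ou.DistinguishedName)").Access |
        Where-Object { -not $_.IsInherited -and $_.IdentityReference.Value -notmatch $defaultTrustees } |
        ForEach-Object {
            [pscustomobject]@{
                OU        = $ou.DistinguishedName
                Trustee   = $_.IdentityReference.Value
                Type      = $_.AccessControlType
                Rights    = $_.ActiveDirectoryRights
                Property  = Resolve-AdGuid $_.ObjectType           # attribute or extended right
                AppliesTo = Resolve-AdGuid $_.InheritedObjectType  # object class the ACE inherits to
                Inherit   = $_.InheritanceType
            }
        }
}

$findings | Sort-Object OU, Trustee | Format-Table -AutoSize
```

Trustees that show up as a raw SID (S-1-5-21-...) are delegations to accounts or groups that no longer exist and should be removed; an entry with Rights of GenericAll or WriteDacl on an OU is a delegation that is effectively full control of everything beneath it and deserves the same scrutiny as membership in an operator group.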