If you are like most companies, you have moved from your old Windows NT domains into Active Directory. When you made the switch, you made most of the Windows NT domains Active Directory Organizational Units (OUs). From there, the NT domain admins were delegated full control over their appropriate new OU. Did you know that you might be giving away too much control to these admins?
Establishing the Base Delegation
With a migration from Windows NT domains to Active Directory OUs, it only makes sense to allow the former NT domain admins to control their own OU. This is easily accomplished by creating OUs within Active Directory that matched the old NT domain infrastructure. This might mean that you have OUs named after physical cities or locations, departments, or some other form of logical delineation.
To establish this delegation allowing the NT domain admins control over their new OU is to use Delegation of Administration. This Delegation of Administration is established by using the Delegation Wizard. For example, say you have the following AD structure shown in Figure 1.
Figure 1: Active Directory OU structure example
You have a group for each of these departments. So, you have the HRIT staff group that is responsible for the HR Department OU. To delegate to the HRIT group, you will use the Delegation of Control Wizard. Right click on the HR Department OU and select the Delegate Control menu option, as shown in Figure 2.
Figure 2: Delegate Control menu option will allow configuration for delegation of administration
This will open the Delegation of Control Wizard, which will allow you to configure Full Control to the HRIT group. This is a bit tricky, as you don’t have Full Control as an option when you come to the initial delegation list. You will need to configure a custom task of delegation, as shown in Figure 3.
Figure 3: Full Control of an OU requires custom delegation options
Since you want the delegation to be over all objects in the OU, you will then select the option for all files, folders, etc within the OU. The next screen will then ask you what level of delegation. You of course want Full Control, as shown in Figure 4.
Figure 4: Full Control delegation will grant the user all access to all objects in the OU
From a user within the HRIT group standpoint, they will see the following options when they right click on the HR Department OU, as seen in Figure 5.
Figure 5: Delegation over an OU grants all functionality to the objects in the OU
What Else Does Full Control Delegation Provide
After the delegation is established over an OU and therefore the contents of that OU, the OU administrator only needs to have access to the Active Directory Users and Computers snap-in to perform the administration of the included objects. Figure 5 illustrates what that would look like.
The problem is that the administrator does not only have control over the objects in the OU, the administrator has control over tangential objects and features related to the OU. These additional controls include those related to Group Policy. This would include the following:
- Linking a GPO to the OU
- Establishing Block Inheritance at the OU
The first of these, Linking a GPO to the OU, is typically a desired task of an OU administrator. This would mean that the administrator could dictate which GPOs would affect both the user and computer accounts in their OU. This might include security, desktop management, software deployment, etc. controls.
The second task is typically not desired by an OU administrator. Blocking Inheritance, as seen in Figure 6, will block higher level GPOs from applying to objects in the OU.
Figure 6: Block Inheritance is set at Active Directory nodes
With too much delegated power, the administrator could block all of the GPOs that were configured at a site, the domain, and all higher level OUs. This could leave the user or computer in the OU with weakened security, too much control of their desktop, and/or missing software installs. With no mechanism for the administrator higher in the Active Directory structure to know that this Block Inheritance was set.
Removing the Block Inheritance Delegated Privilege
Once Full Control is granted to an OU, it is not all that easy to “remove” certain capabilities. The reason for this is that there are over 1000, possibly 1500, individual permissions that can be set on the OU. For you to find the magic set of permissions that will remove a specific task is not easy to do. The Delegation of Control Wizard is not robust enough to include all tasks, so some tasks must be customized.
In the instance of the Block Inheritance task, a complex array of permissions must be manually removed so the OU administrator can perform all desired tasks within the OU, sans the Block Inheritance for the OU. In order to successfully deny the Block Inheritance capability, you must configure the following granular permissions for the user/group on the OU.
On the “HR” OU, right-click and select the Properties menu option. Then select the Security tab, then the Advanced button on that tab. From there, you will need to edit the security to ensure the permissions are set as shown in Table 1.
Security Tab | Apply to: | Allow/Deny | Specific Permission |
Properties | Organizational Unit objects | Deny | Write gPLink |
Properties | Organizational Unit objects | Deny | Write gPOptions |
Properties | This Object Only | Deny | Write gPLink |
Properties | This Object Only | Deny | Write gPOptions |
Objects | Organizational Unit objects | Deny | Modify Permissions |
Objects | Organizational Unit objects | Deny | Modify Owner |
Objects | This Object Only | Deny | Modify Permissions |
Objects | This Object Only | Deny | Modify Owner |
Objects | This Object and all child objects | Allow | Full Control |
Summary
Delegation of Administration is a very important aspect of Active Directory. It provides an excellent method for narrowing down what tasks administrators can perform in the Active Directory structure. However, if too much delegation is provided, too many tasks can be performed. There are some cases where these tasks are outside of the Active Directory interface, such as with Block Inheritance. With some due diligence, the delegation can be narrowed, but it will require some work to determine which permissions need to be restricted. Here, you can deny Block Inheritance, while maintaining the other Active Directory tasks for OU administrators.
