Sharing the Load - Securely
Delegation has always been built into Active Directory. It is primarily designed to allow domain administrators to give non-domain administrators control over very specific aspects of Active Directory and the objects stored within it. I have written many articles on these capabilities, which can be seen at the following links:
All of the above links should give anyone insight into how the delegations work, what delegations are possible and the internal workings of how the delegations are created. In summary, here are some guidelines for using the Microsoft delegation within Active Directory.
- Delegation is an altering of the permissions on the objects within Active Directory.
- Delegations are granted using the Delegation Wizard in Active Directory Users and Computers.
- Delegations can be granted, but not removed, using the Delegation Wizard in Active Directory Users and Computers.
- Most delegations should be done at the organizational unit level, so that permission inheritance carries them down the Active Directory structure.
- Delegations should be granted to groups, not user accounts, to ensure consistent security practices.
- The most common delegations are resetting passwords for user accounts, joining computers to the domain, moving computers to an organizational unit, and modifying group membership.
- Delegations can be verified by using DSACLS, which is a built-in command.
The Use of Delegation
I find that most administrators have tried to use the Microsoft delegation model, but find that the implementation of the technology is more complex than they anticipated, so they abandon the task. The reason the implementation is so difficult is that the Active Directory Users and Computers tool is not aware of the delegations that have been set. What I mean by this is that Active Directory Users and Computers does not dynamically change the capabilities within the tool based on the user that is logged on. This means that the user will see all of the objects, menus, commands, and capabilities of the Active Directory Users and Computers tool, even though they are not capable of exercising the options. If Active Directory Users and Computers dynamically displayed only the commands and menus that are granted via delegation, the tool would be very useful for delegation.
The solution that Microsoft provides for delegation is to create Taskpad Views. I find that fewer than 25% of all admins have even heard of this technology, and of those, fewer than 25% have attempted to create one. I highly suggest you don’t waste your time, as they are not friendly, highly manual, and a management nightmare to control.
So, in the end, there is the capability to set delegations, but not to remove them. There is also no real interface to leverage what has been delegated.
When considering what is desired for delegations, I am going to rely on what I know about maintaining a production Active Directory domain, input from my students over the years, and feedback from other admins over the years. There are a few factors that all admins want, and need, to ensure that the implementation of the delegation will be successful.
- The delegation should be easy to set up.
- The current delegations should be easy to view.
- Delegations should be easy to remove.
- Delegations should be reportable for security and audit.
- Delegations should be granular, to control individual properties of objects.
- The delegations should be exposed to the delegated user in a simple, easy to understand format.
- Ideally delegation should go beyond just resetting user account passwords, joining computers to the domain, moving computers to organizational units, and modifying group membership.
- Delegations should be dynamic in the tool that the delegated user views, so all of the delegations show up within the tool being used.
- Delegations should be customizable, such that some properties are mandatory and pre-defined, while others are mandatory but configurable by a technician.
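The guidelines above say that a delegation is nothing more than an ACL change on an OU, that the Delegation Wizard can set one but not remove it, and that DSACLS is the way to verify what exists; the wish list then asks for delegations that are easy to view, remove and report. The following PowerShell is an added example written for this article, not code from the original or from Microsoft. It assumes the RSAT ActiveDirectory module (which provides the AD: drive), a domain-joined session with rights to read and write the OU's security descriptor, and placeholder OU and trustee names. It reports the explicit ACEs on an OU with the extended-right and attribute GUIDs resolved to names (the same data DSACLS prints raw), and revokes all explicit ACEs for one trustee, which is the step the Wizard has no equivalent for.

```powershell
# Added example, not from the original article. Requires the RSAT ActiveDirectory
# module (which also provides the AD: drive). OU paths and trustee names are placeholders.
Import-Module ActiveDirectory

function Get-AdRightsGuidMap {
    # Build a GUID -> friendly-name table so ACEs can be reported as
    # "Reset Password" or "member" instead of raw GUIDs.
    $rootDse = Get-ADRootDSE
    $map = @{}
    # Extended rights (e.g. Reset Password) live under CN=Extended-Rights in the Configuration partition
    Get-ADObject -SearchBase "CN=Extended-Rights,$($rootDse.configurationNamingContext)" `
        -LDAPFilter '(objectClass=controlAccessRight)' -Properties rightsGuid, displayName |
        ForEach-Object { $map[[guid]$_.rightsGuid] = $_.displayName }
    # Attributes and classes (e.g. member, computer) live in the Schema partition
    Get-ADObject -SearchBase $rootDse.schemaNamingContext `
        -LDAPFilter '(schemaIDGUID=*)' -Properties schemaIDGUID, lDAPDisplayName |
        ForEach-Object { $map[[guid]$_.schemaIDGUID] = $_.lDAPDisplayName }
    return $map
}

function Resolve-GuidName([hashtable]$Map, [guid]$Id) {
    if ($Id -eq [guid]::Empty) { return 'All' }        # empty GUID = every right / every class
    if ($Map.ContainsKey($Id)) { return $Map[$Id] }
    return $Id.ToString()
}

function Get-OuDelegation {
    # Report the explicit (non-inherited) ACEs on an OU: these are what the
    # Delegation Wizard writes, and what DSACLS prints without friendly names.
    param([Parameter(Mandatory)][string]$OuDn)
    $map = Get-AdRightsGuidMap
    $acl = Get-Acl -Path "AD:\$OuDn"
    foreach ($ace in $acl.Access) {
        if ($ace.IsInherited) { continue }   # inherited ACEs belong to a parent's delegation
        [pscustomobject]@{
            Trustee    = $ace.IdentityReference.Value
            Type       = $ace.AccessControlType
            Rights     = $ace.ActiveDirectoryRights
            ObjectType = Resolve-GuidName $map $ace.ObjectType           # right or attribute delegated
            AppliesTo  = Resolve-GuidName $map $ace.InheritedObjectType  # object class it applies to
            Inherits   = $ace.InheritanceType
        }
    }
}

function Remove-OuDelegation {
    # Remove every explicit ACE for one trustee on an OU; this is the step the
    # Delegation Wizard has no equivalent for.
    param(
        [Parameter(Mandatory)][string]$OuDn,
        [Parameter(Mandatory)][string]$Trustee   # e.g. 'EXAMPLE\HelpDesk' (placeholder)
    )
    $acl = Get-Acl -Path "AD:\$OuDn"
    $targets = @($acl.Access | Where-Object { -not $_.IsInherited -and $_.IdentityReference.Value -eq $Trustee })
    $removed = 0
    foreach ($ace in $targets) { if ($acl.RemoveAccessRule($ace)) { $removed++ } }
    if ($removed -gt 0) { Set-Acl -Path "AD:\$OuDn" -AclObject $acl }
    return $removed
}

# Usage (placeholder DN and trustee): report for audit, then revoke one delegation
# Get-OuDelegation -OuDn 'OU=Workstations,DC=example,DC=com' | Format-Table -AutoSize
# Remove-OuDelegation -OuDn 'OU=Workstations,DC=example,DC=com' -Trustee 'EXAMPLE\HelpDesk'
```

Piping `Get-OuDelegation` over every OU to `Export-Csv` gives the audit report the wish list asks for. The built-in equivalents are `dsacls "OU=...,DC=..."` to print the ACL and `dsacls "OU=...,DC=..." /R EXAMPLE\HelpDesk` to strip a trustee's ACEs; the script version only adds the name resolution and the explicit-versus-inherited split, which is what makes the output readable during a review.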
Delegation Concepts and Capabilities
Here is a listing of some concepts and capabilities that I have found that most admins and desktop support technicians desire. The goal is to have a “team” of administrators and technicians working together to manage Active Directory, objects, and the object properties.
Resetting User Account Passwords – This is a task that all companies need and have in some way already implemented. However, there are specific aspects of this process that should be considered in a desired solution.
- Self service password reset
- Random password generation, so the technician is not aware of the temporary password
- Secure communication of the temporary or new password to the end user
- A password policy more stringent than the built-in Microsoft password policy
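Two of the items above, a random temporary password the technician never sees and a policy stricter than the domain default, can be met with a small wrapper around the reset right. The following PowerShell is an added example written for this article, not code from the original. It assumes the RSAT ActiveDirectory module, a Reset Password delegation on the user's OU for the technician's group (the Wizard's standard reset task also grants the write to pwdLastSet that the forced change needs), and a separate secure delivery step for the password that is outside this snippet.

```powershell
# Added example, not from the original article. Requires the RSAT ActiveDirectory
# module and a Reset Password delegation on the user's OU; the account name is a placeholder.
Import-Module ActiveDirectory

function Get-SecureRandomInt {
    # Uniform integer in [0, Max) from the CSPRNG; rejection sampling avoids modulo bias
    param([Parameter(Mandatory)][int]$Max)
    $rng = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    $buf = New-Object byte[] 4
    $limit = [uint32]::MaxValue - ([uint32]::MaxValue % [uint32]$Max)   # largest multiple of Max we accept
    do {
        $rng.GetBytes($buf)
        $n = [BitConverter]::ToUInt32($buf, 0)
    } while ($n -ge $limit)
    return [int]($n % $Max)
}

function New-RandomPassword {
    # Stricter than the default domain policy: 20 characters, all four classes
    # guaranteed, and look-alike characters (O/0, l/1/I) left out.
    param([int]$Length = 20)
    $classes = @(
        'ABCDEFGHJKLMNPQRSTUVWXYZ',
        'abcdefghijkmnopqrstuvwxyz',
        '23456789',
        '!@#$%^&*()-_=+[]{}:;,.?'
    )
    $all   = $classes -join ''
    $chars = New-Object System.Collections.Generic.List[char]
    foreach ($set in $classes) { $chars.Add($set[(Get-SecureRandomInt -Max $set.Length)]) }   # one from each class
    while ($chars.Count -lt $Length) { $chars.Add($all[(Get-SecureRandomInt -Max $all.Length)]) }
    # Fisher-Yates shuffle so the per-class characters are not always the first four
    for ($i = $chars.Count - 1; $i -gt 0; $i--) {
        $j = Get-SecureRandomInt -Max ($i + 1)
        $tmp = $chars[$i]; $chars[$i] = $chars[$j]; $chars[$j] = $tmp
    }
    return -join $chars
}

function Reset-DelegatedUserPassword {
    # Generates the temporary password, applies it, and forces a change at next
    # logon. The plaintext is never written to the console, so the technician
    # running this does not learn it.
    param([Parameter(Mandatory)][string]$SamAccountName)
    $secure = ConvertTo-SecureString -String (New-RandomPassword) -AsPlainText -Force
    Set-ADAccountPassword -Identity $SamAccountName -Reset -NewPassword $secure
    Set-ADUser -Identity $SamAccountName -ChangePasswordAtLogon $true
    return $secure   # hand this only to the secure delivery step (assumed to exist), not to the technician
}

# Usage (placeholder account): $tmp = Reset-DelegatedUserPassword -SamAccountName 'jdoe'
```

The forced change at next logon is what keeps the temporary value short-lived; without it a password that was seen in transit stays valid until the user happens to change it. Generating the value with `RandomNumberGenerator` rather than `Get-Random` matters because the latter is not a cryptographic source.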
Joining Computers to the Domain – A typical delegation that allows for the technicians that are installing the computers to join the computer to the domain.
Moving Computers to an Organizational Unit – A key delegation that does require advanced knowledge of Active Directory and Group Policy. An errant move of a computer to an organizational unit could expose the computer, data on the computer, or even the network to an attack. This is because security is often implemented via Group Policy, which is applied based on where the computer resides in Active Directory.
Modification of Group Membership – A delegation that is not used often enough, but should be. In many organizations it is the managers and project managers who define the group membership, but the administrators who implement the configurations. By delegating this task to the managers and project managers, group membership can be maintained by the owner and the management load taken off of administrators. Additional concepts that should be considered include:
- Control over which objects can be added to the group (users, groups, computers)
- Control over which users can be added to the group
- Control over which groups can be added to the group
- Control over which objects can be removed from the group
- Control over deletion of the group
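Of the five controls above, only the last is expressible as an Active Directory ACL (deny Delete on the group object). A write grant on the member attribute lets the trustee write any DN into it, so restricting which object classes, which OU, or which specific members may be added or removed has to live in the tool the owner uses. The following PowerShell is an added example written for this article, not code from the original. It assumes the RSAT ActiveDirectory module, a write-member delegation on the group for the owner's group, and placeholder group, OU and member DNs.

```powershell
# Added example, not from the original article. Requires the RSAT ActiveDirectory
# module; the group, OU and member DNs are placeholders.
Import-Module ActiveDirectory

function Add-ControlledGroupMember {
    # Adds a member only if it passes the controls a plain ACL cannot express:
    # which object classes may be members, which OU they must come from, and
    # whether nested groups are allowed at all (leave 'group' out of AllowedClasses).
    param(
        [Parameter(Mandatory)][string]$GroupDn,
        [Parameter(Mandatory)][string]$MemberDn,
        [string[]]$AllowedClasses = @('user'),    # e.g. 'user', 'computer', 'group'
        [string]$RequiredSearchBase = $null       # member must sit under this OU; $null = anywhere
    )
    $member = Get-ADObject -Identity $MemberDn -Properties objectClass
    if ($AllowedClasses -notcontains $member.ObjectClass) {
        throw "Refused: '$($member.ObjectClass)' objects may not be members of $GroupDn"
    }
    if ($RequiredSearchBase -and
        -not $member.DistinguishedName.EndsWith(",$RequiredSearchBase", [StringComparison]::OrdinalIgnoreCase)) {
        throw "Refused: $MemberDn is outside $RequiredSearchBase"
    }
    Add-ADGroupMember -Identity $GroupDn -Members $member
    return $member.DistinguishedName
}

function Remove-ControlledGroupMember {
    # Removal is allowed for any member except those on a protected list
    # (for example a service account the owner must not be able to unplug).
    param(
        [Parameter(Mandatory)][string]$GroupDn,
        [Parameter(Mandatory)][string]$MemberDn,
        [string[]]$ProtectedMembers = @()
    )
    if ($ProtectedMembers -contains $MemberDn) { throw "Refused: $MemberDn is protected in $GroupDn" }
    Remove-ADGroupMember -Identity $GroupDn -Members $MemberDn -Confirm:$false
    return $MemberDn
}

# Usage (placeholder DNs): users from one OU only, no nested groups or computers
# Add-ControlledGroupMember -GroupDn 'CN=Project-X,OU=Groups,DC=example,DC=com' `
#     -MemberDn 'CN=J Doe,OU=Staff,DC=example,DC=com' -RequiredSearchBase 'OU=Staff,DC=example,DC=com'
```

Because the checks run in the wrapper and not in the directory, the ACL on the group should be granted to the wrapper's service identity or only exposed through it; a trustee who also holds the raw write-member right can still bypass the controls with Active Directory Users and Computers.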
Single User Account Creation – This delegation is possible today, but the granular capabilities are not there. Ideally user accounts should be created using a template, which dictates the required properties for each new user.
Bulk User Account Creation – This delegation falls under efficiency and organization. Ideally, it should be possible to import a list of user names and their properties into Active Directory, along with a template to help ensure correct user property configurations.
Mandatory User Account Properties – There are some default user account properties that are mandatory, but there need to be additional controls to force user accounts to be created with certain properties being mandated. This will ensure consistent and stable user account creation and use.
Pre-defined User Account Properties – Nearly all Active Directory environments require that some properties be configured to ensure that scripts and applications work. Being able to define some properties automatically for each user is key. Additionally, these configurations should have the ability to be seen or hidden by the user creating the account, for ease of communication or security.
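The four paragraphs above describe one mechanism: a template that names the properties a technician must supply, the properties that are set automatically, and a bulk path that applies the same template to a list. The following PowerShell is an added example written for this article, not code from the original. It assumes the RSAT ActiveDirectory module, a create-user delegation on the target OU, and placeholder OU, UPN suffix, property values and CSV columns; the initial password is supplied by the caller (in practice a per-user random value from whatever reset process the site uses).

```powershell
# Added example, not from the original article. Requires the RSAT ActiveDirectory
# module; OU, domain suffix, property values and CSV layout are placeholders.
Import-Module ActiveDirectory

# The template: what the technician must supply, and what is set automatically.
$StaffTemplate = @{
    Path       = 'OU=Staff,DC=example,DC=com'
    UpnSuffix  = 'example.com'
    Mandatory  = @('GivenName', 'Surname', 'Department', 'EmailAddress')                      # technician supplies
    Predefined = @{ ScriptPath = 'logon.vbs'; HomeDrive = 'H:'; Company = 'Example Corp' }   # fixed, not editable
}

function New-TemplatedUser {
    param(
        [Parameter(Mandatory)][hashtable]$Template,
        [Parameter(Mandatory)][hashtable]$Values,          # technician-supplied properties
        [Parameter(Mandatory)][securestring]$InitialPassword
    )
    # Mandatory properties: refuse the account rather than create an incomplete one
    $missing = @($Template.Mandatory | Where-Object { [string]::IsNullOrWhiteSpace($Values[$_]) })
    if ($missing.Count -gt 0) { throw "Missing mandatory properties: $($missing -join ', ')" }

    # Derived values follow one naming convention instead of per-technician habits
    $sam = ($Values.GivenName.Substring(0, 1) + $Values.Surname).ToLowerInvariant() -replace '[^a-z0-9]', ''
    $params = @{
        Name                  = "$($Values.GivenName) $($Values.Surname)"
        SamAccountName        = $sam
        UserPrincipalName     = "$sam@$($Template.UpnSuffix)"
        Path                  = $Template.Path
        AccountPassword       = $InitialPassword
        ChangePasswordAtLogon = $true
        Enabled               = $true
    }
    foreach ($k in $Template.Mandatory)       { $params[$k] = $Values[$k] }
    foreach ($k in $Template.Predefined.Keys) { $params[$k] = $Template.Predefined[$k] }   # template wins over input
    New-ADUser @params -PassThru
}

function Import-TemplatedUsers {
    # Bulk creation: one CSV row per user, columns named after the mandatory properties.
    param(
        [Parameter(Mandatory)][string]$CsvPath,
        [Parameter(Mandatory)][hashtable]$Template,
        [Parameter(Mandatory)][securestring]$InitialPassword
    )
    foreach ($row in Import-Csv -Path $CsvPath) {
        $values = @{}
        foreach ($p in $row.PSObject.Properties) { $values[$p.Name] = $p.Value }
        try { New-TemplatedUser -Template $Template -Values $values -InitialPassword $InitialPassword }
        catch { Write-Warning "Skipped row for '$($row.Surname)': $_" }   # one bad row does not stop the import
    }
}

# Usage (placeholder file): Import-TemplatedUsers -CsvPath '.\new-staff.csv' -Template $StaffTemplate -InitialPassword $pw
```

Applying the predefined values after the technician's input is what makes them mandatory and hidden at the same time: a CSV column named ScriptPath is silently overridden, so the fields the scripts and applications depend on cannot drift from one import to the next.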
Taking what Microsoft gives you and just working with those restrictions can be very limiting. There are many ways that you can increase productivity, security, and efficiency by using delegation and other concepts, such as templates. Taking a look at these options could make your overall administration much faster and easier, not to mention more secure and stable. For an example of some of these concepts, check out these blogs.