As an organization grows, so does its IT staff. What once was a small group of trusted individuals is now an organization itself and along with that comes added risks from change control failures as well as unscrupulous or disgruntled employees. To manage this increased risk it is important to limit how many employees have membership in the all powerful Administrators, Enterprise Admins and Domain Admins groups. Limiting administrator authority is an important application of the least privilege concept. At the same time though, IT folks need the authority to do their jobs. Fortunately, Active Directory provides the much-needed ability to delegate routine management and support tasks throughout the enterprise. To successfully leverage the delegation features of Active Directory (AD), you first define organizational units (OUs), then identify the tasks you want to delegate and add staff members who are responsible for distributed management and maintenance. After this infrastructure is in place, you can run the AD Delegation of Control Wizard to quickly delegate the permissions and rights each group needs to carry out its assigned management activities.
The Power of OUs
An OU is a collection of AD objects, such as users, groups, computers, printers, and file shares, that you want to manage as one entity. All the objects in an OU must belong to the same domain. An OU is the smallest unit to which you can delegate administrative and maintenance tasks. (The larger structures that you can delegate to are sites and domains.) Win2K represents OUs as directory container objects, and each OU appears as a folder in the Active Directory Users and Computers utility.
The best OU designs group people and systems to expedite management, maintenance, and efficient user support. Delegating administrative control of each OU to groups or individuals empowers local and remote staff members to manage part or all of their operation. The specifics of OU planning are beyond the scope of this article. In short, you can follow one of three main approaches to defining OUs: You can create them based on location, business unit, or job or area of responsibility (or on any combination of these approaches that reflects the best method for managing your network). A small company might have only one OU; a large international business might create an OU for each geographic location or independent business partner. To create OUs, you use the Administrative Tools' Active Directory Users and Computers utility or the equivalent Microsoft Management Console (MMC) snap-in.
For more information about OU planning, see Chapter 8, "Designing the Active Directory Structure," of the "Windows 2000 Deployment Planning Guide" in the Microsoft Windows 2000 Server Resource Kit. You can also download the deployment planning guide from http://www.microsoft.com/windows2000/ library/resources/reskit/dpg/default.asp. (In the online version of the resource kit, which is more current than the printed version, Chapter 9 is the "Active Directory Planning Guide.")
Delegation and AD Object Security
Win2K has a granular approach to object administration. You delegate control of an object to an individual or group in two stages. First, you can allow (enable) or deny (disable) the right to create or delete a specific AD object. Second, you can grant or deny the right to modify any one or all of an object's attributes. Win2K manages security for object creation and deletion independently from modification of object attributes, so you can grant an individual or group the right to modify an object without letting the same individual or group create or delete the object. When you allow or deny object permissions, all subordinate objects inherit these permissions by default.
Let's explore some of the ways you can delegate management of user account objects. You can delegate the authority to create and delete user objects (i.e., user accounts). This functionality lets you permit a remote office to create and delete accounts for its OU autonomously. For example, you can delegate the authority to create and delete user objects to the human resources (HR) departments in your remote office OUs. You can delegate the right to modify all the attributes of a user account or only the ability to modify one attribute, such as a user's password or ZIP code. To make delegation even more complex, perhaps unnecessarily so, you can let one individual or group modify a user's password and permit another individual or group to modify only a user's contact information. These security concepts apply equally to all AD objects, be they computers, file shares, printers, OUs, sites, or domains.
Win2K implements the tasks you permit or deny as access control entries (ACEs) in an object's ACL. To give you a sense of Win2K's fine-grained control, let's look at user and group objects' permissions. A user object has four unique permissions: Change Password, Receive As, Reset Password, and Send As. A group object has only one unique permission: Send To. User and group objects share the following common permissions: Full Control, List Contents, Read All Properties, Write All Properties, Delete, Delete Subtree, Read Permissions, Modify Permissions, Modify Owner, All Validated Writes, All Extended Rights, Create All Child Objects, Delete All Child Objects, and Add/Remove Self As Member.
Win2K represents each of these permissions separately, so you can grant only one or a combination of permissions to manipulate an object. This granularity lets you safely delegate only the desired administrative tasks to individuals in your organization. You no longer need to disseminate the Administrator's password, so you can keep master control of the network in the hands of only a few staff members.
What Can You Delegate?
As you consider your OU design, you will benefit from identifying the tasks you want to delegate. As you proceed with an AD implementation, you'll know how many OUs to create, the number and type of tasks you expect to delegate in each OU, and the number of administrative groups you need to support your distributed network management model.
If your AD implementation includes OUs that operate fairly independently from the central office, you might want to empower local administrators to manage all aspects of their network operation. This entitlement might include creating and deleting new user and group objects, full control over groups and group membership, and group policy and group policy link management. If your organization has a centralized corporate Help desk, you might want to give the Level 1 Help desk group the authority to reset user and computer account passwords and let the Level 2 Help desk group reset user and computer account passwords, add and remove group members, and create or manage shares for user profiles and home directories.
Using the Delegation Wizard at Wildwood
Without an in-depth understanding of the complex Win2K security model, you might easily become lost trying to delegate control by manually creating and modifying an object's ACL. You would have to thoroughly understand every permission that applies to every AD object-no small task considering the range of objects and attributes available. The Delegation of Control Wizard makes delegation much easier.
The following example shows how to use the wizard to distribute management tasks for a fictitious paper company called Wildwood. Wildwood has 500 employees spread among its Denver headquarters and two branch offices. The Boston and Chicago branches each employ a local IT staff responsible for user and network management. You want to completely delegate user and group account management and group policy links to the branch offices' local staff, while retaining the ability to manage the branch networks when the local managers are out of the office. The Chicago operation is acquiring subsidiaries, so you want to empower the Chicago IT staff to create new OUs. However, you don't want the IT staff in the branch offices to have any administrative authority over the headquarters operation.
Because Wildwood has only 500 employees, you can manage the organization with one domain, which I'll call WildwoodA. To delegate control to the remote locations, you need one OU for each office, which you call the Boston Branch Office and the Chicago Branch Office. You also must create in each OU local user and computer accounts, server accounts, and an administrative group that contains the local IT staff. Then, you can delegate control of each OU to that OU's administrative group. Figure 1 shows the Active Directory Users and Computers display of the OUs and their user, computer, and group members.
To delegate full control of the Boston OU to the Boston Administrators group, which has two members, Roger Barrington and Sally Sorba, you need to run the Delegation of Control Wizard. In the Active Directory Users and Computers display, right-click Boston Branch Office, and click Delegate Control, the first entry on the context-sensitive menu. Click Next on the resulting Delegation of Control Wizard Welcome screen to begin the delegation procedure. This action brings up the Users or Groups window. (The Selected users and groups portion of this window is always empty, even if you have previously delegated control to this OU. This blank area is disconcerting the first few times you experiment with delegation.)
Click Add to display the Select Users, Computers, or Groups window, which Figure 2 shows. In this window, you can select users and groups from the entire directory, the active domain, or another domain (including Windows NT 4.0 domains) from the Look in drop-down box. Because you have only one domain, the contents of the directory and the domain are identical. Next, double-click the Boston Administrators group. If you want to delegate control of the OU to multiple groups or groups and individuals, you can select multiple entries from the directory or domain display by double-clicking each entry. The wizard displays each selection in the lower portion of the screen. Click OK to proceed, and verify your selections in the previously blank area of the Users or Groups window.
When you click Next, the wizard displays the Tasks to Delegate window, which Figure 3 shows. The Delegate the following common tasks option is enabled by default. You want to delegate control of user and group accounts to Boston Administrators, so you need to select all six options in the common tasks list: Create, delete, and manage user accounts; Reset passwords on user accounts; Read all user information; Create, delete, and manage groups; Modify the membership of a group; and Manage Group Policy links. If you want to delegate only limited control to the Boston IT staff, you might select only the Reset passwords on user accounts and Read all user information check boxes.
If the common task list doesn't include the task you want to delegate, select the Create a custom task to delegate option, which displays two options. If you select the first option, This folder, existing objects in this folder, and creation of new objects in this folder, you're delegating full authority to manage everything the folder contains as well as the right to create any new object within the folder. If you want to delegate only some of these tasks, select the Only the following objects in the folder option, and select a subset of objects from the list. To delegate management of printers and shared folders in an OU, select only these objects from the list and click Next. In the resulting Permissions window, which Figure 4 shows, you identify how your delegates can manipulate printers and shared folders. To delegate management without permitting the delegates to create subfolders, select the Read, Write, Read All Properties, and Write All Properties check boxes. Click Next. The resulting Completing the Delegation Control Wizard screen presents a summary of your selections. If everything is correct, click Finish. If you selected the wrong group or forgot to delegate a required common task, click Back to correct your mistakes.
Checking the Wizard's Work
When you finish using the Delegation of Control Wizard, you return automatically to the Active Directory Users and Computers window. To double-check the ACL entries for the Boston OU, you must first enable Advanced Features on the View menu; otherwise, you can't display object security controls. Right-click Boston Branch Office, click Properties, then click the Security tab to display the OU's properties, which Figure 5 shows. Boston Administrators appears as the third entry in the Name list. When you highlight an entry in the Name list, the Permissions section shows the permissions that group has for the Boston OU.
When you highlight the Boston Administrators group, no check marks appear in the permissions list. To see the ACEs that the wizard placed in the OU's ACL, you must click Advanced. Figure 6 shows the Permissions tab of the Access Control Settings for the Boston Branch Office window.
You can double-click an entry to display more information about it (or select the ACE and click View/Edit). If you double-click the first entry, you see that the Boston Administrators group has permission to Read gPOptions (Group Policy options) and Write gPOptions, as Figure 7 shows. If you double-click the second entry, you see that the Boston Administrators group has permission to Read gPLink (Group Policy link) and Write gPLink.
These four permissions (i.e., to read and write group policy options and group policy links) are available for the OU object, so the Delegation of Control Wizard could write one ACE that allows all four options instead of writing two ACEs with two options each. When you're comfortable with object security, you can modify the permission settings by manually selecting the Allow or Deny check boxes. And you can combine these group policy ACEs into one ACE if you always want to delegate both tasks in one assignment. Double-clicking the third entry in the Access Control Settings for Boston Branch Office window brings up the Object tab of the Permission Entry for Boston Branch Office window, which Figure 8 shows. This tab shows that you've granted Boston Administrators Full Control of all group objects, including the ability to create child groups for existing groups. The fourth entry lets the Boston Administrators group create and delete new group objects within the OU. The fifth ACE grants Full Control of existing user objects, and the sixth entry lets the Boston Administrators group create and delete new user objects.
Testing and Modifying Delegations
To verify that your delegates can perform their assigned tasks, log on as a member of the Boston Administrators group. Start the Active Directory Users and Computers utility, right-click the Boston Branch Office OU, click New, then click User. If the New Object-User dialog box appears, the group can successfully create new user accounts. Repeat this procedure for New Object-Groups, and verify that group members can perform all the tasks that you delegated in the Delegation of Control Wizard's common tasks list.
Although the Delegation of Control Wizard grants users and groups administrative privileges over containers and the objects within them, the wizard can't undo delegations. To remove or modify delegations that you created with the wizard, you must manually edit the relevant ACEs. As you can see Active Directory's granular authority model combined with the Delegation of Control Wizard make it possible to follow least privilege and thereby reduce the risk of uncontrolled administrator authority but at the same time making sure everyone has the authority they need to their job.
