We all know it happens the exact same way each time. There is a user in a department, or maybe an entire department of users, who are going to be terminated. The protocol is typically the same: the manager of the department notifies IT that morning and has IT disable the user when the time comes. The issue for IT is always “when is that time?”
But what if the department manager had the ability to disable the user(s)? Then IT would only be notified that the user was disabled, rather than having the burden of performing the task. The key to a solution like this is to narrow the scope of who the manager can disable and to ensure she can only disable the account and nothing more.
There is an excellent and easy solution to a common scenario like this: ADManager Plus. ADManager Plus provides delegation configurations that are very granular and easy to set up. There are three steps to this solution:
Step 1: Establish the Delegated Role
Within ADManager Plus this is referred to as a Help Desk Role. Figure 1 illustrates what the configuration of this role would look like.
Figure 1. ADManager Plus allows you to define which task the Help Desk Role will control.
Step 2: Define the managers that will have the ability to disable users.
ADManager Plus refers to this configuration as Help Desk Technicians. Help Desk Technicians are defined within ADManager Plus by their Active Directory name and are then associated with a Help Desk Role. Figure 2 illustrates what this configuration would look like.
Figure 2. Associating a role with a technician in ADManager Plus.
You will notice a few key factors in the Figure 2 configuration. First, the user is only granted the ability to disable users that are located in the Finance OU. Second, the role grants only the ability to disable, nothing else. Third, ADManager Plus impersonates the technician, so it acts like a proxy performing the task. Finally, because it is a proxy, the actual permissions in Active Directory are not modified; the delegations exist only in ADManager Plus. This allows for easier auditing and verification of who has delegated control over Active Directory.
Step 3: The manager connects to perform the task.
ADManager Plus is designed as a web-based interface. This allows for quick and easy access to perform the tasks without the need to install any client-side tool on the user's desktop. Figure 3 shows what the finance manager would see when he connects to ADManager Plus.
Figure 3. ADManager Plus will only show the delegated roles within the tool.
As you can clearly see, the manager only has the ability to see and control what the role specifies. This is also clear when attempting to view the full list of users that can be disabled, which is shown in Figure 4.
Figure 4. ADManager Plus will only allow control over the AD objects which are defined in the delegation.
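Step 2 claims that the delegation lives only in ADManager Plus and that native Active Directory permissions are untouched. The following script is an added example (not from the article and not part of ADManager Plus) that audits the Finance OU's own ACL for that: it lists every explicit Allow ACE held by a non-default principal that could write userAccountControl, the attribute a disable operation changes. The OU distinguished name and the list of expected default principals are assumptions; adjust them for your domain.

```powershell
# Added example: audit native ACEs on the Finance OU that could disable users.
# Assumed placeholder DN; replace with the real OU in your domain.
Import-Module ActiveDirectory
$FinanceOU = 'OU=Finance,DC=example,DC=com'

# Attribute-specific ACEs carry the attribute's schemaIDGUID in ObjectType,
# so look up the GUID for userAccountControl from the schema partition.
$schemaNC = (Get-ADRootDSE).schemaNamingContext
$uacGuid  = [guid](Get-ADObject -SearchBase $schemaNC `
    -LDAPFilter '(lDAPDisplayName=userAccountControl)' `
    -Properties schemaIDGUID).schemaIDGUID

# Principals expected to hold write rights on an OU by default (assumption;
# extend the pattern if your domain has other sanctioned admin groups).
$expectedPattern = '^(NT AUTHORITY\\SYSTEM|BUILTIN\\(Administrators|Account Operators)|.*\\(Domain Admins|Enterprise Admins))$'
$writeProp = [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty

$acl = Get-Acl -Path "AD:\$FinanceOU"
$findings = foreach ($ace in $acl.Access) {
    if ($ace.AccessControlType -ne 'Allow') { continue }
    if ($ace.IsInherited) { continue }                 # only ACEs set directly on the OU
    if ($ace.IdentityReference.Value -match $expectedPattern) { continue }
    # GenericAll and GenericWrite both include the WriteProperty bit.
    if (($ace.ActiveDirectoryRights -band $writeProp) -eq 0) { continue }
    # Empty ObjectType means "all attributes"; otherwise require an exact match.
    # Property-set ACEs (a GUID of a set containing the attribute) are not expanded here.
    if ($ace.ObjectType -ne [guid]::Empty -and $ace.ObjectType -ne $uacGuid) { continue }
    [pscustomobject]@{
        Principal   = $ace.IdentityReference.Value
        Rights      = $ace.ActiveDirectoryRights
        Scope       = if ($ace.ObjectType -eq [guid]::Empty) { 'all attributes' } else { 'userAccountControl' }
        Inheritance = $ace.InheritanceType
    }
}

if ($findings) {
    Write-Warning "Explicit write-capable ACEs found on $FinanceOU (expected none if delegation is only in ADManager Plus):"
    $findings | Format-Table -AutoSize
} else {
    Write-Output "No explicit write-capable ACEs on $FinanceOU beyond the expected defaults."
}
```

Run it before and after configuring the Help Desk Role; the output should be identical, and the manager's account should never appear. The ADManager Plus delegation itself is reviewed in the product's console, not in the AD ACL.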
With such ease of configuration, control over the delegations in AD, and limiting nature of what the delegated user can control, ADManager Plus makes delegations
Active Directory delegation without elevating user permissions in Active Directory