Active Directory Delegation

Endpoint Central | February 26, 2006 | 3 min read

Recently, I was involved in the Desktop Central delegated administration tests in a Windows 2003 based domain. I tried this using the native Microsoft delegation wizard tools. For reference, I happened to read the official Microsoft 2003 delegation document.

It’s a document that spans more than 200 pages. Here is the document link for your reference

A good one for those who want to know the complete story about delegation and its insights. For the rest, here is my simple version of the digest.

What is delegation?

Delegation is the transfer of administrative responsibility for a specific administrative task from a higher authority to a lower authority. Technically speaking, delegation of administration means a higher-level administrator granting a controlled set of permissions to a lower-level administrator so that the latter can carry out a specific administrative task.

What is the advantage of delegation?

By increasing administrative efficiency and decentralizing administration, delegation reduces administrative costs and improves manageability of IT infrastructures.

How is it being done?

According to Microsoft, the administrative responsibilities of managing an Active Directory environment can be classified into two categories:

* Service management, which is responsible for the administrative tasks involved in providing secure and reliable delivery of the directory service. Some of the Active Directory service management tasks are:

  o Add/remove domain controllers in the infrastructure
  o Domain controller role management (PDC emulator, schema master, etc.)
  o Manage/monitor replication
  o Perform regular backups of the directory database
  o Domain and domain controller security policy management, etc.

* Data management, which is responsible for the administrative operations involved in managing the content that is stored in or protected by the directory service. A few examples are:

  o User account management (add, delete, modify, move, etc.)
  o Computer account management
  o Security groups (used to aggregate accounts for the purpose of authorizing access to resources), etc.

Thus, data and service management tasks primarily involve changing data that is stored either in Active Directory or, in some cases, in the file system or registry of domain controllers and other computers joined to Active Directory.

Access Control

Access control is the means by which administrators can control, or delegate, the ability of other users to manipulate objects in Active Directory and also to perform actions on domain controllers and file servers. It involves three stages of operation:

o Stage I: Security credentials of the user who wants to access a resource

o Stage II: Authorization data that protects the resource that is being accessed

o Stage III: An access check that verifies whether or not the requested access can be granted

When a user attempts to perform a low-level operation on an object, the attempted operation is subject to an access check. The access check combines the user's security credentials with the authorization data on the object on which the operation is requested, and from these determines what the user is allowed to do with that object. If the credentials of the requesting user and the authorization data on the target object together provide sufficient permissions to execute the operation, the operation succeeds; if the permissions are insufficient, the request fails.

That’s about the document. Even though delegation provides a lot of advantages, there are some pain areas I want to share from using the native delegation wizard:

* Delegation is not open/visible in the native tools UI – I couldn’t check it at a glance

* Reverting the delegation is a very painful job – surprisingly there is no wizard for that!!

* No history of delegation detail for an object – you tend to redo

* Direct manipulation of security settings – tweaking security settings is dangerous and can bring down the network
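As an added example (not code from the original post or from Desktop Central), here is a PowerShell script that ties the access-check stages above to the pain points just listed: it writes one narrowly scoped delegation ACE (the authorization data of Stage II) onto an OU, lists the explicit delegations on that OU so they are visible at a glance, and removes exactly that ACE again. It assumes the ActiveDirectory module (AD: drive) and the placeholder OU and group names in the script.

```powershell
# Added example; not code from the original post or from Desktop Central.
# Assumes the ActiveDirectory module (AD: drive) and the placeholder names below.
Import-Module ActiveDirectory

$Ou        = "OU=Staff,DC=example,DC=com"                  # placeholder OU
$Group     = "EXAMPLE\HelpDesk"                             # placeholder delegate group
$ResetPwd  = [guid]"00299570-246d-11d0-a768-00aa006e0529"  # extended right "Reset Password"
$UserClass = [guid]"bf967aba-0de6-11d0-a285-00aa003049e2"  # schema class "user"

# One ACE meaning "HelpDesk may reset passwords of user objects under $Ou" and nothing more.
function New-ResetPasswordAce {
    $sid = (New-Object System.Security.Principal.NTAccount($Group)).Translate(
               [System.Security.Principal.SecurityIdentifier])
    New-Object -TypeName System.DirectoryServices.ActiveDirectoryAccessRule -ArgumentList @(
        $sid,
        [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight,
        [System.Security.AccessControl.AccessControlType]::Allow,
        $ResetPwd,
        [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents,
        $UserClass)
}

# Stage II of the access check: put the authorization data on the OU.
function Grant-HelpDeskResetPassword {
    $acl = Get-Acl -Path "AD:\$Ou"
    $acl.AddAccessRule((New-ResetPasswordAce))
    Set-Acl -Path "AD:\$Ou" -AclObject $acl
}

# Make delegation visible at a glance: explicit (non-inherited) ACEs only,
# with extended-right GUIDs resolved to their display names.
function Show-Delegation {
    $rightsDn = "CN=Extended-Rights," + (Get-ADRootDSE).configurationNamingContext
    (Get-Acl -Path "AD:\$Ou").Access | Where-Object { -not $_.IsInherited } | ForEach-Object {
        $object = $_.ObjectType.ToString()
        if ($_.ObjectType -ne [guid]::Empty) {
            $right = Get-ADObject -SearchBase $rightsDn -LDAPFilter "(rightsGuid=$object)" -Properties displayName
            if ($right) { $object = $right.displayName }
        }
        [pscustomobject]@{ Trustee = $_.IdentityReference; Type = $_.AccessControlType
                           Rights  = $_.ActiveDirectoryRights; AppliesTo = $object }
    }
}

# Reverting: remove exactly the ACE that was added. There is no wizard for this step.
function Revoke-HelpDeskResetPassword {
    $acl = Get-Acl -Path "AD:\$Ou"
    [void]$acl.RemoveAccessRuleSpecific((New-ResetPasswordAce))
    Set-Acl -Path "AD:\$Ou" -AclObject $acl
}
```

Running Show-Delegation before and after Grant-HelpDeskResetPassword gives the at-a-glance view and the before/after record that the native wizard does not keep.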

There should be some tool that makes things easier, easy enough that a help desk person can understand and do this. Okay, coming back to delegation for Desktop Central, we are working on the possibilities and have some interesting stuff to share; will keep you posted.

~ romanus ~