Active Directory Rights Delegation - Overview
7/30/2019 Active Directory Rights Delegation - Overview
1/18
Active Directory rights delegation overview
Administrators very often ask how to grant other users from the IT department some specific
rights in Active Directory without giving them too many permissions.
Microsoft allows us to do that in a few ways, using:
- default built-in groups
- the Active Directory Delegation wizard
- the ACL of Active Directory objects
The last option may be done over:
- the Active Directory Users and Computers console
- the ADSI Edit console
- the DSACLS command-line tool (out of scope in this article)
The first method is very simple for some predefined tasks, but it also grants users much more
permissions than they sometimes need. So the proper method in this case is granting rights over
the AD Delegation wizard or the other methods mentioned above. This way also allows more
granular permission assignment.
Some tasks cannot be delegated using the methods mentioned above, but we can handle them by
modifying the appropriate policies in a Group Policy Object (GPO).
Note! I very often see administrators adding users to the Domain Admins group to grant them the
necessary privileges. This is the simplest way, but for sure not the proper one! I know,
delegating rights requires some administrative effort, but it is really worth implementing. After
implementing rights delegation, you can be sure that no one will accidentally destroy your
environment. Give it a try!
Active Directory Delegation wizard
This wizard is available when you open the Active Directory Users and Computers console and
select the Organizational Unit (OU) or domain on which you want to start delegating privileges.
Right-click it and choose the Delegate Control option. You should see a wizard.
Delegation Control wizard
Follow the wizard and choose the desired options. On the first screen, you will be prompted for
the user or group to which you want to grant permissions.
Selecting user or group to grant permissions
Note! It is good practice not to add users directly in the Delegation Control wizard. Instead of
adding them directly, please create a dedicated group and grant the permission to it. Put each user
who requires the permissions into that group.
Defined group for task delegation
As you can see on the screen above, I have used a domain local group named dlg-reset-user-password.
Its name tells what its purpose is. In this case I will grant the reset user password
permission in the domain to that group.
Note! I would strongly recommend naming groups in a way that lets you simply evaluate what their
function is (use also the description field to put more detailed information about the group).
Next step of delegating permissions
Now you need to select the appropriate permissions which will be assigned to the specified group. You
can use one of the predefined roles from the list or select more granular permissions.
To use one of the predefined roles, select the checkbox next to it (you can select more than one) and
go to the next step to finish the action.
Selecting delegated task for group of users
In case you want to create a custom task to delegate, choose the second option and click the
Next button.
Custom task to delegate
Choose the Only the following objects in this folder option and select the appropriate object(s) from
the list.
Custom task delegation next step
Now you need to select the granular permissions to assign. Before you do that, tick also the
Property-specific option to see more attributes.
Selecting more attributes
From the list, choose:
- Reset password
- Read lockoutTime
- Write lockoutTime
- Read pwdLastSet
- Write pwdLastSet
and click the Next button.
Assigning permissions
and finish the action. Now you have delegated user password reset to the specified group.
Rights delegated
To verify that the rights are delegated, you need to check the ACL of the location on which you have
done this action. To see the ACL (Security tab) on that location, you need to enable the
Advanced Features option in the ADUC console.
Advanced Features option in ADUC
After that, you can simply check whether the task delegation has finished successfully. Right-click
the domain or OU (depending on where you have done the delegation) and choose Properties. Under the
Security tab, verify that you can see the group to which you assigned the permissions.
Verifying delegated permissions
That's all about this method. Now let's see another way.
ACL of Active Directory objects
As you saw in the previous part of this post, I showed you how to delegate rights using the
Delegation Control wizard. This time you will see how to do that using the ACL (Security tab).
Open the Active Directory Users and Computers console (make sure that the Advanced Features
option in the View menu is selected) and go to the OU or domain to which you want to grant
permissions. Right-click it and choose Properties. Go to the Security tab.
Delegating rights over ACL
Click the Advanced button and select the group to which you want to assign permissions.
In the Permission Entry window, from the Apply to drop-down list choose This object and all
descendant objects and select Create computer objects.
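As an added example (not code from the original post), the same entries the wizard and the Security tab create, written with PowerShell and then read back the way the Security tab shows them: the Reset password right plus read/write on lockoutTime and pwdLastSet for descendant user objects, and Create computer objects on this object and all descendant objects. It assumes the ActiveDirectory module with its AD: drive, a placeholder OU name, and uses the post's dlg-reset-user-password group for all three rights.

```powershell
# Added example, not code from the original post: the ACEs the wizard and the
# Security tab create, applied with PowerShell and then read back for verification.
# Assumes the ActiveDirectory module (AD: drive) and that the OU and group exist.
Import-Module ActiveDirectory
$ouDn = 'OU=Delegated,DC=example,DC=com'                 # placeholder OU
$sid  = (Get-ADGroup 'dlg-reset-user-password').SID     # group used in the post

# Map names to the GUIDs ACEs carry: attribute/class schemaIDGUIDs and extended rights.
$root = Get-ADRootDSE
$guidByName = @{}
Get-ADObject -SearchBase $root.schemaNamingContext -LDAPFilter '(schemaIDGUID=*)' `
    -Properties lDAPDisplayName, schemaIDGUID |
    ForEach-Object { $guidByName[$_.lDAPDisplayName] = [guid]$_.schemaIDGUID }
Get-ADObject -SearchBase "CN=Extended-Rights,$($root.configurationNamingContext)" `
    -LDAPFilter '(objectClass=controlAccessRight)' -Properties displayName, rightsGuid |
    ForEach-Object { $guidByName[$_.displayName] = [guid]$_.rightsGuid }
$nameByGuid = @{}
foreach ($k in $guidByName.Keys) { $nameByGuid[$guidByName[$k]] = $k }

function New-Ace($rights, [guid]$objectType, $inheritance, [guid]$inheritedType) {
    [System.DirectoryServices.ActiveDirectoryAccessRule]::new($sid,
        [System.DirectoryServices.ActiveDirectoryRights]$rights,
        [System.Security.AccessControl.AccessControlType]::Allow,
        $objectType, [System.DirectoryServices.ActiveDirectorySecurityInheritance]$inheritance, $inheritedType)
}
$acl  = Get-Acl -Path "AD:\$ouDn"
$user = $guidByName['user']   # "Only the following objects": descendant user objects only
# "Reset password" extended right (distinct from "Change Password", which needs the old one)
$acl.AddAccessRule((New-Ace 'ExtendedRight' $guidByName['Reset Password'] 'Descendents' $user))
# Read/Write on exactly lockoutTime and pwdLastSet, not on the whole object
foreach ($attr in 'lockoutTime', 'pwdLastSet') {
    $acl.AddAccessRule((New-Ace 'ReadProperty, WriteProperty' $guidByName[$attr] 'Descendents' $user))
}
# The Security-tab entry from the post: Create computer objects, "This object and all descendants"
$acl.AddAccessRule((New-Ace 'CreateChild' $guidByName['computer'] 'All' ([guid]::Empty)))
Set-Acl -Path "AD:\$ouDn" -AclObject $acl

# Verification, as on the Security tab: list the group's ACEs with GUIDs resolved to names.
function Resolve-AceGuid([guid]$g, [string]$whenEmpty) {
    if ($g -eq [guid]::Empty) { $whenEmpty } else { $nameByGuid[$g] }
}
(Get-Acl -Path "AD:\$ouDn").Access |
    Where-Object { $_.IdentityReference.Value -like '*\dlg-reset-user-password' } |
    Select-Object @{n='Rights';     e={ $_.ActiveDirectoryRights }},
                  @{n='ObjectType'; e={ Resolve-AceGuid $_.ObjectType 'Entire object' }},
                  @{n='AppliesTo';  e={ Resolve-AceGuid $_.InheritedObjectType 'This object and all descendants' }},
                  InheritanceType |
    Format-Table -AutoSize
```

Anything the verification lists beyond these entries (an ObjectType of "Entire object" or a GenericAll right, for example) means the delegation is broader than the post intends and should be reviewed.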
That's all in this method. The next option you can use is granting privileges over the ACL using
ADSI Edit.
ADSI Edit
In Windows Server 2003, to be able to use ADSI Edit you need to install the Support Tools from the
first CD. On Windows Server 2008/2008 R2 it is automatically available on each Domain
Controller.
Note! Be careful! ADSI Edit is a powerful tool and you can destroy your domain environment with it. Do
not choose any option you do not know. First, check it in a test environment.
Some options/attributes are unavailable in the Security tab of the ADUC console; we can set
them up using this tool instead. Log on to a Domain Controller or another domain member server on which
ADSI Edit is available and run it.
Running ADSIEdit console
Within ADSI Edit, connect to the Default naming context.
Choosing context in ADSIEdit
All other steps are the same as in the previous method (ADUC console).
That's all in this overview article.
Author: Krzysztof Pytko