Delegating the Administration of Windows Server 2008 Active Directory Domain Services
- 3/5/2008
Planning for the Delegation of Administration
As shown in this chapter, Windows Server 2008 AD DS provides the tools you need to delegate administrative permissions in your domain. However, for all the benefits of delegating permissions, you also take on the risk of assigning incorrect permissions. Incorrect permissions may allow users to do things in Active Directory that they should not be able to do. Incorrect permissions can also mean assigning too few permissions, so that users cannot do the work they need to do. Creating a delegation structure that gives users precisely the permissions they need requires a significant amount of planning. The following are several suggestions to help with your administrative delegation planning:
Carefully document the administrative requirements for all potential administrators. In most companies, you will find that there are various users and groups that need some administrative permissions in the domain. Many of these users may currently be members of the Domain Admins group. As you document the administrative tasks that users need to perform, you will usually find that they really need a much lower level of access. Often the only way to determine the level of administrative permissions each group needs is to document all of the administrative work they do every day. By documenting the activities they have to perform, you can design the precise permissions they need to have.
Before making any changes to the production environment, test all security modifications in a test environment. Making a wrong security configuration can have serious implications for your network. Use the test lab to ensure that the modifications meet the permission requirements but do not give any additional permissions that are not needed.
Use the Effective Permissions page in the Advanced Security Settings window to monitor and test the users’ permissions. The Effective Permissions page can be used to determine the precise permissions a user or group has in AD DS. Use the tool in the test environment to ensure that your configuration is accurate and use it again in the production environment to make sure that your implementation followed the plan.
Document all the permissions that you assign. Of all the tasks assigned to network administrators, documenting changes made to the network appears to be the most disliked, because it can be very tedious and may not seem important. As a result, documentation is often incomplete or out of date. The only way to effectively manage the security configuration on your network is to document the initial configuration and then to make a commitment to keep the documentation updated whenever one of the original settings is modified.
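The verification and documentation steps above can be supported with a script that exports the explicit (non-inherited) ACEs on a delegated OU, with the attribute and extended-right GUIDs resolved to readable names, so the result can be compared against the plan and kept with the documentation. This is an added example, not code from the book; it assumes the RSAT ActiveDirectory PowerShell module, and the OU distinguished name is a placeholder. It complements the Effective Permissions page rather than replacing it, since it lists the ACEs as written rather than the effective result for one user.

```powershell
# Added example: export the explicit ACEs on a delegated OU for documentation and review.
# Assumes the ActiveDirectory module; $ouDN is a placeholder for the OU you delegated.
Import-Module ActiveDirectory

$ouDN = 'OU=Helpdesk,DC=example,DC=com'   # placeholder for the delegated OU

# Build a GUID -> name map from the schema (attributes and classes) and from the
# Extended-Rights container, so ACE ObjectType GUIDs become names like "Reset Password".
$rootDse = Get-ADRootDSE
$guidMap = @{}
Get-ADObject -SearchBase $rootDse.schemaNamingContext -LDAPFilter '(schemaIDGUID=*)' `
    -Properties name, schemaIDGUID |
    ForEach-Object { $guidMap[[guid]$_.schemaIDGUID] = $_.name }
Get-ADObject -SearchBase "CN=Extended-Rights,$($rootDse.configurationNamingContext)" `
    -LDAPFilter '(objectClass=controlAccessRight)' -Properties name, rightsGuid |
    ForEach-Object { $guidMap[[guid]$_.rightsGuid] = $_.name }

function Resolve-AceGuid ([guid]$g) {
    # An empty GUID means the ACE applies to all attributes/rights or all object classes.
    if ($g -eq [guid]::Empty) { return 'All' }
    if ($guidMap.ContainsKey($g)) { return $guidMap[$g] }
    return $g.ToString()
}

$acl = Get-Acl -Path "AD:\$ouDN"
$report = $acl.Access |
    Where-Object { -not $_.IsInherited } |      # only ACEs set directly on this OU
    ForEach-Object {
        [pscustomobject]@{
            OU          = $ouDN
            Principal   = $_.IdentityReference.Value
            Type        = $_.AccessControlType           # Allow / Deny
            Rights      = $_.ActiveDirectoryRights
            AppliesTo   = Resolve-AceGuid $_.ObjectType          # attribute, right, or All
            InheritedTo = Resolve-AceGuid $_.InheritedObjectType # object class, or All
            Inheritance = $_.InheritanceType
        }
    }

$report | Format-Table -AutoSize
# Keep a dated copy alongside the delegation plan so later changes can be diffed.
$report | Export-Csv -Path ".\delegation-$(Get-Date -Format yyyyMMdd).csv" -NoTypeInformation
```

Run it once in the test lab to confirm the delegation matches the plan, and again in production after the change, then diff the two CSV files.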