Delegation Introduction
We saw in the previous article [how to open the Active Directory snap-in] that once administrator@pioneers.lab opens ADUC [Active Directory Users and Computers], either by RDP or RSAT, he has full control over AD,
which is good enough in a one-man-show company where you need ONLY one administrator in your network who performs ALL IT administrative tasks.
But what if we have an IT team, and each member requires a specific level of administrative rights?
For example
- One IT staff member responsible for joining client computers to AD and deleting computer accounts from AD
- One IT staff member from the help desk team responsible for resetting employees' passwords
- A member of the HR department responsible for updating users' contact information such as department, telephone, address, direct manager, etc.
So it makes a lot of sense to grant specific users [or groups] the desired level of administrative rights.
I will tell you a little story: I visited a company where the IT manager's role had been downgraded to help desk and data entry, and he was spending most of his time in the company following up on employee requests to reset passwords, besides joining computers to the domain and updating their data.
This happened because NO one was allowed to access AD except the domain administrator [which of course was the IT manager].
Delegation considerations
- For delegation to be successful, OUs must be designed and implemented properly and the correct objects (users, groups, computers) must be placed in them.
- Don’t use built-in groups; they give privileges that are too wide in the domain. Your delegation design must include the creation and location of new groups designed solely for delegation.
- Use nested OUs. There will be various levels of data administrators within AD. Some will be delegated control over an entire data type, such as servers, and others might be given only a subset of a data type, such as file servers. This hierarchy is established by creating OUs and sub-OUs, with the delegated administration at the top having more privilege than those lower in the OU structure.
- Perform regular audits to check who has been granted delegation to different levels in AD.
- Perform yearly audits of who holds which delegated controls in AD.
Active Directory delegation steps
The simplest way to accomplish delegation is to use the Delegation of Control Wizard in Active Directory Users and Computers (ADUC) snap-in.
We have the following scenario:
Currently the IT engineering department includes 3 engineers in a group called [Help_Desk].
Test the assigned delegation
We already installed RSAT on computer IT124 in the previous article [click here].
Now, as per the network diagram above, wesam@pioneers.lab will log in to computer IT124.pioneers.lab.
Remove Assigned Delegation
As IT manager, you may later decide to remove an assigned delegation.
This process requires the following:
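The Delegation of Control Wizard writes explicit ACEs on the OU, so both the regular audits recommended above and the removal step can be scripted. The PowerShell below is an added example, not from the original article or the wizard itself; it assumes the ActiveDirectory RSAT module, and the OU path, the NetBIOS name PIONEERS and the Employees OU are placeholders for this lab.

```powershell
# Added example (not from the original article): list the delegation ACEs on an OU
# and remove those held by one group. Assumes the ActiveDirectory RSAT module is
# installed; the OU path and the PIONEERS NetBIOS name are placeholders for the lab.
Import-Module ActiveDirectory

# Well-known schema / extended-right GUIDs translated to readable names.
$KnownGuids = @{
    '00299570-246d-11d0-a768-00aa006e0529' = 'Reset Password'   # extended right
    'bf967aba-0de6-11d0-a285-00aa003049e2' = 'user objects'     # user class
    '00000000-0000-0000-0000-000000000000' = 'all'
}

function Resolve-Guid([guid]$Guid) {
    $key = $Guid.ToString()
    if ($KnownGuids.ContainsKey($key)) { $KnownGuids[$key] } else { $key }
}

function Get-OuDelegation {
    param([Parameter(Mandatory)][string]$OuDN)
    # Inherited entries are filtered out: the explicit ACEs that remain are
    # exactly what was delegated on this OU (by the wizard or by hand).
    $acl = Get-Acl -Path "AD:\$OuDN"
    foreach ($ace in ($acl.Access | Where-Object { -not $_.IsInherited })) {
        [pscustomobject]@{
            Identity  = $ace.IdentityReference.Value
            Type      = $ace.AccessControlType
            Rights    = $ace.ActiveDirectoryRights
            Right     = Resolve-Guid $ace.ObjectType           # e.g. Reset Password
            AppliesTo = Resolve-Guid $ace.InheritedObjectType  # e.g. user objects
        }
    }
}

function Remove-OuDelegation {
    param([Parameter(Mandatory)][string]$OuDN,
          [Parameter(Mandatory)][string]$Identity)  # 'DOMAIN\Group'
    $acl = Get-Acl -Path "AD:\$OuDN"
    # Materialise the list first; removing while enumerating $acl.Access is unsafe.
    $targets = @($acl.Access | Where-Object {
        -not $_.IsInherited -and $_.IdentityReference.Value -eq $Identity })
    foreach ($ace in $targets) { [void]$acl.RemoveAccessRule($ace) }
    Set-Acl -Path "AD:\$OuDN" -AclObject $acl
    return $targets.Count   # 0 means nothing was delegated to $Identity on this OU
}

# Usage with placeholder OU: audit, remove Help_Desk's entries, then audit again.
$ou = 'OU=Employees,DC=pioneers,DC=lab'
Get-OuDelegation -OuDN $ou | Format-Table -AutoSize
Remove-OuDelegation -OuDN $ou -Identity 'PIONEERS\Help_Desk'
Get-OuDelegation -OuDN $ou | Format-Table -AutoSize
```

Run it as an account that owns or has WriteDacl on the OU; the second audit should no longer list Help_Desk, which is the check that the removal actually took effect.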
Conclusion
Delegated access enables a set of users to perform tasks that are normally performed by Domain Admins, while restricting them to the OU on which the rights are delegated.