Title: Extended Rights

You want to edit a file called "dssec.dat" in Notepad to make the rights you want visible.

-----Original Message-----
From: Kent Maxwell [mailto:[EMAIL PROTECTED]
Sent: Tuesday, February 24, 2004 10:28 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Extended Rights

Ok, I must be crazy.  I read the "Best Practices of Delegating Active Directory Administration".  I have defined my service administration and data administration model.

I started to define the physical infrastructure.  The first step is to create a Universal group that will be a Forest Configuration Operators Role.  Per the Microsoft Documentation I need to grant the following rights:

1.      Grant this group permissions required to perform assigned Installation Management tasks.

a.      Grant this group the DS-Replication-Get-Changes extended right on the following objects:

·       CN=Configuration, DC=<Forest-Root-Domain>
·       CN=Schema, CN=Configuration, DC=<Forest-Root-Domain>

b.      Grant this group the DS-Replication-Manage Topology extended right on the following objects:

·       CN=Configuration, DC=<Forest-Root-Domain>
·       CN=Schema, CN=Configuration, DC=<Forest-Root-Domain>

c.      In a Windows 2000 Active Directory environment, additionally grant this group the DS-Replication-Get-Changes-All extended right on the following objects:

·       CN=Configuration, DC=<Forest-Root-Domain>
·       CN=Schema, CN=Configuration, DC=<Forest-Root-Domain>

d.      In a Windows 2000 Active Directory environment, additionally grant this group the DS-Replication-Monitor-Topology extended right on the following objects:

·       CN=Configuration, DC=<Forest-Root-Domain>
·       CN=Schema, CN=Configuration, DC=<Forest-Root-Domain>

e.      Grant this group the following permissions:

·       Read All Properties on CN=Sites, CN=Configuration, DC=<Forest-Root-Domain> (Inheritable - apply onto this object and all child objects)

·       Create All Child Objects on CN=Servers, CN=<Site>, CN=Sites, CN=Configuration, DC=<Forest-Root-Domain> (Inheritable - apply onto this object and all child objects)

·       Create Computer objects on OU=Domain Controllers,DC=<domain>
·       Full Control to "Creator Owner" on CN=Sites, CN=Configuration, DC=<Forest-Root-Domain> (Inheritable - apply onto this object and all child objects)

f.      Grant this group the "Enable computer and user accounts to be trusted for delegation" user right by modifying the default domain controller security policy for this domain.

g.      Finally, when a member of this group needs to add a replica DC, he/she must be granted Full Control on the computer object representing the server that is being promoted and must be made a member of the Local Administrators group on that computer.

2.      Grant this group permissions required to perform assigned Operations Master Role Management tasks.

h.      Grant this group the Change-Schema-Master extended right on cn=Schema, CN=Configuration, DC=<Forest-Root-Domain>

i.      Grant this group the Change-Domain-Master extended right on cn=Partitions, CN=Configuration, DC=<Forest-Root-Domain>

j.      Grant this group Write-Property permissions to write the fSMORoleOwner property on cn=Schema, CN=Configuration, DC=<Forest-Root-Domain>

k.      Grant this group Write-Property permissions to write the fSMORoleOwner property on cn=Partitions, CN=Configuration, DC=<Forest-Root-Domain>

3.      Grant this group permissions required to protect and manage trusts for the entire forest.

a.      In each domain, grant this group the following permissions:

·       Create Trusted-Domain objects on CN=System, DC=<domain>
·       Delete Trusted-Domain objects on CN=System, DC=<domain>
·       Write-Property to all attributes on Trusted-Domain objects CN=System, DC=<domain> (Inheritable ACE, applies to Trust objects)

·       Additionally, if members of this group will use Active Directory trust management tools, make this group a member of the BuiltIn Admins group in the domain

4.      Grant this group permissions required to perform LDAP policy management:

a.      Grant this group Create Child permissions to create Query-Policy objects in the cn=Query-Policies,cn=Directory Service,cn=Windows NT,cn=Services,cn=Configuration, DC=<Forest-Root-Domain> container

b.      Grant this group Delete Child permissions to create Query-Policy objects in the cn=Query-Policies,cn=Directory Service,cn=Windows NT,cn=Services,cn=Configuration, DC=<Forest-Root-Domain> container.

c.      Grant this group Write All Properties permissions on Query-Policy objects in the cn=Query-Policies,cn=Directory Service,cn=Windows NT,cn=Services,cn=Configuration, DC=<Forest-Root-Domain> container. (Inheritable permissions)

d.      To perform advanced LDAP policy administrative tasks such as affecting the LDAP query policies associated with a specific domain controller or with all domain controllers in a specific site, additional permissions might be required - to grant these permissions refer to "Appendix A: Active Directory Administrative Tasks."

It's great to have all this direction, except I have no freaking clue how to grant these extended rights.  What tool do I use?  How do I make this work?  Did I miss something in the "Best Practices for Delegating Active Directory Administration" document?  If so, please direct me to the page that tells me how to physically do this.  Any help on this will be greatly appreciated because I am completely in the dark!

Kent
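Kent's question of how to physically grant an extended right, as an added PowerShell example that is not from the thread or from Microsoft's document: it resolves the right by its displayName in the Extended-Rights container (ACEs reference the rightsGuid, not the name), adds the ACE to the target object, and then lists who holds extended rights on that object so the grant can be reviewed. The group, forest DN and right names in the usage lines are assumed placeholders; the caller must be able to write the target's security descriptor.

```powershell
# Added example, not code from the thread. Requires the ActiveDirectory module (RSAT).
Import-Module ActiveDirectory

function Grant-ExtendedRight {
    param(
        [Parameter(Mandatory)] [string]$GroupSam,   # placeholder, e.g. 'ForestConfigOperators'
        [Parameter(Mandatory)] [string]$TargetDN,   # e.g. 'CN=Configuration,DC=corp,DC=example'
        [Parameter(Mandatory)] [string]$RightName   # displayName under CN=Extended-Rights
    )
    $rootDse  = Get-ADRootDSE
    $rightsDN = "CN=Extended-Rights,$($rootDse.configurationNamingContext)"
    # An extended right is identified in the ACL by its rightsGuid, so look that up first.
    $right = Get-ADObject -SearchBase $rightsDN -LDAPFilter "(displayName=$RightName)" -Properties rightsGuid
    if (-not $right) { throw "Extended right '$RightName' not found under $rightsDN" }
    $guid = [Guid]$right.rightsGuid
    $sid  = (Get-ADGroup $GroupSam).SID
    $acl  = Get-Acl -Path "AD:\$TargetDN"
    # Allow ExtendedRight for this one GUID on the object itself (no inheritance),
    # which matches how the document scopes the per-object grants above.
    $ace = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
        $sid,
        [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight,
        [System.Security.AccessControl.AccessControlType]::Allow,
        $guid,
        [System.DirectoryServices.ActiveDirectorySecurityInheritance]::None)
    $acl.AddAccessRule($ace)
    Set-Acl -Path "AD:\$TargetDN" -AclObject $acl
}

function Get-ExtendedRightHolders {
    # Review helper: every ACE on the target that carries ExtendedRight, with the GUID
    # translated back to the right's name. An empty ObjectType means ALL extended rights.
    param([Parameter(Mandatory)] [string]$TargetDN)
    $rootDse  = Get-ADRootDSE
    $rightsDN = "CN=Extended-Rights,$($rootDse.configurationNamingContext)"
    $names = @{}
    Get-ADObject -SearchBase $rightsDN -LDAPFilter '(objectClass=controlAccessRight)' -Properties displayName, rightsGuid |
        ForEach-Object { $names[([Guid]$_.rightsGuid).Guid] = $_.displayName }
    (Get-Acl -Path "AD:\$TargetDN").Access |
        Where-Object { $_.ActiveDirectoryRights -band [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight } |
        Select-Object IdentityReference, AccessControlType,
            @{ n = 'Right'; e = { if ($_.ObjectType -eq [Guid]::Empty) { 'ALL extended rights' } else { $names[$_.ObjectType.Guid] } } }
}

# Usage with placeholder values (step 1b of the document):
# Grant-ExtendedRight -GroupSam 'ForestConfigOperators' -TargetDN 'CN=Configuration,DC=corp,DC=example' -RightName 'DS-Replication-Manage-Topology'
# Get-ExtendedRightHolders -TargetDN 'CN=Configuration,DC=corp,DC=example' | Format-Table -AutoSize
```

Run Get-ExtendedRightHolders before and after the grant; the second call should show exactly one new Allow ACE for the group, and anything else listed there is worth accounting for.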

