You can do this in two places: you can edit dssec.dat as mentioned to
expose extra rights, or you can use ADSIEDIT, which has no limitations. The drawback
to editing dssec.dat is that you need to do it on all the machines you want to
delegate from, and you need to know what the entries/rights mean, which can be
daunting, especially when you're starting out. ADSIEDIT at least exposes all the
rights in the GUI, so there's no guesswork about whether you've exposed the
right thing or not. Do your delegation out of ADSIEDIT, which is
available in the support tools section of your CD. ADSIEDIT shows all the rights
available for delegation at an object or attribute level. ADUC is not a great place
for exposing too many rights, since the interface gets cluttered too quickly. I suggest
that if you need/want to use ADUC for delegation, you only expose the rights you need for
user/comp/ou/share/etc. type roles, and do everything else out of ADSIEDIT. I would strongly suggest you do your delegation
out of ADSIEDIT or use a third party delegation tool which gives you track/audit
and undo, ESPECIALLY if you're playing in live, as ADSIEDIT is a lot like
regedit: you have to know what you're doing, otherwise you might have
to use dsacls to set ACEs/ACLs back to factory default, which will break other directory-
enabled apps. If you cannot get access to a third party tool,
may I strongly suggest that whatever you need to do, you do it programmatically, i.e.
via a script in your lab, and then use the same script to roll out in live. That
removes finger trouble and uncertainty. It also gives you a bit of an audit trail as
to what you've done ;) The ability to delegate is an enormously powerful
tool; this requires that you do some background reading on what your delegation
will affect, how the inheritance model works, etc. There are a number of
excellent books on the subject, for which you could gain a number of suggestions
from this forum.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Kent Maxwell

Ok,
I must be crazy. I read the "Best Practices of Delegating Active
Directory Administration". I have defined my service administration
and data administration model. I started to define the physical
infrastructure. The first step is to create a Universal group that
will be a Forest Configuration Operators Role. Per the Microsoft
documentation I need to grant the following rights:

1. Grant this group permissions required to perform assigned
   Installation Management tasks.
   a. Grant this group the DS-Replication-Get-Changes extended right
      on the following objects:
      - CN=Configuration,DC=<Forest-Root-Domain>
   b. Grant this group the DS-Replication-Manage Topology extended
      right on the following objects:
      - CN=Configuration,DC=<Forest-Root-Domain>
   c. In a Windows 2000 Active Directory environment, additionally
      grant this group the DS-Replication-Get-Changes-All extended
      right on the following objects:
      - CN=Configuration,DC=<Forest-Root-Domain>
   d. In a Windows 2000 Active Directory environment, additionally
      grant this group the DS-Replication-Monitor-Topology extended
      right on the following objects:
      - CN=Configuration,DC=<Forest-Root-Domain>
   e. Grant this group the following permissions:
      - Read All Properties on CN=Sites,CN=Configuration,DC=<Forest-Root-Domain>
        (Inheritable - apply onto this object and all child objects)
      - Create All Child Objects on
        CN=Servers,CN=<Site>,CN=Sites,CN=Configuration,DC=<Forest-Root-Domain>
        (Inheritable - apply onto this object and all child objects)
      - Create Computer objects on OU=Domain Controllers,DC=<domain>
   f. Grant this group the "Enable computer and user accounts to be
      trusted for delegation" user right by modifying the default
      domain controller security policy for this domain.
   g. Finally, when a member of this group needs to add a replica DC,
      he/she must be granted Full Control on the computer object
      representing the server that is being promoted and must be made
      a member of the Local Administrators group on that computer.

2. Grant this group permissions required to perform assigned
   Operations Master Role Management tasks.
   h. Grant this group the Change-Schema-Master extended right on
      cn=Schema,CN=Configuration,DC=<Forest-Root-Domain>
   i. Grant this group the Change-Domain-Master extended right on
      cn=Partitions,CN=Configuration,DC=<Forest-Root-Domain>
   j. Grant this group Write-Property permissions to write the
      fSMORoleOwner property on cn=Schema,CN=Configuration,DC=<Forest-Root-Domain>
   k. Grant this group Write-Property permissions to write the
      fSMORoleOwner property on cn=Partitions,CN=Configuration,DC=<Forest-Root-Domain>

3. Grant this group permissions required to protect and manage trusts
   for the entire forest.
   a. In each domain, grant this group the following permissions:
      - Create Trusted-Domain objects on CN=System,DC=<domain>
      - Additionally, if members of this group will use Active
        Directory trust management tools, make this group a member of
        the BuiltIn Admins group in the domain

4. Grant this group permissions required to perform LDAP policy
   management:
   a. Grant this group Create Child permissions to create Query-Policy
      objects in the
      cn=Query-Policies,cn=Directory Service,cn=Windows NT,cn=Services,cn=Configuration,DC=<Forest-Root-Domain>
      container
   b. Grant this group Delete Child permissions to create Query-Policy
      objects in the
      cn=Query-Policies,cn=Directory Service,cn=Windows NT,cn=Services,cn=Configuration,DC=<Forest-Root-Domain>
      container.
   c. Grant this group Write All Properties permissions on Query-Policy
      objects in the
      cn=Query-Policies,cn=Directory Service,cn=Windows NT,cn=Services,cn=Configuration,DC=<Forest-Root-Domain>
      container. (Inheritable permissions)
   d. To perform advanced LDAP policy administrative tasks such as
      affecting the LDAP query policies associated with a specific
      domain controller or with all domain controllers in a specific
      site, additional permissions might be required - to grant these
      permissions refer to "Appendix A: Active Directory Administrative
      Tasks".

It's great to have all this direction, except I have no freaking clue
how to grant these extended rights. What tool do I use? How do I make
this work? Did I miss something in the "Best Practices of Delegating
Active Directory Administration" document? If so, please direct me to
the page that tells me how to physically do this. Any help on this will
be greatly appreciated because I am completely in the dark!
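The reply above recommends doing delegation from a script so that the same change is tested in a lab, repeated in live, and leaves an audit trail. The following is an added example written for this thread (it is not code from either poster or from the Microsoft document Kent cites). It resolves extended-right names such as DS-Replication-Manage-Topology to the rightsGuid values that actually appear in an ACE, lists which principals currently hold extended rights on an object, and grants one right to a group after saving the object's prior SDDL so the change can be undone. It assumes the ActiveDirectory PowerShell module (and its AD: drive) is available, that the caller already has the permissions needed to modify the object's ACL, and it uses the placeholder group name 'Forest-Config-Operators'.

```powershell
# Added example, not from the thread. Assumes the ActiveDirectory module.
Import-Module ActiveDirectory

# Build a lookup from extended-right name (both the CN, e.g.
# DS-Replication-Manage-Topology, and the displayName) to its rightsGuid.
# The GUID is what is stored in the ACE's ObjectType field.
function Get-ExtendedRightMap {
    $container = "CN=Extended-Rights,$((Get-ADRootDSE).configurationNamingContext)"
    $map = @{}
    Get-ADObject -SearchBase $container -LDAPFilter '(objectClass=controlAccessRight)' `
        -Properties displayName, rightsGuid |
        ForEach-Object {
            $map[$_.Name]        = [guid]$_.rightsGuid
            $map[$_.displayName] = [guid]$_.rightsGuid
        }
    return $map
}

# Audit: list every ACE on $ObjectDN that grants or denies an extended right,
# with the GUID resolved back to a readable name (or "All extended rights"
# when the ACE has an empty ObjectType, i.e. it covers every extended right).
function Get-ExtendedRightAces {
    param([Parameter(Mandatory)][string]$ObjectDN)
    $byGuid = @{}
    foreach ($kv in (Get-ExtendedRightMap).GetEnumerator()) { $byGuid[$kv.Value] = $kv.Key }
    $acl = Get-Acl -Path "AD:\$ObjectDN"
    foreach ($ace in $acl.Access) {
        $isExtended = ($ace.ActiveDirectoryRights -band
            [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight) -ne 0
        if (-not $isExtended) { continue }
        $name = if ($ace.ObjectType -eq [guid]::Empty) { 'All extended rights' }
                elseif ($byGuid.ContainsKey($ace.ObjectType)) { $byGuid[$ace.ObjectType] }
                else { $ace.ObjectType.ToString() }
        [pscustomobject]@{
            Identity    = $ace.IdentityReference.Value
            Right       = $name
            Type        = $ace.AccessControlType
            Inheritance = $ace.InheritanceType
        }
    }
}

# Change: grant one extended right to one group on one object. The object's
# current SDDL is written to a timestamped file first; restoring it with
# SetSecurityDescriptorSddlForm and Set-Acl reverts the change.
function Grant-ExtendedRight {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$ObjectDN,
        [Parameter(Mandatory)][string]$GroupSamAccountName,
        [Parameter(Mandatory)][string]$RightName,
        [string]$BackupDir = "$env:TEMP\acl-backup"
    )
    $map = Get-ExtendedRightMap
    if (-not $map.ContainsKey($RightName)) { throw "Unknown extended right '$RightName'" }
    $group = Get-ADGroup -Identity $GroupSamAccountName
    $sid   = [System.Security.Principal.SecurityIdentifier]$group.SID
    $acl   = Get-Acl -Path "AD:\$ObjectDN"

    New-Item -ItemType Directory -Path $BackupDir -Force | Out-Null
    $backup = Join-Path $BackupDir ("{0}.sddl" -f (Get-Date -Format 'yyyyMMdd-HHmmss'))
    $acl.Sddl | Set-Content -Path $backup

    # ActiveDirectoryAccessRule(identity, rights, type, objectType GUID, inheritance)
    $ace = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
        $sid,
        [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight,
        [System.Security.AccessControl.AccessControlType]::Allow,
        $map[$RightName],
        [System.DirectoryServices.ActiveDirectorySecurityInheritance]::None)

    if ($PSCmdlet.ShouldProcess($ObjectDN, "Grant $RightName to $($group.Name)")) {
        $acl.AddAccessRule($ace)
        Set-Acl -Path "AD:\$ObjectDN" -AclObject $acl
    }
    return $backup   # path of the pre-change SDDL, for the audit trail / undo
}

# Example run against the Configuration NC with a placeholder group name.
# -WhatIf shows the intended change without applying it; drop it to commit.
$configNC = (Get-ADRootDSE).configurationNamingContext
Grant-ExtendedRight -ObjectDN $configNC -GroupSamAccountName 'Forest-Config-Operators' `
    -RightName 'DS-Replication-Manage-Topology' -WhatIf
Get-ExtendedRightAces -ObjectDN $configNC | Format-Table -AutoSize
```

Run the audit function before and after a change and keep both outputs with the SDDL file: together they answer the question the reply raises about knowing what each entry means and being able to put it back. The inheritance flag is set to None here because the rights in the list are granted on the Configuration container itself; for the entries that say "apply onto this object and all child objects", use ActiveDirectorySecurityInheritance::All instead.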
Title: Extended Rights
- [ActiveDir] Extended Rights Kent Maxwell
- RE: [ActiveDir] Extended Rights Nicolas Blank
- RE: [ActiveDir] Extended Rights Kern, Tom
- RE: [ActiveDir] Extended Rights GRILLENMEIER,GUIDO (HP-Germany,ex1)
