Although I totally agree with what Nicolas said on the topic of how to go about managing delegation (better to use tools or scripts), I would simply suggest not implementing the role you're planning on setting up at all.

You don't want anyone but those who are also responsible for your forest (i.e. Enterprise Admins) to change the forest configuration. As such, you don't need to grant any special permissions at all - simply leave the task of changing the forest configuration up to the few enterprise admins that you define.

It was a rather debatable topic during the review of the guide whether this role should be included at all; however, MS just wanted you to know which permissions you'd need to set if you really want to. That doesn't mean it's recommended - I would say it is not.
/Guido

From: Nicolas Blank [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, 25 February 2004 08:53
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Extended Rights

You can do this in two places - you can edit dssec.dat as mentioned to expose extra rights, or you can use ADSIEDIT, which has no limitations. The drawback to editing dssec.dat is that you need to do it on all the machines you want to delegate from, and you need to know what the entries/rights mean, which can be daunting, especially when you're starting out. ADSIEDIT at least exposes all the rights in the GUI, so there's no guesswork as to whether you've exposed the right thing or not.

Do your delegation out of ADSIEDIT, which is available in the support tools section of your CD. ADSIEDIT shows all the rights available for delegation on an object or attribute level. ADUC is not a great place for exposing too many rights, since the interface gets cluttered too quickly. I suggest that if you need/want to use ADUC for delegation, you only expose the rights you need to for user/comp/ou/share/etc. type roles, and do everything else out of ADSIEDIT.

I would strongly suggest you do your delegation out of ADSIEDIT or use a third-party delegation tool which gives you track/audit and undo, ESPECIALLY if you're playing in live, as ADSIEDIT is a lot like regedit - you have to know what you're doing, otherwise you might have to use dsacls to set ACEs/ACLs back to factory default, which will break other directory-enabled apps.

If you cannot get access to a third-party tool, may I strongly suggest that whatever you need to do, you do programmatically, i.e. via a script in your lab, and then use the same script to roll out in live - it removes finger trouble and uncertainty. It also gives you a bit of an audit trail as to what you've done ;)

The ability to delegate is an enormously powerful tool; this requires that you do some background reading on what your delegation will affect, how the inheritance model works, etc. There are a number of excellent books on the subject, for which you could gain a number of suggestions from this forum.

From:
[EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Kent Maxwell

Ok, I must be crazy. I read the "Best Practices for Delegating Active Directory Administration". I have defined my service administration and data administration model. I started to define the physical infrastructure. The first step is to create a Universal group that will be a Forest Configuration Operators role. Per the Microsoft documentation I need to grant the following rights:

1. Grant this group permissions required to perform assigned Installation Management tasks.
   a. Grant this group the DS-Replication-Get-Changes extended right on the following objects:
      - CN=Configuration, DC=<Forest-Root-Domain>
   b. Grant this group the DS-Replication-Manage-Topology extended right on the following objects:
      - CN=Configuration, DC=<Forest-Root-Domain>
   c. In a Windows 2000 Active Directory environment, additionally grant this group the DS-Replication-Get-Changes-All extended right on the following objects:
      - CN=Configuration, DC=<Forest-Root-Domain>
   d. In a Windows 2000 Active Directory environment, additionally grant this group the DS-Replication-Monitor-Topology extended right on the following objects:
      - CN=Configuration, DC=<Forest-Root-Domain>
   e. Grant this group the following permissions:
      - Read All Properties on CN=Sites, CN=Configuration, DC=<Forest-Root-Domain> (Inheritable - apply onto this object and all child objects)
      - Create All Child Objects on CN=Servers, CN=<Site>, CN=Sites, CN=Configuration, DC=<Forest-Root-Domain> (Inheritable - apply onto this object and all child objects)
      - Create Computer objects on OU=Domain Controllers, DC=<domain>
   f. Grant this group the "Enable computer and user accounts to be trusted for delegation" user right by modifying the default domain controller security policy for this domain.
   g. Finally, when a member of this group needs to add a replica DC, he/she must be granted Full Control on the computer object representing the server that is being promoted and must be made a member of the Local Administrators group on that computer.
2. Grant this group permissions required to perform assigned Operations Master Role Management tasks.
   h. Grant this group the Change-Schema-Master extended right on cn=Schema, CN=Configuration, DC=<Forest-Root-Domain>
   i. Grant this group the Change-Domain-Master extended right on cn=Partitions, CN=Configuration, DC=<Forest-Root-Domain>
   j. Grant this group Write-Property permissions to write the fSMORoleOwner property on cn=Schema, CN=Configuration, DC=<Forest-Root-Domain>
   k. Grant this group Write-Property permissions to write the fSMORoleOwner property on cn=Partitions, CN=Configuration, DC=<Forest-Root-Domain>
3. Grant this group permissions required to protect and manage trusts for the entire forest.
   a. In each domain, grant this group the following permissions:
      - Create Trusted-Domain objects on CN=System, DC=<domain>
      - Additionally, if members of this group will use Active Directory trust management tools, make this group a member of the BuiltIn Admins group in the domain
4. Grant this group permissions required to perform LDAP policy management:
   a. Grant this group Create Child permissions to create Query-Policy objects in the cn=Query-Policies,cn=Directory Service,cn=Windows NT,cn=Services,cn=Configuration, DC=<Forest-Root-Domain> container
   b. Grant this group Delete Child permissions to create Query-Policy objects in the cn=Query-Policies,cn=Directory Service,cn=Windows NT,cn=Services,cn=Configuration, DC=<Forest-Root-Domain> container.
   c. Grant this group Write All Properties permissions on Query-Policy objects in the cn=Query-Policies,cn=Directory Service,cn=Windows NT,cn=Services,cn=Configuration, DC=<Forest-Root-Domain> container. (Inheritable permissions)
   d. To perform advanced LDAP policy administrative tasks such as affecting the LDAP query policies associated with a specific domain controller or with all domain controllers in a specific site, additional permissions might be required - to grant these permissions refer to "Appendix A: Active Directory Administrative Tasks".

It's great to have all this direction, except I have no freaking clue how to grant these extended rights. What tool do I use? How do I make this work? Did I miss something in the "Best Practices for Delegating Active Directory Administration" document? If so, please direct me to the page that tells me how to physically do this. Any help on this will be greatly appreciated because I am completely in the dark!
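Nicolas's advice above is to script the delegation in a lab and rerun the same script in production; Kent's question is which tool actually writes these extended rights. The PowerShell script below is an added example for this thread, not code from any of the posters or from Microsoft's guide. It writes the object-level ACEs for items 1a, 1b, 1e and 2h-2k of the list with System.DirectoryServices, resolving each right's GUID from the forest itself rather than from a document, and then reads the ACL back as an audit trail. Everything environment-specific is a hypothetical assumption: NetBIOS domain CORP, a universal group CORP\FCO-Operators, the forest root domain standing in for DC=<domain> in the Domain Controllers OU, and Default-First-Site-Name for CN=<Site>. It must run as an Enterprise Admin. Items 1c/1d (Windows 2000 only) use the same ExtendedRight call with their own cn; 1f is a user right set in domain controller policy, not an ACE; 3 and 4 are CreateChild/DeleteChild ACEs scoped to the trustedDomain and queryPolicy classes, which the same Grant-Ace function handles once you pass those schema GUIDs.

```powershell
# Added example (not code from the thread, Microsoft's guide, or any poster).
# Grants a universal group the object-level ACEs from items 1a, 1b, 1e and
# 2h-2k above with System.DirectoryServices, then reads the ACL back as an
# audit trail. Hypothetical assumptions: NetBIOS domain CORP, group
# CORP\FCO-Operators, forest root domain used for the Domain Controllers OU,
# site Default-First-Site-Name, run as an Enterprise Admin. Run with -DryRun
# in the lab first, then the same script in production.
param([switch]$DryRun)

Add-Type -AssemblyName System.DirectoryServices

$rootDse  = [ADSI]"LDAP://RootDSE"
$configNC = [string]$rootDse.configurationNamingContext    # CN=Configuration,DC=...
$schemaNC = [string]$rootDse.schemaNamingContext
$forestDN = $configNC -replace '^CN=Configuration,', ''     # DC=<Forest-Root-Domain>
$site     = "Default-First-Site-Name"                       # assumption: CN=<Site>
$account  = New-Object System.Security.Principal.NTAccount("CORP", "FCO-Operators")
$groupSid = $account.Translate([System.Security.Principal.SecurityIdentifier])

# Resolve the GUID an object-specific ACE needs: the rightsGuid of an extended
# right (by its cn under CN=Extended-Rights) or the schemaIDGUID of an attribute
# or class (by lDAPDisplayName). Looking it up beats copying GUIDs from a document.
function Get-AceGuid {
    param([string]$Name, [ValidateSet("ExtendedRight", "Schema")][string]$Kind)
    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    if ($Kind -eq "ExtendedRight") {
        $searcher.SearchRoot = [ADSI]"LDAP://CN=Extended-Rights,$configNC"
        $searcher.Filter = "(&(objectClass=controlAccessRight)(cn=$Name))"
        [void]$searcher.PropertiesToLoad.Add("rightsGuid")
    } else {
        $searcher.SearchRoot = [ADSI]"LDAP://$schemaNC"
        $searcher.Filter = "(lDAPDisplayName=$Name)"
        [void]$searcher.PropertiesToLoad.Add("schemaIDGUID")
    }
    $result = $searcher.FindOne()
    if (-not $result) { throw "No $Kind named '$Name' in this forest" }
    if ($Kind -eq "ExtendedRight") { return [Guid]$result.Properties["rightsGuid"][0] }
    $bytes = [byte[]]$result.Properties["schemaIDGUID"][0]     # octet string -> Guid
    return New-Object -TypeName Guid -ArgumentList (,$bytes)
}

# Add one Allow ACE for the group. $ObjectType narrows the ACE to one extended
# right, attribute or child class (Guid.Empty = all); $Inherit = All is the
# guide's "apply onto this object and all child objects".
function Grant-Ace {
    param(
        [string]$Dn, [string]$Label,
        [System.DirectoryServices.ActiveDirectoryRights]$Rights,
        [Guid]$ObjectType = [Guid]::Empty,
        [System.DirectoryServices.ActiveDirectorySecurityInheritance]$Inherit = "None"
    )
    $rule = New-Object System.DirectoryServices.ActiveDirectoryAccessRule -ArgumentList `
        $groupSid, $Rights, ([System.Security.AccessControl.AccessControlType]::Allow), $ObjectType, $Inherit
    Write-Host ("{0,-26} {1,-14} {2}" -f $Label, $Rights, $Dn)   # the audit line
    if ($DryRun) { return }
    $entry = [ADSI]"LDAP://$Dn"
    $entry.psbase.ObjectSecurity.AddAccessRule($rule)
    $entry.psbase.CommitChanges()
}

# Audit trail: every explicit ACE on a DN that names the group.
function Get-GroupAces {
    param([string]$Dn)
    $acl = ([ADSI]"LDAP://$Dn").psbase.ObjectSecurity
    $acl.GetAccessRules($true, $false, [System.Security.Principal.SecurityIdentifier]) |
        Where-Object { $_.IdentityReference.Value -eq $groupSid.Value } |
        Select-Object @{n = "Dn"; e = { $Dn }}, ActiveDirectoryRights, ObjectType, InheritanceType
}

# 1a, 1b: replication extended rights on the Configuration NC head
foreach ($cn in "DS-Replication-Get-Changes", "DS-Replication-Manage-Topology") {
    Grant-Ace -Dn $configNC -Label $cn -Rights ExtendedRight -ObjectType (Get-AceGuid $cn ExtendedRight)
}
# 1e: read everything under CN=Sites, create any child under the site's CN=Servers,
#     create computer objects in the Domain Controllers OU
Grant-Ace -Dn "CN=Sites,$configNC" -Label "Read All Properties" -Rights ReadProperty -Inherit All
Grant-Ace -Dn "CN=Servers,CN=$site,CN=Sites,$configNC" -Label "Create All Child Objects" -Rights CreateChild -Inherit All
Grant-Ace -Dn "OU=Domain Controllers,$forestDN" -Label "Create Computer objects" -Rights CreateChild `
          -ObjectType (Get-AceGuid computer Schema)
# 2h-2k: FSMO transfer rights plus write access to fSMORoleOwner on the role holders
$fsmoAttr = Get-AceGuid fSMORoleOwner Schema
Grant-Ace -Dn "CN=Schema,$configNC" -Label "Change-Schema-Master" -Rights ExtendedRight `
          -ObjectType (Get-AceGuid Change-Schema-Master ExtendedRight)
Grant-Ace -Dn "CN=Schema,$configNC" -Label "Write fSMORoleOwner" -Rights WriteProperty -ObjectType $fsmoAttr
Grant-Ace -Dn "CN=Partitions,$configNC" -Label "Change-Domain-Master" -Rights ExtendedRight `
          -ObjectType (Get-AceGuid Change-Domain-Master ExtendedRight)
Grant-Ace -Dn "CN=Partitions,$configNC" -Label "Write fSMORoleOwner" -Rights WriteProperty -ObjectType $fsmoAttr

if (-not $DryRun) {
    $configNC, "CN=Sites,$configNC", "CN=Schema,$configNC", "CN=Partitions,$configNC", "OU=Domain Controllers,$forestDN" |
        ForEach-Object { Get-GroupAces -Dn $_ } | Format-Table -AutoSize
}
```

For comparison, the first ACE the script writes is what dsacls expresses as `dsacls "CN=Configuration,DC=corp,DC=example" /G "CORP\FCO-Operators:CA;Replicating Directory Changes"` (dsacls takes the right's display name, the script looks it up by its cn). Two caveats a practitioner should keep in mind: the DS-Replication-Get-Changes rights are the ones domain controllers themselves use to pull replication data, and the same right granted on a domain naming context together with DS-Replication-Get-Changes-All lets the holder replicate password hashes, so keep the grant scoped to the Configuration NC exactly as the list says; and, as Guido notes above, the least-privilege answer may be to leave these with Enterprise Admins rather than creating the role at all.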
Title: Extended Rights
- [ActiveDir] Extended Rights Kent Maxwell
- RE: [ActiveDir] Extended Rights Nicolas Blank
- RE: [ActiveDir] Extended Rights Kern, Tom
- RE: [ActiveDir] Extended Rights GRILLENMEIER,GUIDO (HP-Germany,ex1)
