Questions raised on the AD Delegation model.
The Delegation Model grants controlled and specific rights to administrators without relying on privileged groups such as Domain Admins.
This section refers to all topics of the model.
No. Once a user becomes a member of a highly privileged group, there is no technical restriction: he or she can create, change or delete any other administrator. This is the problem with big AD implementations, which did not consider a […]
Can we delegate “exclusive” administrator tasks? Yes. Active Directory is extremely granular when it comes to delegation. We can delegate the task of managing: a full partition; certain kinds of objects within a given partition; attribute sets for an object; or specific attributes.
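As an added example that is not from the original post: the finest of these levels, delegating write access to two specific attributes of user objects under one OU, done with the RSAT ActiveDirectory module. The OU distinguished name and the group name are placeholders; the attribute and class GUIDs are looked up in the schema rather than hard-coded.

```powershell
# Added example (not the original post's code). Requires the RSAT ActiveDirectory module.
# Placeholders: the OU and the delegated group below do not exist in the original page.
Import-Module ActiveDirectory

$ouDN     = 'OU=Users,OU=Corp,DC=example,DC=com'   # placeholder OU
$groupSam = 'SG_UserAttr_Admins'                   # placeholder delegated group
$schemaNC = (Get-ADRootDSE).schemaNamingContext

# Resolve the schemaIDGUID of a class or attribute from the schema instead of hard-coding GUIDs.
function Get-SchemaGuid {
    param([string]$LdapDisplayName)
    $obj = Get-ADObject -SearchBase $schemaNC `
        -LDAPFilter "(lDAPDisplayName=$LdapDisplayName)" -Properties schemaIDGUID
    if (-not $obj) { throw "Schema object '$LdapDisplayName' not found" }
    [guid]$obj.schemaIDGUID
}

$userClassGuid = Get-SchemaGuid 'user'
$sid = (Get-ADGroup $groupSam).SID

$acl = Get-Acl -Path "AD:\$ouDN"

# "Specific attributes" level: WriteProperty on 'department' and 'telephoneNumber' only,
# applied to descendant objects of class 'user' (the OU itself gets no rights).
foreach ($attr in 'department', 'telephoneNumber') {
    $rule = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
        $sid,
        [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty,
        [System.Security.AccessControl.AccessControlType]::Allow,
        (Get-SchemaGuid $attr),
        [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents,
        $userClassGuid)
    $acl.AddAccessRule($rule)
}

Set-Acl -Path "AD:\$ouDN" -AclObject $acl

# Verify: list the ACEs now granted to the delegated group on this OU.
(Get-Acl -Path "AD:\$ouDN").Access |
    Where-Object { $_.IdentityReference -like "*\$groupSam" } |
    Select-Object ActiveDirectoryRights, ObjectType, InheritedObjectType, InheritanceType
```

The verification step is worth running after every delegation change, since an ACE with an empty ObjectType would grant write access to every attribute rather than the two intended ones.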
Can we have Split-Delegation? Yes. A split-delegation is when two different teams have similar rights over the same object. This is very common and is recommended for splitting load between teams. A very common scenario is: the user provisioning team is […]
What should be delegated? As with the previous question, this is quite hard to answer individually. The simplest, easiest, most common and worst thing we can do is to assign Administrator rights. We must completely avoid this approach, as is […]
To whom do I need to delegate? Well, this is a very generic and difficult question to answer, or at least it is without several more questions following it. We need to identify any person who is making a […]
Do I need to delegate authority? YES. 99% of AD implementations do need to delegate authority, even if a small team is administering the environment. The exception to the rule might be when ONLY one administrator is in place and […]