No. Once a user becomes a member of a highly privileged group, there is no technical restriction. Because of this, he or she can create, change or delete any other administrator. This is the problem with big AD implementations that did not consider a proper Delegation model (or a 3rd party tool that might provide this functionality). Restricting Privileged Users is not possible. This […]
Group: Delegation Model
Questions raised on the AD Delegation model.
The Delegation Model grants controlled and specific rights to administrators without using privileged groups such as Domain Admins.
This section will make reference to all topics of the model.
Can we delegate “exclusive” administrator tasks?
Can we delegate “exclusive” administrator tasks? Yes. Active Directory is extremely granular when it comes to delegation. We can delegate the task of managing:
- a full partition
- a certain kind of object within a given partition
- attribute sets for an object
- specific attributes
Can we have Split-Delegation?
Can we have Split-Delegation? Yes. A split-delegation is when 2 different teams have similar rights within the same object. This is very common and recommended to split loads between teams. A very common scenario is:
- the user provisioning team is in charge of creating and deleting users
- the Service Desk team is in charge of resetting passwords and unlocking user accounts
- Human […]
What should be delegated?
What should be delegated? As with the previous question, this is quite hard to answer individually. The simplest, easiest, most common and worst thing we can do is to assign Administrator rights. We must completely ignore this approach, as it is not even an option. What we must identify is which specific action is happening on the directory, and whether it matches […]
To whom do I need to delegate?
To whom do I need to delegate? Well, this is a very generic and difficult question to answer, or at least it is without several more questions following it. We need to identify every person who makes a change within Active Directory, excluding of course typical standard changes such as “changing my own password”. In smaller scenarios a […]
Do I need to delegate authority?
Do I need to delegate authority? YES. 99% of AD implementations do need to delegate authority, even if a small team is administering the environment. The exception to the rule might be when ONLY 1 administrator is in place and he is solely using the physical AD console (keyboard and screen physically attached to the server within the server room) […]