In the Building Admin Area (Tier0) we created most of the objects required on our Admin Area (Tier0). Now we need delegate Admin Area (Tier0) by configuring all required permissions and rights based on the roles defined in our Delegation Mode.
- Semi-Privileged User Management (UM)
- Semi-Privileged Group Management (GM)
- Privileged User Management (PUM)
- Privileged Group Management (PGM)
- Privileged Infrastructure Services Management (PSIM)
- Privileged Access Workstation Management (PAWM)
- Privileged Service Account Management (PSAM)
- Group Policy Management
- Directory Replication
- Infrastructure Administration
- AD Administration
Semi-Privileged User Management (UM)
UM group (User Management) will be able to create and modify Semi-Privileged user objects within this container, but will not have rights over any Privileged user.
Once more a wrapper function is needed. EguibarIT.Delegation PowerShell Module provides CMDlets to delegate User creation(Set-AdAclCreateDeleteUser), Reset user password (Set-AdAclResetUserPassword), Change User Password (Set-AdAclChangeUserPassword), Enable, Disable User (Set-AdAclEnableDisableUser), Unlock User (Set-AdAclUnlockUser), manage Account Restrictions (Set-AdAclUserAccountRestriction) & UserLogonInfo ( Set-AdAclUserLogonInfo). All these CMDlets are wrapped into a single CMDlet called Set-AdAclDelegateUserAdmin. A similar wrapper and supporting functions exist for GAL.
1 2 3 4 5 6 7 8 9 | # Delegation to ADMIN area (Tier 0) Write-Verbose -Message 'Delegate Admin Area...' # Computer objects within this ares MUST have read access, otherwise GPO will not apply # UM - Semi-Privileged User Management Set-AdAclDelegateUserAdmin -Group $SL_UM.SamAccountName -LDAPpath $ItAdminAccountsOuDn Set-AdAclDelegateGalAdmin -Group $SL_UM.SamAccountName -LDAPpath $ItAdminAccountsOuDn |
Semi-Privileged Group Management (GM)
“PGM (Privileged Group Management)” group will be able to create and modify group objects within the groups container.
1 2 3 4 5 6 7 | # Delegation to ADMIN area (Tier 0) Write-Verbose -Message 'Delegate Admin Area...' # GM - Semi-Privileged Group Management Set-AdAclCreateDeleteGroup -Group $SL_GM.SamAccountName -LDAPPath $ItAdminGroupsOuDn Set-AdAclChangeGroup -Group $SL_GM.SamAccountName -LDAPPath $ItAdminGroupsOuDn |
Privileged User Management (PUM)
Only “PUM (Privileged User Management)” group will be able to modify Privileged user objects within this container.
1 2 3 4 5 6 7 8 9 | # Delegation to ADMIN area (Tier 0) Write-Verbose -Message 'Delegate Admin Area...' # Computer objects within this ares MUST have read access, otherwise GPO will not apply # PUM - Privileged User Management Set-AdAclDelegateUserAdmin -Group $SL_PUM.SamAccountName -LDAPpath $ItAdminAccountsOuDn Set-AdAclDelegateGalAdmin -Group $SL_PUM.SamAccountName -LDAPpath $ItAdminAccountsOuDn |
Privileged Group Management (PGM)
1 2 3 4 5 6 7 8 9 10 11 | # Delegation to ADMIN area (Tier 0) Write-Verbose -Message 'Delegate Admin Area...' # PGM - Privileged Group Management # Create/Delete Groups Set-AdAclCreateDeleteGroup -Group $SL_PGM.SamAccountName -LDAPPath $ItPrivGroupsOUDn Set-AdAclCreateDeleteGroup -Group $SL_PGM.SamAccountName -LDAPPath $ItRightsOuDn # Change Group Properties Set-AdAclChangeGroup -Group $SL_PGM.SamAccountName -LDAPPath $ItPrivGroupsOUDn Set-AdAclChangeGroup -Group $SL_PGM.SamAccountName -LDAPPath $ItRightsOuDn |
Privileged Infrastructure Services Management (PSIM)
Take patch management as an example. All servers and computers within “Admin Area”/Tier0 must be regularly patched, but those cannot share the same patching solution as for regular PCs or servers. The patching service must be configured exclusively for this Area/Tier, so all AD objects required for this purpose should be within Admin Area, having the infrastructure part (as it can be the computer object for the patching server) hosted here.
Only “Privileged Infrastructure Services Management” group can create and delete computer objects within this container. Here, once more, got the requirement of a wrapper function. In order to delegate management of a computer, we need to Create/Delete Computers (Set-AdAclCreateDeleteComputer), Reset Computer Password (Set-AdAclResetComputerPassword), Change Computer Password (Set-AdAclChangeComputerPassword), Validated write to DNS host name (Set-AdAclValidateWriteDnsHostName), Validated write to SPN (Set-AdAclValidateWriteSPN), Change Computer Account Restriction (Set-AdAclComputerAccountRestriction), Change DNS Hostname Info (Set-AdAclDnsInfo), Change MS TerminalServices info (Set-AdAclMsTsGatewayInfo), Access to BitLocker & TMP info (Set-AdAclBitLockerTPM), Grant the right to delete computers from default container. Move Computers (Set-DeleteOnlyComputer) and Set LAPS (Set-AdAclLaps). This function is ideal for any container which deals with Computer objects.
1 2 3 4 5 6 7 | # PISM - Privileged Infrastructure Services Management # Create/Delete Computers Set-AdAclDelegateComputerAdmin -Group $SL_PISM.SamAccountName -LDAPPath $ItInfraT0OuDn -QuarantineDN $ItQuarantineOuDn Set-AdAclDelegateComputerAdmin -Group $SL_PISM.SamAccountName -LDAPPath $ItInfraT1OuDn -QuarantineDN $ItQuarantineOuDn Set-AdAclDelegateComputerAdmin -Group $SL_PISM.SamAccountName -LDAPPath $ItInfraT2OuDn -QuarantineDN $ItQuarantineOuDn Set-AdAclDelegateComputerAdmin -Group $SL_PISM.SamAccountName -LDAPPath $ItInfraStagingOuDn -QuarantineDN $ItQuarantineOuDn |
Privileged Access Workstation Management (PAWM)
As part of the administration separation between normal users and admin users, a secure host, or “Privileged Access Workstation”, must exist in order to fully separate a standard computer from the specific privileged machine used for domain privileged maintenance. Each of the defined tiers within this model (Admin/Tier0, Servers/Tier1 & Sites/Tier2) will have its own set of PAWs for administration; is not permitted to share PAWs between Areas/Tiers.
Only “PAW Management” group will be able to create and modify computer objects within this container, and this team is responsible for the maintenance of the mentioned assets. Those assets will be organized on their own sub-ou depending on which tier are assigned to.
As we are speaking of a “Computer” container, the Set-AdAclDelegateComputerAdmin wrapper function can be used.
1 2 3 4 5 6 | # PAWM - Privileged Access Workstation Management Set-AdAclDelegateComputerAdmin -Group $SL_PAWM.SamAccountName -LDAPPath $ItPawT0OuDn -QuarantineDN $ItQuarantineOuDn Set-AdAclDelegateComputerAdmin -Group $SL_PAWM.SamAccountName -LDAPPath $ItPawT1OuDn -QuarantineDN $ItQuarantineOuDn Set-AdAclDelegateComputerAdmin -Group $SL_PAWM.SamAccountName -LDAPPath $ItPawT2OuDn -QuarantineDN $ItQuarantineOuDn Set-AdAclDelegateComputerAdmin -Group $SL_PAWM.SamAccountName -LDAPPath $ItPawStagingOuDn -QuarantineDN $ItQuarantineOuDn |
Privileged Service Account Management (PSAM)
Service account is a security principal with privileges above normal and special granted rights, as it may be the “Logon as a Batch Process” or “Logon as a Service” or “Interact as Part of the OS” but not exclusively; these rights are quite common for Service Accounts, and is used by applications to run properly and execute privileged routines or windows services without user intervention.
Service Accounts are un-personal, so nobody is supposed to choose a password to be used, except for the person who created the Service Account; this is the reason to use a strong convention for passwords of Service Accounts.
A Service Account must:
- Follow the corporate naming conventions
- Have all (within possible) attributes completed (First Name, Last Name, Address, etc.)
- Reside within the corresponding AD container (Service Accounts OU)
- Set the “employeeType” attribute to ServiceAccount
- Use the less privileges as possible
- Be jealously keep
- Use a Very Strong Password
- Not contain name, last name, userID or any other attribute (full or partial) within the password
Following the delegation model, a Security Global Group must be created for each of the tiers, following current naming conventions, in the corresponding container (within the administrative OU tree, on the group container OU) and all service accounts must be part of their corresponding group. If a service account is not member of any of these groups, the required service extended rights (Logon as a Service & Logon as a Batch Job) will not be granted. On the other hand, any user object placed inside of any of these containers will become a Service Account. Only “Privileged ServiceAccount Management” group will be able to create and modify user objects, GroupManagedServiceAccounts and ManagedServiceAccounts.
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 | # PSAM - Privileged Service Account Management - Create/Delete Managed Service Accounts & Standard user service accounts # Managed Service Accounts "Default Container" $parameters = @{ Group = $SL_PSAM.SamAccountName LDAPPath = ('CN=Managed Service Accounts,{0}' -f $AdDn) } Set-AdAclCreateDeleteGMSA @parameters Set-AdAclCreateDeleteMSA @parameters # TIER 0 $parameters = @{ Group = $SL_PSAM.SamAccountName LDAPPath = $ItSAT0OuDn } Set-AdAclCreateDeleteGMSA @parameters Set-AdAclCreateDeleteMSA @parameters Set-AdAclCreateDeleteUser @parameters Set-AdAclResetUserPassword @parameters Set-AdAclChangeUserPassword @parameters Set-AdAclUserGroupMembership @parameters Set-AdAclUserAccountRestriction @parameters Set-AdAclUserLogonInfo @parameters # TIER 1 $parameters = @{ Group = $SL_PSAM.SamAccountName LDAPPath = $ItSAT1OuDn } Set-AdAclCreateDeleteGMSA @parameters Set-AdAclCreateDeleteMSA @parameters Set-AdAclCreateDeleteUser @parameters Set-AdAclResetUserPassword @parameters Set-AdAclChangeUserPassword @parameters Set-AdAclUserGroupMembership @parameters Set-AdAclUserAccountRestriction @parameters Set-AdAclUserLogonInfo @parameters # TIER 2 $parameters = @{ Group = $SL_PSAM.SamAccountName LDAPPath = $ItSAT2OuDn } Set-AdAclCreateDeleteGMSA @parameters Set-AdAclCreateDeleteMSA @parameters Set-AdAclCreateDeleteUser @parameters Set-AdAclResetUserPassword @parameters Set-AdAclChangeUserPassword @parameters Set-AdAclUserGroupMembership @parameters Set-AdAclUserAccountRestriction @parameters Set-AdAclUserLogonInfo @parameters |
Group Policy Management
This container is where all the Group Policy Objects (GPO) reside, no matter to which Tier/Area these objects belong to. By default, the domain Administrator is the owner of these container, thus having full control over all contained objects.
Because of the implied rights the Administration account has, having a solely delegated GPO rights to a group is a must. The GPO Admin group has these rights delegated, acting as a full administrator only within the GPC.
This role is the equivalent as the built-in Administrator but limited only to the mentioned container. This role is able to:
- Create/Delete GPO
- Create/Delete GPLinks
- Manage GPOptions (Inheritance)
1 2 3 4 5 6 7 | # GPO Admins # Create/Delete GPOs Set-AdAclCreateDeleteGPO -Group $SL_GpoAdminRight.SamAccountName # Link existing GPOs to OUs Set-AdAclLinkGPO -Group $SL_GpoAdminRight.SamAccountName # Change GPO options Set-AdAclGPoption -Group $SL_GpoAdminRight.SamAccountName |
Directory Replication
1 2 | # Delegate Directory Replication Rights Set-AdDirectoryReplication -Group $SL_DirReplRight.SamAccountName |
Infrastructure Administration
This group is getting additional permissions within AD. For example, this group is the ONLY group having permissions to Create/Delete Organizational Units, Sites, Subnets, SiteLinks or Transfer FSMO roles.
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 | # Infrastructure Admins # Organizational Units at domain level Set-AdAclCreateDeleteOU -Group $SL_InfraRight.SamAccountName -LDAPPath $AdDn # Organizational Units at Admin area Set-AdAclCreateDeleteOU -Group $SL_InfraRight.SamAccountName -LDAPPath $ItAdminOuDn # Subnet Configuration Container # Create/Delete Subnet Set-AdAclCreateDeleteSubnet -Group $SL_InfraRight.SamAccountName # Site Configuration Container # Create/Delete Sites Set-AdAclCreateDeleteSite -Group $SL_InfraRight.SamAccountName # Site-Link Configuration Container # Create/Delete Site-Link Set-AdAclCreateDeleteSiteLink -Group $SL_InfraRight.SamAccountName # Transfer FSMO roles Set-AdAclFSMOtransfer -Group $SL_TransferFSMOright.SamAccountName -FSMOroles 'Schema', 'Infrastructure', 'DomainNaming', 'RID', 'PDC' |
AD Administration
This group has the permissions to change many of the existing objects, but create/delete is reserved for infrastructure admins.
1 2 3 4 5 6 7 8 9 10 11 12 13 14 | # AD Admins # Domain Controllers management Set-AdAclDelegateComputerAdmin -Group $SL_AdRight.SamAccountName -LDAPPath $DCsOuDn -QuarantineDN $ItQuarantineOuDn # Delete computers from default container Set-DeleteOnlyComputer -Group $SL_AdRight.SamAccountName -LDAPPath $ItQuarantineOuDn # Subnet Configuration Container| # Change Subnet Set-AdAclChangeSubnet -Group $SL_AdRight.SamAccountName # Site Configuration Container # Change Site Set-AdAclChangeSite -Group $SL_AdRight.SamAccountName # Site-Link Configuration Container # Change SiteLink Set-AdAclChangeSiteLink -Group $SL_AdRight.SamAccountName |
After completing the delegation, we can Configure Admin Area (Tier0).
