Plan for delegated administration
The main reason for delegation of administration is to give specific administrative rights to specific users or groups.
Delegation can be applied within AD DS by configuring access control entries (ACEs) on organisational units; this can be done using the GUI (dsa.msc), dsacls.exe or the PowerShell Active Directory module. Delegation can be configured using the Delegation of Control Wizard, which lets administrators quickly apply delegation for common tasks. Alternatively, you can configure the OU ACEs manually to create more granular and customised delegation. I've blogged previously about AD DS delegation, see here.
Existing delegation configuration can be time consuming to troubleshoot if, for example, the delegation hasn't been recorded in a change control system. In this scenario you can reset the delegated settings to the default. Use dsacls.exe "OU=[Name],DC=[Domain],DC=[Tld]" /resetDefaultDACL, or click Default within the advanced security settings of the OU you wish to reset.
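As an added example (not from the original post) of the manual ACE approach using the PowerShell Active Directory module, the following grants a helpdesk group the Reset Password right on user objects beneath an OU and then lists the OU's explicit ACEs so the delegation can be reviewed against change control. The OU, group and domain names are assumptions; the two schema GUIDs are the well-known values for the Reset Password control access right and the user object class.

```powershell
# Added example: delegate "Reset Password" on user objects in one OU.
# Requires the ActiveDirectory module (RSAT) and rights to modify the OU's DACL.
Import-Module ActiveDirectory

$ouDN  = "OU=Helpdesk Users,DC=example,DC=com"   # hypothetical OU
$group = Get-ADGroup -Identity "HelpdeskOps"      # hypothetical delegate group
$sid   = [System.Security.Principal.SecurityIdentifier]$group.SID

# Well-known schema GUIDs: Reset Password control access right, user object class.
$resetPasswordGuid = [Guid]"00299570-246d-11d0-a768-00aa006e0529"
$userClassGuid     = [Guid]"bf967aba-0de6-11d0-a285-00aa003049e2"

# Build an ACE that applies only to descendant objects of class "user",
# granting the extended right "Reset Password" and nothing else.
$ace = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $sid,
    [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight,
    [System.Security.AccessControl.AccessControlType]::Allow,
    $resetPasswordGuid,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents,
    $userClassGuid)

$acl = Get-Acl -Path "AD:\$ouDN"
$acl.AddAccessRule($ace)
Set-Acl -Path "AD:\$ouDN" -AclObject $acl

# Review step: list the non-inherited ACEs on an OU. These are the entries a
# wizard or manual delegation adds, and the ones /resetDefaultDACL would remove,
# so this is what to compare against the change control record.
function Get-OuDelegation {
    param([Parameter(Mandatory)][string]$DistinguishedName)
    (Get-Acl -Path "AD:\$DistinguishedName").Access |
        Where-Object { -not $_.IsInherited } |
        Select-Object IdentityReference, ActiveDirectoryRights, AccessControlType,
                      ObjectType, InheritedObjectType, InheritanceType
}

Get-OuDelegation -DistinguishedName $ouDN | Format-Table -AutoSize
```

The ObjectType column shows the extended-right GUID, so a reviewer can tell a narrow Reset Password grant apart from a blanket GenericAll entry.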
Group membership delegation
Group membership delegation can be configured by setting the group's Managed By attribute; in Windows Server 2008 the manager can be a group, whereas Windows Server 2003 only allows users or contacts.
Delegation of authentication allows a computer to impersonate a user to access resources. When the domain and forest functional levels are at least Windows Server 2003, computer objects have a Delegation tab; this allows you to trust the computer for delegation to any service using Kerberos, or to specific services only, the latter being known as constrained delegation. An account that has been marked as sensitive cannot be delegated; this should be the configuration applied to administrative accounts.
Role-based Access Control (RBAC)
Microsoft products such as Exchange Server, SQL Server and System Center Operations Manager 2007 R2 have RBAC; this allows you to assign administrative privileges within an application to standard Windows accounts.
Microsoft IIS 7 and 7.5 have configuration delegation functionality, allowing a web site owner or application owner to have full control over their portion of the web server without reducing security.
Authorisation Manager allows developers to create roles and scopes for their applications; applying the principles of role-based access control. Authorisation Manager can use SQL Server databases, AD DS, AD LDS or XML to store the roles, scopes, role membership etc.