{"id":623,"date":"2006-08-10T09:17:00","date_gmt":"2006-08-10T09:17:00","guid":{"rendered":"http:\/\/markwilson.me.uk\/blog\/2006\/08\/delegation-of-active-directory.htm"},"modified":"2007-05-15T09:17:15","modified_gmt":"2007-05-15T08:17:15","slug":"delegation-of-active-directory","status":"publish","type":"post","link":"https:\/\/www.markwilson.co.uk\/blog\/2006\/08\/delegation-of-active-directory.htm","title":{"rendered":"Delegation of Active Directory administration (using Quest ActiveRoles Server)"},"content":{"rendered":"

Recently, I’ve been working with a client who has an extraordinarily high number of users with domain administrator rights (i.e. those who are members of the Domain Admins group). The problem is historic and they are in the process of moving from Windows NT to Active Directory (AD); whilst AD allows for delegation of control over objects (although best practice dictates that delegation occurs at organisational unit level), under NT the limit for delegation was the domain.<\/p>\n

In order to reduce the number of Domain Admins, I’ve been producing a delegation model for AD administration<\/a> that is intended to provide a pragmatic balance between the granular control that AD can provide and the access requirements of each support team, yet still remains realistic from a management perspective. One major issue is that, whilst Microsoft provides several-hundred pages of documentation and a delegation of control wizard, there are no native tools to keep track of the objects over which control has been delegated. Consequently it’s often necessary to resort to third party tools.<\/p>\n

One such tool is ActiveRoles Server<\/a> (ARS) from Quest Software<\/a>. Quest inherited this technology with their acquisition of Aelita Software<\/a> (they had previously inherited another product, now known as ActiveRoles Direct<\/a>, when they purchased FastLane Technologies<\/a>). Installed onto a Windows server (which should be secured as any domain controller would be), the current incarnation of the product, uses a SQL Server database for configuration data (rather than schema extensions as some previous products did) and publishes itself as a connection point object<\/a> within AD. The configuration database can be mirrored via SQL replication for redundancy, with one server acting as a publisher and one as a subscriber whilst the connection point model allows for load balancing between the two servers.<\/p>\n

In terms of management, ARS can be administered using a Microsoft management console (MMC) snap-in, a browser interface, or using AD services interface (ADSI). By default, ARS will bind to the first AD domain controller that it finds, although this can be overridden in the management toolset.<\/p>\n

Despite not extending the AD schema, ARS allows additional attributes to be stored for an object. These attributes are placed within the ARS configuration database and can be used for provisioning (e.g. conditional filtering on attributes) or for storing additional information on a user (e.g. staff ID number). Propagation of directory data to other LDAP directories and Microsoft Identity Integration Server<\/a> (MIIS) are supported via Quick Connect for ActiveRoles Server<\/a> and Unix support can be provided using through a support pack for Vintela Authentication Services<\/a>. ARS can also expose attributes that are not normally visible in the standard Active Directory Users and Computers MMC snap-in.<\/p>\n

In order to allow for user rights to be elevated as required, user access is proxied via the ARS service account, which should be given the highest level of permissions that will be allowed (e.g. Domain Admins). This means that all access is via ARS, allowing for auditing and reporting of rights use. Quest’s recommendation is that users are not assigned native rights within Active Directory (beyond the standard read-only permissions given to an authenticated user). In this way, all rights can be managed via ARS (otherwise privileged users could circumvent ARS, avoiding any auditing of their actions); however there is also an option for ARS-delegated rights to be propagated to Active Directory if required.<\/p>\n

Some ARS terminology includes:<\/p>\n