Active Directory Cookbook Blog

Best Practices for Delegating Active Directory Administration Whitepaper 

The highly anticipated Best Practices for Delegating Active Directory Administration Whitepaper is available now. I've only skimmed it so far, but it looks like a great introduction to delegating access in AD. Undoubtedly it is the most thorough treatment of the subject so far.

Contents ii
Introduction 1
Abstract 1
Scope 1
Intended Audience 1

Chapter 1: Delegation of Administration Overview 4
Business Case for Delegating Administration 4
Benefits of Delegation 5
Delegation at Work 6
Active Directory Management 8
Creating a Successful Active Directory Delegation Model 11

Chapter 2: How Delegation Works in Active Directory 18
Overview 18
Active Directory Administrative Tasks 20
Active Directory Logical Structure and Data Storage 21
Delegation and Access Control 25

Chapter 3: Delegating Service Management 46
Level-of-Privilege Considerations in Delegating Service Management 47
Recommended Approach to Service Management 48
Service Management Overview 49
Creating a Service Management Delegation Model 70
Implementing the Service Management Delegation Model 72
Maintaining the Service Management Delegation Model 75

Chapter 4: Delegating Data Management 78
Recommended Approach to Data Management 78
Understanding Data Management 79
Determining Data Management Stakeholder Needs 85
Creating the Data Management Delegation Model 86
Implementing Your Data Management Delegation Model 103
Maintaining Your Data Management Delegation Model 118
Case Study: A Delegation Scenario 123
Company Overview 123
Active Directory Infrastructure 125
Managing Contoso’s Active Directory Environment 129

Best Practices for Delegating Active Directory Administration Appendices 

The Appendices for Delegating AD Administration are an excellent reference even if you don't read the whitepaper.

Here are the contents:

Appendix A: Active Directory Administrative Tasks 1
Appendix B: Default Active Directory Security Groups 43
Appendix C: Active Directory Standard Permissions 65
Appendix D: Active Directory Extended Rights 67
Appendix E: Active Directory Property Sets 87
Appendix F: Logon Rights and Privileges 97
Appendix G: Active Directory Delegation Tools 107
Appendix H: Active Directory Display Name Mappings 125
Appendix I: Default Container Hierarchy for Active Directory Partitions 173
Appendix J: Default Owners of Active Directory Objects 177
Appendix K: Default Settings in the Master Security Descriptor of the AdminSDHolder Object 179
Appendix L: Implementing Service Management Delegation Roles 185
Appendix M: Service Management Delegation Role Definitions 197
Appendix N: Default Active Directory Service Administrator Groups 203
Appendix O: Active Directory Delegation Wizard File 205

New Group Policy FAQ 

There is a new Group Policy FAQ posted to the activedir.org web site. Author: Matty Holland

Security at Microsoft 

This paper describes what the Microsoft Corporate Security Group does to prevent malicious or unauthorized use of digital assets at Microsoft.

NetPro Ships Directory Lockdown 3.0 

Directory Lockdown is an Active Directory security monitoring and intrusion detection solution.

VBScript or Perl? 

In my latest O'ReillyNet article, I discuss an issue that many Windows Sys Admins face.

MS KB Article of the Week: 322692 

HOW TO: Raise Domain and Forest Functional Levels in Windows Server 2003

Relevant AD Cookbook Recipes:
2.12, 2.13, 2.14

Moving users across domains requires targeting the RID Master 

Recently someone asked why their script was failing when trying to move a user across domains. He was using the MoveHere method, but it was failing. The reason is that you have to target the RID masters in both domains when using the MoveHere method to do this. If you are moving objects within a domain, you can use a serverless bind.

Here is example code.
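The following is an added example, not the original post's script or the AD Cookbook's own code: it moves a user between two domains of the same forest with MoveHere, binding both the source object and the destination container through each domain's RID master, which it looks up from the RID Manager$ object. The domain names, user DN and target OU are assumed values.

```vbscript
' Added example (not the original post's script or the AD Cookbook's own code):
' cross-domain MoveHere with both sides bound through their domain's RID master.
' Domain names, the user DN and the destination OU below are assumed values.
Option Explicit

' Returns the DNS host name of the RID master for a domain (given as its DNS
' name) by reading fSMORoleOwner from "cn=RID Manager$,cn=System,<domain>".
Function GetRidMaster(strDomainDns)
    Dim strDomainDN, objRidMgr, objNtds, objServer
    ' e.g. emea.rallencorp.com -> dc=emea,dc=rallencorp,dc=com
    strDomainDN = "dc=" & Replace(strDomainDns, ".", ",dc=")
    ' Using the domain's DNS name as the server part binds to some DC of that domain
    Set objRidMgr = GetObject("LDAP://" & strDomainDns & "/cn=RID Manager$,cn=System," & strDomainDN)
    ' fSMORoleOwner holds the DN of the role holder's NTDS Settings object
    Set objNtds = GetObject("LDAP://" & strDomainDns & "/" & objRidMgr.Get("fSMORoleOwner"))
    ' Its parent is the server object, which carries the DC's dNSHostName
    Set objServer = GetObject(objNtds.Parent)
    GetRidMaster = objServer.Get("dNSHostName")
End Function

' ---- assumed configuration ----
Dim strSrcDomain, strDstDomain, strUserDN, strDstParentDN
strSrcDomain   = "emea.rallencorp.com"
strDstDomain   = "amer.rallencorp.com"
strUserDN      = "cn=jsmith,ou=Sales,dc=emea,dc=rallencorp,dc=com"
strDstParentDN = "ou=Sales,dc=amer,dc=rallencorp,dc=com"
' ---- end configuration ----

Dim strSrcRid, strDstRid, objDstCont
strSrcRid = GetRidMaster(strSrcDomain)
strDstRid = GetRidMaster(strDstDomain)

' Destination container bound through the destination domain's RID master
Set objDstCont = GetObject("LDAP://" & strDstRid & "/" & strDstParentDN)

' The source ADsPath must go through the source domain's RID master as well;
' a serverless bind here only works for moves within a single domain.
' vbNullString keeps the object's existing RDN.
objDstCont.MoveHere "LDAP://" & strSrcRid & "/" & strUserDN, vbNullString

WScript.Echo "Moved " & strUserDN & " to " & strDstParentDN & _
             " (RID masters: " & strSrcRid & " -> " & strDstRid & ")"
```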

Relevant AD Cookbook Recipes:
4.18

Coming soon: AD Delegation of Control Whitepaper 

There has been a lot of buzz about the forthcoming "Delegation of Control" whitepaper that Microsoft is supposed to release near the end of November (approx. Nov 25th). Several of the early reviewers of the paper have commented that it will be a worthwhile read for AD admins. Undoubtedly it will refer to the new dsrevoke.exe tool MS released just a couple of weeks ago.

Tool of the Week: redircmp.exe 

When a user joins a computer to an AD domain by using the System applet or with the netdom command (without the /OU option), the computer account gets created in the default computers container (e.g., cn=Computers,dc=rallencorp,dc=com). The redircmp command lets you redirect the default computers container to another location in the directory tree. This tool comes with Windows Server 2003 and only works against a domain at the Windows Server 2003 functional level.

Type of tool:
Command-line

Where to find it:
%SystemRoot%\System32 on Windows Server 2003

Example:
c:\> redircmp "ou=Rallencorp Computers,dc=rallencorp,dc=com"
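As an added check (not from the original post), this script reads the domain's wellKnownObjects attribute, which is what redircmp rewrites, and reports the container that new computer accounts currently default to; the domain DN is an assumed value.

```vbscript
' Added example (not from the original post): report where new computer
' accounts land by reading the domain's wellKnownObjects attribute, the
' attribute redircmp updates. The domain DN below is an assumed value.
Option Explicit

' Well-known GUID that marks the default computers container
' (the Windows SDK constant GUID_COMPUTRS_CONTAINER_W)
Const COMPUTERS_WKGUID = "AA312825768811D1ADED00C04FD8D5CD"

' Turns an ADSI byte array into an upper-case hex string
Function BytesToHex(arrBytes)
    Dim i, strHex
    strHex = ""
    For i = LBound(arrBytes) To UBound(arrBytes)
        strHex = strHex & Right("0" & Hex(arrBytes(i)), 2)
    Next
    BytesToHex = strHex
End Function

' Returns the DN the domain currently maps to the given well-known GUID,
' or an empty string if no wellKnownObjects entry carries that GUID
Function GetWellKnownDN(strDomainDN, strGuid)
    Dim objDomain, objEntry
    GetWellKnownDN = ""
    Set objDomain = GetObject("LDAP://" & strDomainDN)
    ' wellKnownObjects is multi-valued DN-with-binary: a GUID plus a container DN
    For Each objEntry In objDomain.GetEx("wellKnownObjects")
        If UCase(BytesToHex(objEntry.BinaryValue)) = UCase(strGuid) Then
            GetWellKnownDN = objEntry.DNString
        End If
    Next
End Function

' ---- assumed configuration ----
Dim strDomainDN
strDomainDN = "dc=rallencorp,dc=com"
' ---- end configuration ----

WScript.Echo "New computer accounts default to: " & _
             GetWellKnownDN(strDomainDN, COMPUTERS_WKGUID)
```

Run it before and after redircmp to confirm the redirection took effect; on an unmodified domain it reports the cn=Computers container.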

Relevant Active Directory Cookbook recipes:
8.12

News: Upgrade to Windows Server 2003 or wait? 

A recent news article talked about whether businesses should upgrade to Windows Server 2003 or not. As far as Active Directory goes, I spent a full chapter in Active Directory, 2nd Edition talking about this, but if I had to summarize it into a couple of bullet points, I'd say this:
  • If you are still running NT4, migrate ASAP.
  • If you have a small to mid-size AD deployment and you don't experience any problems, don't bother.
  • If you have a mid to large size AD deployment and have experienced any issues with AD (odds are you have), then you should seriously consider the upgrade.

Why? Because it is a pretty painless process. Fortunately, you can migrate at your own pace. Sure, you have to update the schema, but that is what an extensible schema is for. There are a lot of new tools and features (some documented, some not) that can help out with day-to-day management of AD. If you can use your same hardware, then it is just a matter of adding to the workload of your already overburdened AD staff :-)

Directory Experts Conference Spring 2004

If you are a senior AD administrator or developer and you have a lot to say on the topic of AD, submit a paper for the upcoming DEC Spring '04. I recommended that they start doing this a year or so back to give more people a shot at speaking at the conference. I spoke at the last 4 DECs and it was a great experience. The other speakers, as well as the attendees, have a very high level of expertise, which means everyone learns something. I do every time.

Disabling ALL anonymous access to AD

There was a recent post from someone about wanting to disable ALL anonymous access, including to the Root DSE. It is of course possible to disable anonymous access to AD in general (this behavior changed a bit in W2K3, see Recipe 14.3), but not to the Root DSE. At first, I thought anonymous access to the Root DSE was required per the LDAP v3 spec, but after further review, it doesn't say that anonymous access MUST be allowed. Most directory vendors I'm familiar with allow anonymous access to the Root DSE and it has always been like that with AD. I just checked an OpenLDAP server and you can restrict access to it by IP or user/group. I tried to see if I could set security on the AD RootDSE using ADSI Edit and LDP, but to no avail.

This brings up an interesting question. Does allowing anonymous access to the RootDSE present a security risk? In my opinion, it could, depending on the environment. If I had access to a company's intranet where AD was running, all I'd need is the name of a single AD domain controller and I could tell you a bit about the forest structure, whether they were running W2K or W2K3, and various other tidbits. I may even be able to map out the entire forest if I could figure out server naming conventions. I don't think this is so important when we talk about intranets, which are typically semi-secured, but the Root DSE would be a treasure chest of information if you are running AD in an outward facing role.

Relevant AD Cookbook Recipes:
4.1. Viewing the RootDSE
14.3. Enabling anonymous LDAP access

New AD Tool: DSREVOKE.EXE

Microsoft just released a new tool called dsrevoke.exe. It allows you to search through the ACLs in a domain to find any occurrence of a particular security principal (e.g., user or group). You can also restrict the search to a particular OU (thankfully). When I first heard of the tool I thought: "cool, but I bet it is slow." It turns out that it is not that bad, especially if you target your search at a specific OU or container.

Microsoft created this tool in response to repeated complaints from customers about the lack of an "undo" option for the Delegation of Control wizard. While dsrevoke doesn't quite fit that bill, it can help (using the /remove option).

Here is the complete syntax for the command:

Usage: dsrevoke /report|/remove [/domain:] [/username:]
[/password:|*] [/root:] <securityprincipal>

/report: Only reports the ACEs that have been set for the given
principal on all domain and OU objects under root

/remove: Reports and then removes (after confirmation) the aces
for the given principal

/domain: Dns OR Netbios name of domain
(must be specified when <securityprincipal> is in domain other
than default or if alternate credentials are provided)

/username: Username if alternate credentials must be specified

/password: * will prompt for password

/root: Root OU to start search for ACEs. If not specified will
default to the specified domain's default naming context (The
root domain or OU must be specified using x500 format; if the
dn must include spaces enclose the option in quotes,e.g. "/root:..")

<securityprincipal>: Domain\User or Domain\Group for the security
principal being looked up

Welcome to the Active Directory Cookbook blog!

I wanted to join all the blogging fun so I'm starting this weblog. Hopefully people will find it useful. I intend to cover all things AD.
