Planning Distributed Security
The delegation of administrative tasks is a practical necessity in a Windows 2000 enterprise environment. It is common to delegate authority not only to members of the IT group but to human resources personnel and various managers for tasks related to their duties. Delegation distributes the administrator's workload without granting sweeping privileges to every assistant. This is an expression of the security concept of "principle of least privilege," that is, granting only the permissions necessary for the task.
Through various means, Windows 2000 allows you to delegate to groups or individuals a prescribed degree of control over a limited set of objects. The only prerequisite is that the appropriate delegation elements (users, groups, Group Policy objects, files, directories, and so forth) must be in place before delegation can be performed.
Windows 2000 supports delegation of administrative authority through various features, including those listed in the following sections. (Note that some tasks require domain administrator privileges and cannot be delegated.)
These features are described previously in this chapter, and form the mechanisms for the features described in the following paragraphs.
Windows 2000 has predefined security groups (for example, Account Operators and Server Operators) with specific permissions already delegated to each group. Open the Active Directory Users and Computers snap-in to MMC. On the View menu, select Advanced Features; this exposes the Security tab on object property sheets, which is hidden by default. The predefined security groups are in the Builtin and Users folders.
To delegate control of one of these groups directly, open the property sheet of the group and click the Security tab. Add the group's manager to the access control list and grant only the permissions the task requires (for example, Write Members to let the manager maintain membership, rather than Full Control). Note that the permissions on the protected administrative groups (Administrators, Domain Admins, Enterprise Admins, and Schema Admins) are periodically reset from the AdminSDHolder object, so entries added to their access control lists do not persist; delegate on the groups that hold the day-to-day role instead.
Open the Active Directory Sites and Services snap-in to MMC. Right-click a site (or the Sites container) and select Delegate Control. This wizard sets up user or group permissions to administer specific sites and services. An example would be the right to create new remote access accounts.
Open the Active Directory Users and Computers snap-in to MMC. Right-click an organizational unit and select Delegate Control. This wizard grants a user or group permissions over the objects in that organizational unit (users, groups, and computers) by writing the corresponding access control entries to the organizational unit's security descriptor, with inheritance to the objects below it. An example would be the delegated right to create new user accounts. Review the resulting Security tab afterwards: the wizard's "Full Control" and custom-task options can grant far more than the named task needs.
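The two delegations described above (adding a manager to a group's access control list with only the permission needed to maintain membership, and delegating the right to create user accounts in an organizational unit) can be performed and audited from a script as well as from the wizard and the Security tab. The following is an added example, not code from the Windows 2000 documentation. It uses the .NET System.DirectoryServices classes from PowerShell, so it is run from a newer management workstation against the domain rather than on a Windows 2000 machine itself; the domain EXAMPLE, the OU "Sales", the group "Sales-Account-Admins" and the delegate group "HR-Staff" are assumed names for illustration. The schemaIDGUIDs of the user class and the member attribute are the same in every forest and are what scope the access control entries to exactly one object class and one attribute.

```powershell
# Added example (not from the original page): write the same ACEs the Delegate Control
# wizard and the Security tab produce, scoped to a single object class / attribute.
# Assumed names: domain EXAMPLE (example.com), OU "Sales", group "Sales-Account-Admins",
# delegate group "HR-Staff". Run as an account that holds Modify Permissions on the targets.
Add-Type -AssemblyName System.DirectoryServices

# schemaIDGUIDs are constant across forests: class "user" and attribute "member"
$UserClassGuid  = [Guid]'bf967aba-0de6-11d0-a285-00aa003049e2'
$MemberAttrGuid = [Guid]'bf9679c0-0de6-11d0-a285-00aa003049e2'

function Resolve-Sid([string]$Account) {
    # 'EXAMPLE\HR-Staff' -> SecurityIdentifier; an ACE carries a SID, not a name
    (New-Object System.Security.Principal.NTAccount($Account)).Translate(
        [System.Security.Principal.SecurityIdentifier])
}

function Grant-CreateUserObjects {
    # Least privilege: CreateChild limited to objects of class "user", inherited to
    # child OUs, instead of Full Control on the organizational unit.
    param([string]$OuDn, [string]$Account)
    $ou   = [ADSI]"LDAP://$OuDn"
    $rule = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
        (Resolve-Sid $Account),
        [System.DirectoryServices.ActiveDirectoryRights]::CreateChild,
        [System.Security.AccessControl.AccessControlType]::Allow,
        $UserClassGuid,
        [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All)
    $ou.psbase.ObjectSecurity.AddAccessRule($rule)
    $ou.psbase.CommitChanges()
}

function Grant-ModifyMembership {
    # Equivalent of adding the group's manager on the Security tab with "Write Members":
    # WriteProperty on the single attribute "member", no inheritance.
    param([string]$GroupDn, [string]$Account)
    $grp = [ADSI]"LDAP://$GroupDn"
    if ($grp.psbase.Properties['adminCount'].Value -eq 1) {
        # Protected groups have their ACL re-stamped from AdminSDHolder; the
        # delegation would be silently undone, so refuse rather than mislead.
        throw "$GroupDn is AdminSDHolder-protected; delegate on a role group instead"
    }
    $rule = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
        (Resolve-Sid $Account),
        [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty,
        [System.Security.AccessControl.AccessControlType]::Allow,
        $MemberAttrGuid,
        [System.DirectoryServices.ActiveDirectorySecurityInheritance]::None)
    $grp.psbase.ObjectSecurity.AddAccessRule($rule)
    $grp.psbase.CommitChanges()
}

function Get-DelegatedAces {
    # Review step: list explicit and inherited ACEs held by one principal on an object,
    # so the delegation can be checked against what was intended.
    param([string]$Dn, [string]$Account)
    $sid = Resolve-Sid $Account
    $obj = [ADSI]"LDAP://$Dn"
    $obj.psbase.ObjectSecurity.GetAccessRules($true, $true,
            [System.Security.Principal.SecurityIdentifier]) |
        Where-Object { $_.IdentityReference -eq $sid } |
        Select-Object IdentityReference, AccessControlType, ActiveDirectoryRights,
                      ObjectType, InheritanceType, IsInherited
}

# Usage against the assumed objects
Grant-CreateUserObjects -OuDn 'OU=Sales,DC=example,DC=com' -Account 'EXAMPLE\HR-Staff'
Grant-ModifyMembership  -GroupDn 'CN=Sales-Account-Admins,OU=Sales,DC=example,DC=com' `
                        -Account 'EXAMPLE\HR-Staff'
Get-DelegatedAces -Dn 'OU=Sales,DC=example,DC=com' -Account 'EXAMPLE\HR-Staff' |
    Format-Table -AutoSize
```

In the review output, an ObjectType of bf967aba-... on a CreateChild entry confirms the right is limited to user objects; an entry showing GenericAll or an empty ObjectType means the delegate was given more than the task. On a Windows 2000 server itself the same check can be made with the dsacls tool from the Support Tools, which prints the access control list of any directory object given its distinguished name.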
Delegating administration via Group Policy involves the following three tasks, which can be performed together or separately, as your situation requires:
These tasks are described in more depth in "Defining Client Administration and Configuration Standards" in this book.