This article describes my battle-tested process for setting up delegation.
I use this process anywhere that I need to set up delegation.
In this article I will show how it applies to Active Directory.
This delegation model consists of Delegation Groups and Role Groups. These groups are explained in the following sections.
Delegation groups are named according to the permission that they grant. That permission can be, but is not limited to, an AD permission to perform a specific task.
Characteristics
- Can only contain Role Groups
- Cannot be members of any groups
Some examples of built-in Delegation Groups
- Domain Administrators
- Account Operators
Some examples of custom Delegation Groups
- Password Reset
- Manage Group Memberships
Role groups should be created based on a specific role that a group of people fulfil.
Permissions are granted to these groups via delegation groups: the role group is added as a member of each delegation group that grants a permission the role requires.
It is worth noting that this delegation is not limited to AD permissions.
If the Help Desk supports a SharePoint environment, a delegation group with certain SharePoint rights can be created and assigned to the Help Desk role group. This way, when a new Help Desk employee starts, all that is required is to add their user account to the Help Desk Role group.
Characteristics
- Can only contain privileged user accounts
- Can only be a member of Delegation Groups
Some examples of Role Groups
- Help Desk
- Server Administrators
Benefits
- No delegation against individual user accounts
- Reuse of Delegation Groups
- Easy to manage
- Quick to determine permissions
- Uncomplicated to assign correct permissions to an individual based on their function
Real world example
Typically, help desks are given delegated permissions to reset passwords. Instead of delegating permissions to various individuals or directly to the help desk group, the following should be done:
- Create an intermediate group, DG-ResetPassword in this example. This is the delegation group.
- Delegate the Reset Password permission to the DG-ResetPassword group.
- Add the help desk role group, RG-HelpDesk in this example, to the DG-ResetPassword delegation group.
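The three steps above, as an added PowerShell example rather than the article's own code. It uses the ActiveDirectory module; the OU paths and the group scopes are assumptions for illustration, and the two GUIDs are the well-known Active Directory values for the User-Force-Change-Password extended right and the User object class.

```powershell
# Added example (not from the original article): build the help desk delegation
# described above with the ActiveDirectory module. The OU paths are assumed
# placeholders; replace them for your environment.
Import-Module ActiveDirectory

$targetOu = 'OU=Users,OU=Corp,DC=example,DC=com'   # assumed OU holding the user accounts
$groupsOu = 'OU=Delegation,DC=example,DC=com'      # assumed OU where DG-/RG- groups live

# 1. Create the delegation group (named after the permission it grants) and the role group.
#    Scopes follow the usual AGDLP pattern; the article itself does not prescribe scopes.
New-ADGroup -Name 'DG-ResetPassword' -GroupScope DomainLocal -GroupCategory Security -Path $groupsOu -Description 'Delegation: reset user passwords'
New-ADGroup -Name 'RG-HelpDesk' -GroupScope Global -GroupCategory Security -Path $groupsOu -Description 'Role: Help Desk'

# 2. Delegate the Reset Password extended right on user objects under the OU to DG-ResetPassword.
#    Well-known GUIDs: User-Force-Change-Password extended right and the User object class.
$resetPasswordRight = [guid]'00299570-246d-11d0-a768-00aa006e0529'
$userObjectClass    = [guid]'bf967aba-0de6-11d0-a285-00aa003049e2'

$dg  = Get-ADGroup -Identity 'DG-ResetPassword'
$sid = [System.Security.Principal.SecurityIdentifier]$dg.SID
$acl = Get-Acl -Path "AD:\$targetOu"
$rule = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $sid,
    [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight,
    [System.Security.AccessControl.AccessControlType]::Allow,
    $resetPasswordRight,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents,
    $userObjectClass)
$acl.AddAccessRule($rule)
Set-Acl -Path "AD:\$targetOu" -AclObject $acl

# 3. Add the role group to the delegation group. Individual accounts only ever join RG-HelpDesk,
#    so nothing is delegated against a user account directly.
Add-ADGroupMember -Identity 'DG-ResetPassword' -Members 'RG-HelpDesk'

# Check: what can RG-HelpDesk do? (the "Member Of" view the article describes)
Get-ADPrincipalGroupMembership -Identity 'RG-HelpDesk' | Select-Object -ExpandProperty Name

# Check: which role groups hold the Reset Password delegation?
Get-ADGroupMember -Identity 'DG-ResetPassword' | Select-Object Name, objectClass

# Check: confirm the ACE is present on the OU and granted to the delegation group, not a user
(Get-Acl -Path "AD:\$targetOu").Access |
    Where-Object { $_.ObjectType -eq $resetPasswordRight -and $_.IdentityReference -like '*DG-ResetPassword' }
```

The final check is the one worth repeating periodically: any ACE for this right whose IdentityReference is an individual user rather than a DG- group is a deviation from the model.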
By utilising this delegation process, all delegation done to role groups is easily visible from the Member Of tab. In the example below, it is easy to see that the role group for Help Desk, RG-HelpDesk, has join domain, modify group and reset password rights.
It also enables the reuse of delegation groups. In the example below, the same delegation group used for Help Desk, DG-JoinDomain, can be used to assign join domain rights to the Workstation Technician group.
The reverse is also true. It is quick to see which groups have a particular permission. In the example below, looking at the members of the DG-JoinDomain delegation group shows which role groups, RG-HelpDesk and RG-WorkstationTechnician in this case, have permission to join computers to the domain.