Delegation the proper way

This article describes my battle tested process for setting up delegation.
I use this process anywhere that I need to setup delegation.

In the article I will show how it applies to Active Directory

This delegation model consists of Delegation Groups and Role Groups. These groups are explained in the following sections.

delegate.pngDelegation Group

Delegation groups are named according to the permission that they grant. The permission that it grants can be, but is not limited to, AD permission to do a specific task.

 

Characteristics

  • Can only contain Role Groups
  • Cannot be members of any groups

Some examples of a built-in Delegation Group

  • Domain Administrators
  • Account Operators

Some examples of a custom Delegation Group

  • Password Reset
  • Manage Group Memberships

 

roles.pngRole Group

Role groups should be created based on a specific role that group of people fulfil.

 

These groups are used to add delegation permissions to via delegation groups.This is done by adding the Role group as a member of the delegation groups for the permissions required.

It is worth noting that this delegation is not limited to AD permissions.

 

If the Help Desk supports SharePoint environment, a delegation group with certain SharePoint rights can be created and assigned to the Help Desk role group. This way when a new Help Desk employee starts, it is only required to add a user account to the
Help Desk Role group.

 

Characteristics

  • Can only contain privileged user accounts
  • Can only be member of Delegation Groups

Some examples of a Role Group

  • Help Desk
  • Server Administrators

Benefits

  • No delegation against individual user accounts
  • Reuse of Delegation Groups
  • Easy to manage
  • Quick to determine permissions
  • Uncomplicated to assign correct permissions to an individual based on their function

 

Real world example

Typically help desks will be given delegated permissions to reset passwords. Instead of delegating permissions to various individuals or directly to the help desk group, the following should be done:

 

  1. Create an intermediate group, DG-ResetPassword in this example. This is the delegation group.
  2. Delegate the Reset Password permission to the DG-ResetPassword group.
  3. Add the help desk group role group, RG-HelpDesk in this example, to the DG-ResetPassword delegation group

1.jpg

By utilising this delegation process, all delegation done to role groups is easily visible from the Member Of tab. In the example below, it is easy to see that the role group for Help Desk, RG-HelpDesk, have join domain,
modify group and reset password rights.

 

2.jpgIt also enables the reuse of delegation groups. In the example below, the same delegation group used for Help Desk,
DG-JoinDomain, can be used to assign join domain rights to the Workstation Technician group.

 

3.jpgThe reverse is also true. It is quick to see which groups have a particular permission. In the example below, looking
at the members of the DG-JoinDomain delegation group, it shows which role groups, RG-HelpDesk and RG-WorkstationTechnician in this case, have permissions to join computers to the domain.

 

4.jpg