The world's most trusted forum on Active Directory Security
I am interested in learning if there are any security risks associated with delegating administration of an organizational unit. Our company is expanding and we are in the midst of setting up an office in another city.
We anticipate about 30-odd people to be working in this branch, and local management there has requested that an on-site admin be allowed to manage all locally based domain user accounts and computers.
We are thus thinking of creating a new OU for this city and delegating Full Control over the OU to the local admin. Our thinking is that doing so would allow them the ability to manage all the domain user accounts and computers in that OU.
Should this be alright, or should we be delegating administration more precisely (i.e. delegate only individual tasks), or should we be doing something else in addition to ensure that any security risks are minimized?
I would be interested in your thoughts on this issue.
Thank you in advance.
My little blog on Active Directory Delegation Tools
The security risks associated with delegating administration of an organizational unit range from a risk to the compromise of all accounts, groups and computers stored in the OU to the compromise of the entire Active Directory if the OU happens to contain Domain Admin accounts, or a domain admin's workstation or any of the default admin groups.
In general, the risk is that if someone misuses their delegated authority, or if someone compromises the account of a delegated administrator to log in as that delegated admin and then misuses his power, then all objects in that OU on which that delegated admin has access can be compromised.
For example, a disgruntled delegated admin could reset the password of any user in the OU to log in as the user, or he/she could modify the membership of any group in that OU to subsequently grant or deny anyone he wants access to all IT resources protected by that group, or he could modify the Group Policy being pushed out to all computers in the OU to basically compromise the computers very quickly.
Delegation of administration is a powerful feature and it should certainly be used because you want to have as few Domain Admins as possible, but you should also be very careful when delegating administration to ensure that only those people whom you wish to delegate access to are in fact delegated access.
Ideally, you should also verify your delegations at least once a fortnight.
My blog on How to Audit and Report Security in Active Directory
Thank you for sharing your thoughts. They are certainly helpful.
We will certainly be very careful in ensuring that we try to delegate administrative access very carefully in our Active Directory. Luckily, with Active Directory it's easy to delegate access very precisely.
One question I have for you is regarding your suggestion to verify our delegations. I was not able to find any way in Active Directory to verify delegations. I even looked at the Advanced features but I could not find any Verify Delegations Wizard or tool in Active Directory. Am I missing something?
How do I verify delegations in Active Directory?
Thank you for your continued assistance.
I would recommend taking a look at this article. It may be just what you're looking for.
We too faced this problem and for the longest time were using dsacls and other tools to try and verify delegations but that was quite painful. We then came across this tool, and it has been quite helpful in helping us verify and audit delegated access rights in Active Directory.
Good luck to you.
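As an added example (not from this thread or from the tool mentioned above), the following PowerShell script performs the two checks the thread discusses with built-in tooling: it lists the explicit, non-inherited ACEs on an OU (the delegations set there) and flags any protected (adminCount=1) objects living under it. It assumes the RSAT ActiveDirectory module is installed and uses a placeholder OU distinguished name.

```powershell
# Added example: review delegations on an OU and check for privileged objects under it.
# Assumes the RSAT ActiveDirectory module; the OU DN below is a placeholder.
Import-Module ActiveDirectory

$ouDn = 'OU=Branch-City,DC=example,DC=com'   # placeholder, replace with your OU

# 1. Explicit ACEs on the OU itself. Inherited ACEs come from the domain head,
#    so the non-inherited ones are what was delegated on this OU.
$acl      = Get-Acl -Path ("AD:\" + $ouDn)
$explicit = $acl.Access | Where-Object { -not $_.IsInherited }

Write-Host "Explicit ACEs on $ouDn"
$explicit |
    Select-Object IdentityReference, AccessControlType, ActiveDirectoryRights,
                  InheritanceType, ObjectType, InheritedObjectType |
    Format-Table -AutoSize

# 2. Flag Allow ACEs that grant GenericAll (Full Control). An all-zero ObjectType
#    GUID means the right applies to every attribute and every child class.
$genericAll = [System.DirectoryServices.ActiveDirectoryRights]::GenericAll
$fullControl = $explicit | Where-Object {
    $_.AccessControlType -eq 'Allow' -and
    (($_.ActiveDirectoryRights -band $genericAll) -eq $genericAll)
}
foreach ($ace in $fullControl) {
    Write-Warning ("Full Control on {0} granted to {1} (inheritance: {2})" -f
        $ouDn, $ace.IdentityReference, $ace.InheritanceType)
}

# 3. Protected objects under the OU. AdminSDHolder strips inherited ACEs from
#    adminCount=1 objects, so the delegation does not reach them directly, but
#    privileged accounts and groups should not sit in a delegated OU at all.
$protected = Get-ADObject -SearchBase $ouDn -SearchScope Subtree `
    -LDAPFilter '(adminCount=1)' -Properties adminCount, objectClass
if ($protected) {
    Write-Warning "Protected (adminCount=1) objects found under ${ouDn}:"
    $protected | Select-Object DistinguishedName, ObjectClass | Format-Table -AutoSize
} else {
    Write-Host "No protected objects under $ouDn"
}
```

Run it on a schedule (the thread suggests a fortnightly review) and diff the explicit ACE list against the previous run to spot delegations that were added or changed.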
Thank you very much. In the course of trying to figure out who is delegated what access in our Active Directory domain, I learnt a lot about the difficulties involved in doing this, and have also shared what I learnt (i.e. what the difficulties were, and how we solved the problem) here.
Basically, it was not as easy as we thought it might be (i.e. finding out who has what permissions), and although it would have taken us a lot of effort to do this ourselves, that tool you pointed us to ended up saving us a lot of effort, so I just wanted to thank you for your input.