Are there any delegation enhancements in Windows Server 2008?
Hi All. I would like to know if there are any delegation related enhancements in Windows Server 2008 Active Directory.
We have a medium sized Active Directory deployment, all Windows Server 2003, and over the years we have done a fair amount of administrative delegation in our environment, predominantly related to account and group management in our OUs.
The problem is that while Active Directory is very easy to delegate access in quite precisely, it's not half as easy to find out who is delegated what access. As a result, while we have quite a few delegations implemented, we're not sure we know who is delegated what access.
It is turning out to be very difficult and time-consuming to try and find this out on every single object in our Active Directory, so we would like to know if there are any enhancements in Windows Server 2008 AD in this area?
If so, I would like to recommend to my management to consider moving to Windows Server 2008. If not, then I'm afraid we're stuck with a huge problem, that really is one that Microsoft ought to make easier to solve for us.
I don't think there are any enhancements in Windows Server 2008 that make finding out who is truly delegated what access in Active Directory easy.
In fact, I think the absence of this ability is one of the biggest deficiencies in Active Directory, because it leaves us all in the dark as to knowing who really has what access in Active Directory.
It seems like Microsoft did an awesome job at making it so easy to precisely delegate administrative access, but completely missed the other side of the coin, which is to make it even a little easy to find out who is really delegated what access.
I mean, sure, Microsoft offers the Effective Permissions tab, but Microsoft also readily concedes that this cannot be relied upon as it is not completely accurate. Now, when it comes to security, what good is partially accurate? IT admins need fully accurate insight, not partially accurate guesses.
There are so many companies that use Active Directory, and I'm sure they've all been delegating access in Active Directory since it's been around, so I wonder how they must be finding out who is really delegated what access.
It is rather unfortunate that such an important capability is completely absent in Active Directory.
Nic++
__________________
Bond: There’s a name to die for! (Die Another Day)
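The posts above describe the problem (many delegations, no inventory of them) without showing how to start building that inventory. The script below is an added example, not code from the thread or from Microsoft: it walks every OU in the domain, keeps only the explicit (non-inherited) ACEs, drops the trustees that appear on every object by default, and resolves the attribute, property-set and extended-right GUIDs to names so the output reads as "who / what right / on which attribute". It uses System.DirectoryServices only, so it runs against Windows Server 2003 DCs from any PowerShell host; the default-trustee list and the CSV path are assumptions to tune for your forest. It deliberately does not compute effective permissions (group nesting, deny precedence, inheritance from parents), which is exactly the part Nic++ says no tool does reliably; what it gives you is the list of places where somebody explicitly delegated something.

```powershell
# Added example (not from the thread): inventory explicit ACEs on every OU and name the GUIDs.
# Assumes: read access to ntSecurityDescriptor (default for authenticated users),
# a DC reachable via the current domain, and that .\ou-delegations.csv is a writable path.
$rootDse  = [ADSI]'LDAP://RootDSE'
$domainDn = [string]$rootDse.defaultNamingContext
$schemaDn = [string]$rootDse.schemaNamingContext
$configDn = [string]$rootDse.configurationNamingContext

function Search-Ldap([string]$baseDn, [string]$filter, [string[]]$attrs) {
    $searcher = New-Object System.DirectoryServices.DirectorySearcher([ADSI]"LDAP://$baseDn")
    $searcher.Filter   = $filter
    $searcher.PageSize = 1000                 # paged results: the schema alone has >1500 objects
    $searcher.PropertiesToLoad.AddRange($attrs)
    $searcher.FindAll()
}

# GUID -> name map from the schema (attributes and classes, schemaIDGUID is an octet string)
# and from CN=Extended-Rights (control access rights and property sets, rightsGuid is a string).
$guidNames = @{}
foreach ($r in Search-Ldap $schemaDn '(schemaIDGUID=*)' @('lDAPDisplayName','schemaIDGUID')) {
    $bytes = [byte[]]$r.Properties['schemaidguid'][0]
    $guid  = New-Object System.Guid -ArgumentList (,$bytes)
    $guidNames[$guid.ToString().ToLower()] = [string]$r.Properties['ldapdisplayname'][0]
}
foreach ($r in Search-Ldap "CN=Extended-Rights,$configDn" '(objectClass=controlAccessRight)' @('displayName','rightsGuid')) {
    $guidNames[([string]$r.Properties['rightsguid'][0]).ToLower()] = [string]$r.Properties['displayname'][0]
}
function Resolve-AdGuid([Guid]$guid) {
    if ($guid -eq [Guid]::Empty) { return 'All' }   # empty GUID = whole object / every attribute
    $name = $guidNames[$guid.ToString().ToLower()]
    if ($name) { $name } else { $guid.ToString() }
}

# Trustees that carry ACEs on nearly every object out of the box (assumed list; extend as needed).
# Anything else on an explicit ACE was most likely put there by a delegation.
$defaultTrustees = @('NT AUTHORITY\SYSTEM', 'NT AUTHORITY\SELF', 'NT AUTHORITY\Authenticated Users',
    'NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS', 'Everyone', 'BUILTIN\Administrators',
    'BUILTIN\Account Operators', 'BUILTIN\Print Operators', 'BUILTIN\Pre-Windows 2000 Compatible Access')
$defaultGroupPattern = '\\(Domain Admins|Enterprise Admins|Cert Publishers|Domain Controllers)$'

$report = foreach ($r in Search-Ldap $domainDn '(objectCategory=organizationalUnit)' @('distinguishedName')) {
    $dn  = [string]$r.Properties['distinguishedname'][0]
    $acl = $r.GetDirectoryEntry().psbase.ObjectSecurity
    # includeExplicit=$true, includeInherited=$false: only ACEs set on this OU itself.
    # Ask for SIDs rather than NTAccount so a deleted principal does not abort the whole run.
    foreach ($ace in $acl.GetAccessRules($true, $false, [System.Security.Principal.SecurityIdentifier])) {
        $sid = $ace.IdentityReference
        try   { $who = $sid.Translate([System.Security.Principal.NTAccount]).Value }
        catch { $who = "ORPHANED SID $($sid.Value)" }   # stale ACE left by a deleted account: report it
        if ($defaultTrustees -contains $who -or $who -match $defaultGroupPattern) { continue }
        New-Object PSObject -Property @{
            OU        = $dn
            Trustee   = $who
            Type      = $ace.AccessControlType
            Rights    = $ace.ActiveDirectoryRights
            AppliesTo = Resolve-AdGuid $ace.ObjectType            # attribute / property set / extended right
            InheritTo = Resolve-AdGuid $ace.InheritedObjectType   # object class the ACE flows down to
            Inherit   = $ace.InheritanceType
        }
    }
}

$report | Sort-Object Trustee, OU | Export-Csv -Path .\ou-delegations.csv -NoTypeInformation
$report | Group-Object Trustee | Sort-Object Count -Descending | Format-Table Count, Name -AutoSize
```

Two caveats when reading the CSV. First, an entry with Rights = WriteProperty and AppliesTo = All, or Rights containing GenericAll or WriteDacl, is effectively full control of everything below that OU regardless of what the delegation wizard called it, so sort those to the top. Second, because inherited ACEs are skipped, the report tells you where delegations were granted, not everything a given group can do; to see the latter for one trustee you still have to follow inheritance and group membership by hand, which is the gap the thread is complaining about.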
I'm not sure if this can be counted as a delegation enhancement, but Microsoft introduced a new Protection from Accidental Deletion feature that basically helps us not shoot ourselves in the foot by accidentally deleting OUs and user accounts etc.
I suppose one could call it a delegation enhancement although in reality that would be stretching it. I just thought I'd mention it as it is a new feature in Windows Server 2008.
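To make the feature mentioned above concrete, here is an added example (not code from the thread or from Microsoft) that finds every OU without accidental-deletion protection, turns it on, and then verifies what the checkbox actually writes to the ACL. It assumes the Active Directory module that ships with Windows Server 2008 R2 / RSAT (the Get-AD*/Set-AD* cmdlets and the AD: drive) and an account allowed to modify the OUs' security descriptors.

```powershell
# Added example (not from the thread): audit and enforce "Protect object from accidental deletion".
# Assumes the ActiveDirectory module (2008 R2 / RSAT) and write access to the OUs' DACLs.
Import-Module ActiveDirectory

function Get-UnprotectedOU {
    Get-ADOrganizationalUnit -Filter * -Properties ProtectedFromAccidentalDeletion |
        Where-Object { -not $_.ProtectedFromAccidentalDeletion }
}

# The flag is not a stored attribute. Underneath it is a Deny ACE for Everyone on
# Delete and Delete Subtree (DeleteTree) on the object itself, which is why it also stops
# delegated OU admins and why it has to be cleared before an intentional delete or move.
function Test-DeleteDenyAce([string]$dn) {
    $needed = [System.DirectoryServices.ActiveDirectoryRights]'Delete, DeleteTree'
    $acl = Get-Acl -Path "AD:\$dn"
    [bool]($acl.Access | Where-Object {
        $_.AccessControlType -eq 'Deny' -and
        $_.IdentityReference.Value -eq 'Everyone' -and
        ($_.ActiveDirectoryRights -band $needed) -eq $needed
    })
}

$before = @(Get-UnprotectedOU)
foreach ($ou in $before) {
    Set-ADObject -Identity $ou.DistinguishedName -ProtectedFromAccidentalDeletion $true
    # Print True/False from the ACL check beside each OU so the change is verified, not assumed
    '{0,-6} {1}' -f (Test-DeleteDenyAce $ou.DistinguishedName), $ou.DistinguishedName
}
'Protected {0} OU(s); {1} still unprotected' -f $before.Count, @(Get-UnprotectedOU).Count
```

Because the protection is just a deny ACE, anyone with WriteDacl on the OU (which most delegation wizards hand out more freely than people realise) can remove it, so it guards against mistakes, not against a delegated admin who intends to delete. Also expect Move-ADObject on a protected OU to fail with access denied until the flag is cleared; that is the feature working, not a permissions bug.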