The world's most trusted forum on Active Directory Security
Hi All. I would like to know if there are any delegation related enhancements in Windows Server 2008 Active Directory.
We have a medium sized Active Directory deployment, all Windows Server 2003, and over the years we have done a fair amount of administrative delegation in our environment, predominantly related to account and group management in our OUs.
The problem is that while Active Directory is very easy to delegate access in quite precisely, it's not half as easy to find out who is delegated what access. As a result, while we have quite a few delegations implemented, we're not sure we know who is delegated what access.
It is turning out to be very difficult and time-consuming to try and find this out on every single object in our Active Directory, so we would like to know if there are any enhancements in Windows Server 2008 AD in this area?
If so, I would like to recommend to my management to consider moving to Windows Server 2008. If not, then I'm afraid we're stuck with a huge problem, that really is one that Microsoft ought to make easier to solve for us.
Your input is appreciated.
My little blog on Active Directory Delegation Tools
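One way to start answering "who is delegated what" without a third-party tool is to inventory the explicit ACEs on every OU. The script below is an added example, not code from any poster in this thread, from Microsoft, or from Paramount Defenses. It assumes the RSAT ActiveDirectory PowerShell module (shipped with Windows Server 2008 R2; Windows Server 2003/2008 DCs need the Active Directory Management Gateway Service for it to talk to them), read access to the schema and configuration partitions, and an output file name of .\ou-delegations.csv, which is my choice.

```powershell
# Added example: list every explicit (non-inherited) ACE on every OU in the domain and
# resolve the ObjectType / InheritedObjectType GUIDs to schema and extended-right names,
# so the report reads "Helpdesk: WriteProperty on pwdLastSet for user objects" instead of GUIDs.
Import-Module ActiveDirectory

$rootDse = Get-ADRootDSE

# Build a GUID -> name lookup from the schema (attributes, classes, property sets)
# and from the Extended-Rights container (Reset Password, Replicating Directory Changes, ...).
$guidMap = @{}
Get-ADObject -SearchBase $rootDse.SchemaNamingContext -LDAPFilter '(schemaIDGUID=*)' `
    -Properties name, schemaIDGUID |
    ForEach-Object { $guidMap[[guid]$_.schemaIDGUID] = $_.name }   # schemaIDGUID is a byte[]
Get-ADObject -SearchBase "CN=Extended-Rights,$($rootDse.ConfigurationNamingContext)" `
    -LDAPFilter '(rightsGuid=*)' -Properties name, rightsGuid |
    ForEach-Object { $guidMap[[guid]$_.rightsGuid] = $_.name }     # rightsGuid is a string

function Resolve-AceGuid {
    param([guid]$Guid)
    if ($Guid -eq [guid]::Empty)     { return 'All' }             # ACE applies to the whole object
    if ($guidMap.ContainsKey($Guid)) { return $guidMap[$Guid] }
    return $Guid.ToString()                                       # unknown GUID: leave it visible
}

# Walk every OU; keep only ACEs set directly on the OU (inherited ones come from a parent,
# so they are reported where they were actually granted).
$report = foreach ($ou in Get-ADOrganizationalUnit -Filter *) {
    $acl = Get-Acl -Path ("AD:\" + $ou.DistinguishedName)
    foreach ($ace in ($acl.Access | Where-Object { -not $_.IsInherited })) {
        [pscustomobject]@{
            OU              = $ou.DistinguishedName
            Identity        = $ace.IdentityReference.Value
            Type            = $ace.AccessControlType              # Allow / Deny
            Rights          = $ace.ActiveDirectoryRights          # e.g. WriteProperty, ExtendedRight
            AppliesTo       = Resolve-AceGuid $ace.ObjectType         # attribute / property set / extended right
            InheritedObject = Resolve-AceGuid $ace.InheritedObjectType # object class the ACE flows down to
            Inheritance     = $ace.InheritanceType                # None, All, Descendents, ...
        }
    }
}

# Full detail to CSV for review; a per-identity summary on screen to spot who holds the most.
$report | Sort-Object OU, Identity | Export-Csv -Path .\ou-delegations.csv -NoTypeInformation
$report | Group-Object Identity | Sort-Object Count -Descending |
    Select-Object Count, @{ Name = 'Identity'; Expression = { $_.Name } }
```

Two caveats when reading the output. First, the OU default security descriptor puts ACEs for principals such as Account Operators and Pre-Windows 2000 Compatible Access on every OU, so take a baseline of a freshly created OU and subtract those before treating the rest as deliberate delegations. Second, this is an inventory of where rights were granted, not of what any one person can effectively do: inherited ACEs, Deny entries and group nesting all combine on each child object, and resolving that combination accurately is the effective-permissions problem the replies below describe.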
I don't think there are any enhancements in Windows Server 2008 that make finding out who is truly delegated what access in Active Directory easy.
In fact, I think the absence of this ability is one of the biggest deficiencies in Active Directory, because it leaves us all in the dark as to knowing who really has what access in Active Directory.
It seems like Microsoft did an awesome job at making it so easy to precisely delegate administrative access, but completely missed the other side of the coin, which is to make it even a little easy to find out who is really delegated what access.
I mean, sure Microsoft offers the Effective Permissions Tab but Microsoft also readily concedes that this cannot be relied upon as it is not completely accurate. Now, when it comes to security, what good is partially accurate? IT admins need fully accurate insight, not partially accurate guesses.
There are so many companies that use Active Directory, and I'm sure they've all been delegating access in Active Directory since it's been around, so I wonder how they must be finding out who is really delegated what access.
It is rather unfortunate that such an important capability is completely absent in Active Directory.
I'm not sure if this can be counted as a delegation enhancement, but Microsoft introduced a new Protection from Accidental Deletion feature that basically helps us not shoot ourselves in the foot by accidentally deleting OUs and user accounts etc.
I suppose one could call it a delegation enhancement although in reality that would be stretching it. I just thought I'd mention it as it is a new feature in Windows Server 2008.
You're very right in pointing out that Microsoft did an awesome job at making it so easy to precisely delegate administrative access, but completely missed the other side of the coin, which is to make it even a little easy to find out who is really delegated what access.
You are also correct that the Effective Permissions capability in Active Directory has many accuracy issues and thus cannot be relied upon.
One of Microsoft's biggest strengths is its HUGE partner ecosystem, which consists of thousands of organizations across the world, and it is this partner ecosystem that helps Microsoft's customers fulfill deficiencies in Microsoft's offerings.
In regards to the issue of Active Directory not offering the ability to find out Who is Delegated What Access in Active Directory or who has what Effective Permissions in Active Directory, one of Microsoft's partners has delivered on this ability and solved this important problem for all of Microsoft's customers.
The name of this partner is Paramount Defenses, and their solution is called Gold Finger for Active Directory. Microsoft has endorsed their product and I believe even Microsoft IT uses their solution.
Microsoft is a good company, and while its products may not always be perfect, its partner ecosystem is very good at fulfilling its deficiencies.