
Controlling Delegation of Windows Servers and Active Directory

Derek Melber, Technical Evangelist for the AD Solutions team at ManageEngine and one of only 12 Microsoft Group Policy MVPs in the world, draws on his extensive knowledge of Windows Active Directory security to share the various ways Windows Servers let you manage task delegation by group membership, user rights and permissions, and to point out the limitations of each.


  1. Controlling Delegation of Windows Servers and Active Directory
  2. About Your Speaker
     • Derek Melber, MCSE & MVP (Group Policy and AD)
     • derek@manageengine.com
     • Online Resources
       • ManageEngine “Active Directory” Blog
       • Group Policy Resource Kit – MSPress
     • Windows Security Audit Package Consulting
       • Active Directory/Windows Audit Program
       • Training for efficient auditing
     • Administration Consultant
       • Active Directory and Server Design/Security
       • Active Directory and Group Policy Design
  3. Agenda
     • Delegation Defined
     • Delegation by Group Membership
     • Delegation by User Rights
     • Delegation by Permissions
     • Verifying Group Membership
     • Verifying User Rights
     • Verifying Permissions
     • Breaking Down Delegation Capabilities
  4. Delegation Defined
     • Delegation is granting the ability to manage or control some or all of an object or computer
       • Install and manage software on a server
       • Control services on a server
       • Add a group
       • Change membership of a group
       • Add or remove a user
       • Reset the password for a user
  5. Delegation by Group Membership
     • Default local groups
       • Administrators
       • Backup Operators
       • Power Users
  6. Delegation by Group Membership
     • Default domain groups
       • Domain Admins
       • Administrators
       • Cert Publishers
       • DHCP Administrators
       • DNSAdmins
       • Group Policy Creator Owners
       • Account Operators
       • Backup Operators
  7. Delegation by Group Membership
     • Default forest groups
       • Enterprise Admins
       • Schema Admins
  8. Delegation by Group Membership
     • Application-/Service-based groups
       • Exchange
       • SQL
       • SharePoint
       • VMware
       • Etc.
  9. Delegation by Group Membership
     • Custom admin groups
       • These are groups that are created by administrators in Active Directory
       • These groups are granted elevated privileges through:
         • Group membership
         • User rights
         • Permissions
  10. Delegation by User Rights
     • Computer-wide configurations that control what users can do to/on that computer
     • User rights are unique from computer to computer
     • User rights are configured centrally using Group Policy
       • If not centrally, then local policy configures computer user rights
     • User rights override security permissions
       • i.e., if a user has a deny permission on a folder, they can still back it up with the Backup and Restore user right
  11. Delegation by User Rights
     • User rights are granted using Group Policy
     • Domain Controllers
       • User rights are specially configured by default
       • Default Domain Controllers Policy contains the default user right settings
     • Servers and Workstations
       • No user rights are applied using Group Policy
       • No user rights are applied additionally by joining the domain
       • Local or domain-based Group Policy can alter/increase user right security
  12. Delegation by User Rights
     • High-privilege user rights
       • Shut down the system
       • Force shutdown from a remote system
       • Log on as a batch job
       • Log on as a service
       • Log on locally
       • Act as part of the operating system
       • Back up and restore files and directories
       • Generate security audits
       • Manage auditing and security log
       • Replace a process-level token
       • Synchronize directory service data
       • Take ownership of files or other objects
  13. Delegation by Permissions
     • Permissions control what a user can do to an object
     • Objects include…
       • Files
       • Folders
       • Registry keys
       • Printers
       • Services
       • AD objects
  14. Delegation by Permissions
     • Permissions are also known as
       • Access control list
       • ACL
       • NTFS permissions
     • None of these are the same as Share permissions!
  15. Delegation by Permissions
     • Permissions differ by the object being configured
     • Three levels of permissions can be configured for each object
  16. Verifying Group Membership
     • Incorrect group membership can give too much access
     • Verification options
       • Active Directory Users and Computers
       • Local SAM
       • DumpSec
       • PowerShell/PowerGUI (groups recursive)
       • ADAudit Plus (groups recursive)
  17. Verifying User Rights
     • Incorrect user rights can give too much power
     • Verification options
       • Secpol.msc
       • DumpSec
       • ADAudit Plus
  18. Verifying Permissions
     • Incorrect permissions can give too much access
     • Verification options
       • Screen captures (painful, time consuming, and too large)
       • DumpSec (files and folders)
       • Xcacls, icacls (files and folders)
       • Dsacls (AD objects)
  19. Breaking Down Delegation Capabilities
     • Servers
       • Manage files and folders
       • Manage security logs
       • Install applications
       • Install services
       • Manage services
       • Start and shut down server
       • Manage local users and groups
       • Manage entire server
  21. Breaking Down Delegation Capabilities
     • Active Directory
       • Managing users
       • Managing groups
       • Managing computers
       • Managing Group Policy
       • Managing schema
       • Managing forest-level functions
  22. Summary
     • Delegation Defined
     • Delegation by Group Membership
     • Delegation by User Rights
     • Delegation by Permissions
     • Verifying Group Membership
     • Verifying User Rights
     • Verifying Permissions
     • Breaking Down Delegation Capabilities
  23. Questions? Our gift to you… the link to download the tools! http://www.manageengine.com/products/active-directory-audit/ Thank you!
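Slide 16 lists "PowerShell (groups recursive)" as a way to verify group membership. The script below is an added example, not part of the deck or a ManageEngine tool: it walks the nested membership of the privileged default groups named on slides 5 and 6 and reports each resulting user together with the nesting path that grants the membership, so an unexpected nested group stands out. It assumes the RSAT ActiveDirectory module is installed and the caller can read group membership in the domain.

```powershell
# Added example (not from the deck): expand nested group membership and show
# the path by which each account ends up in a privileged group.
# Assumes the RSAT ActiveDirectory module (Get-ADGroupMember) is available.
Import-Module ActiveDirectory

function Get-EffectiveGroupMembers {
    param(
        [Parameter(Mandatory)] [string]    $GroupName,
        [string[]]  $Path    = @(),     # groups traversed so far
        [hashtable] $Visited = @{}      # shared by reference across recursion
    )
    # Guard against circular nesting (A contains B, B contains A) and avoid
    # expanding the same nested group twice; every account is still listed once.
    if ($Visited.ContainsKey($GroupName)) { return }
    $Visited[$GroupName] = $true
    $currentPath = $Path + $GroupName

    # Non-recursive call on purpose: we recurse ourselves so the path is kept.
    foreach ($member in Get-ADGroupMember -Identity $GroupName) {
        if ($member.objectClass -eq 'group') {
            Get-EffectiveGroupMembers -GroupName $member.SamAccountName `
                                      -Path $currentPath -Visited $Visited
        }
        else {
            [pscustomobject]@{
                Member      = $member.SamAccountName
                ObjectClass = $member.objectClass   # user or computer
                Via         = ($currentPath -join ' -> ')
            }
        }
    }
}

# Review the default privileged groups from slides 5 and 6 one at a time.
# Any entry whose 'Via' column contains a group you did not expect is the
# finding: that nested group silently inherits the parent's delegation.
foreach ($group in 'Domain Admins', 'Administrators',
                   'Account Operators', 'Backup Operators') {
    "==== $group ===="
    Get-EffectiveGroupMembers -GroupName $group |
        Sort-Object Member, Via |
        Format-Table Member, ObjectClass, Via -AutoSize
}
```

Get-ADGroupMember cannot enumerate members that live in a trusting domain or foreign security principals, so on multi-domain forests compare its output against ADAudit Plus or DumpSec as the deck suggests.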
