
Best Practices for Delegating Active Directory Administration

Microsoft Corporation

Created: November 24, 2003


Program Manager: Sanjay Tandon

Writers: Mary Hillman

We thank the following people for their contributions in the creation of the Active Directory Delegation Appendices and the Dsrevoke tool:

Umit Akkus, Nona Allison, Colin Brace, Raman Chikkamagalur, Arren Conner, Raju Dantuluri, Dmitry Dukat, Levon Esibov, Dmitri Gavrilov, Don Hacherl, Saif Hasan, Xin He, David Hou, Gokay Hurmali, Khushru Irani, Kamal Janardhan, Gregory Johnson, Ian Jose, Richa Kumar, Klaas Langhout, William Lees, Xiaozhong Luo, Jaeger Mitchell, Nathan Muggli, Arun Nanda, Rich Randall, Ullattil Shaji, Brett Shirley, Scott Turnbull, Andrea Weiss, Jeff Westhead, and BJ Whalen.

We thank the following people for reviewing the guide and providing valuable feedback:

Laurie Brown, John Craddock, Robert DeLuca, Christoph Felix, Eric Fleischman, Guido Grillenmeier, Mike Hickey, David Kayano, Alain Lissoir, Andreas Luther, Astrid McClean, Paul Rich, Joe Richards, and David Trulli.


Introduction

Chapter 1: Delegation of Administration Overview

Chapter 2: How Delegation Works in Active Directory

Chapter 3: Delegating Service Management

Chapter 4: Delegating Data Management

Case Study: A Delegation Scenario


The Active Directory® directory service is an integral component of network infrastructures that are based on the Microsoft® Windows Server™ 2003, Standard Edition; Windows Server™ 2003, Enterprise Edition; Windows Server™ 2003, Datacenter Edition; and Windows® 2000 Server, Windows® 2000 Advanced Server, and Windows® 2000 Datacenter Server operating systems. Successful management of Active Directory environments requires distribution of administrative responsibilities among multiple administrators according to organizational, operational, legal, and administrative requirements. Having the necessary background information, requirements, practices, and recommendations can help you delegate administration to more securely and efficiently manage Active Directory services and data.


Active Directory provides an enterprise-ready, scalable, distributed directory service that allows organizations to centrally manage and share information about network resources and users, and is at the heart of distributed network security in a Windows Server–based enterprise. Active Directory thus plays a major role in accomplishing the business goals of your organization, and your ability to successfully manage Active Directory has a direct bearing on your ability to accomplish these goals.

Delegation of administration, a key capability of Active Directory, provides a means to successfully manage an Active Directory environment. This document discusses in depth the issues involved in delegating administrative responsibilities, and can help you plan for, implement, and maintain an administrative delegation model that allows secure and efficient management of Active Directory.


This document provides all the information required to create, implement, and maintain a security-conscious and efficient delegation model to manage your Active Directory environments. This information includes an overview of delegation, in-depth explanations of the rationale for delegation, technical descriptions of how delegation works in Active Directory, processes for creating delegation models for both service and data management, the steps needed to implement and maintain the models, and a detailed case study. Appendices to this document provide an exhaustive reference, including a comprehensive list of Active Directory administrative tasks and associated permissions required to delegate every administrative task in Active Directory.

This document does not include Active Directory deployment instructions or recommendations. For information about planning and deploying an Active Directory environment, see Designing and Deploying Directory and Security Services of the Microsoft® Windows® Server 2003 Deployment Kit on the Web at