Delegating Administrative Rights
Anyone who has dealt with delegating rights in Active Directory knows how tedious it can be to work out who should receive which rights.
A domain admin does not have to carry everything alone. Management and administration should be spread across several shoulders.
Here are a few examples of what the roles to be assigned could look like. I compiled these for myself a long time ago.
Account Administrator
- Create user accounts
- Delete user accounts
- Move user accounts
- Reset a user's password
- Unlock user accounts
- Modify user account
- Authorize access to user and group accounts
- Link GPOs to user account OUs
Workstation Administrator
- Create computer accounts
- Delete computer accounts
- Move computer accounts
- Link GPOs to computer account OUs
- Have membership in local Administrators group
- Have permission to control workstation remotely
Server Administrator
- Create computer accounts
- Delete computer accounts
- Move computer accounts
- Link GPOs to computer account OUs
- Have membership in local Administrators group
- Have permission to control workstation remotely
Resource Administrator
- Control access to data
- Control service and service account on server
- Control application on server
Security Group Administrator
- Create security groups
- Modify the membership of security groups
- Delete security groups
Help Desk
- Reset passwords on user accounts
- Unlock user accounts
- Control non-security-related user account properties
Forest Configuration Administrator
- Creating and deleting child domains
- Creating, deleting, and managing all trust relationships for the forest
- Creating, deleting, and managing cross-reference objects
- Transferring and seizing the forest-wide operations master roles
- Raising the forest functional level
Domain Configuration Administrator
- Managing replica domain controllers
- Managing operations master roles
- Managing the default Domain Controllers OU
- Managing the content stored in the System container
- Restoring AD from backup when required
Security Policy Administrator
- Managing Password policy settings
- Managing Account Lockout settings
- Managing Kerberos Policy settings
Service Administrator
- Managing service administration user accounts
- Managing service administration security groups
Domain Controller Administrators
- Managing software
- Managing service packs and security updates
- Managing GPO settings, for both security and control
- Managing event logs
- Managing directory service files and Sysvol
Replication Administrator
- Managing sites
- Managing subnets
- Managing site links and site-link bridges
- Managing the replication schedule and replication interval on site links
- Managing manual site connections
DNS Administrator
- Installing the DNS Server service on domain controllers
- Managing and configuring DNS recursion methods
- Managing forest-wide zones
- Managing DNS application partitions
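As an added example (not part of the original post), this PowerShell script delegates the Help Desk role from the list above to a group on a single OU: reset passwords and unlock user accounts, and nothing more. The group name "HelpDesk-L1" and the OU "OU=Users,OU=Corp,DC=example,DC=com" are assumptions; the GUIDs for the extended right and the attribute are looked up in the directory instead of being hard-coded.

```powershell
# Added example: delegate "Reset password" and "Unlock account" on one OU.
# Assumed names: group HelpDesk-L1, OU=Users,OU=Corp,DC=example,DC=com.
Import-Module ActiveDirectory   # also provides the AD: PSDrive

function Grant-HelpDeskDelegation {
    param(
        [string]$Group    = 'HelpDesk-L1',
        [string]$TargetOU = 'OU=Users,OU=Corp,DC=example,DC=com'
    )
    $rootDse  = Get-ADRootDSE
    $groupSid = [System.Security.Principal.SecurityIdentifier](Get-ADGroup $Group).SID

    # Resolve GUIDs from the directory: the "Reset Password" control access right,
    # the lockoutTime attribute, and the user object class.
    $resetPwdGuid = [guid](Get-ADObject -SearchBase $rootDse.ConfigurationNamingContext `
        -LDAPFilter '(&(objectClass=controlAccessRight)(displayName=Reset Password))' `
        -Properties rightsGuid).rightsGuid
    $lockoutGuid = [guid](Get-ADObject -SearchBase $rootDse.SchemaNamingContext `
        -LDAPFilter '(&(objectClass=attributeSchema)(lDAPDisplayName=lockoutTime))' `
        -Properties schemaIDGUID).schemaIDGUID
    $userClassGuid = [guid](Get-ADObject -SearchBase $rootDse.SchemaNamingContext `
        -LDAPFilter '(&(objectClass=classSchema)(lDAPDisplayName=user))' `
        -Properties schemaIDGUID).schemaIDGUID

    $acl     = Get-Acl -Path "AD:\$TargetOU"
    $allow   = [System.Security.AccessControl.AccessControlType]::Allow
    $inherit = [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents

    # Reset passwords: extended right, scoped to descendant user objects only.
    $acl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
        $groupSid, [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight,
        $allow, $resetPwdGuid, $inherit, $userClassGuid)))

    # Unlock accounts: read/write the lockoutTime attribute on descendant user objects.
    $acl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
        $groupSid, [System.DirectoryServices.ActiveDirectoryRights]'ReadProperty, WriteProperty',
        $allow, $lockoutGuid, $inherit, $userClassGuid)))

    Set-Acl -Path "AD:\$TargetOU" -AclObject $acl

    # Read back the ACEs for the group so the delegation can be reviewed and documented.
    (Get-Acl -Path "AD:\$TargetOU").Access |
        Where-Object { $_.IdentityReference -like "*\$Group" } |
        Select-Object ActiveDirectoryRights, ObjectType, InheritedObjectType, InheritanceType
}

Grant-HelpDeskDelegation
```

Because both ACEs are limited to descendant user objects, the group gains no rights on computers, groups or the OU itself, which keeps the Help Desk role as narrow as the list above describes.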
Of course, all of these administrators must be monitored as well. For that I like to use the tool ADAudit Plus from ManageEngine.
https://www.der-windows-papst.de/2016/09/15/adaudit-plus-datenbank-migration-postgresql-zu-mssql/
Image by Gerd Altmann on Pixabay