Today I’m going to talk a little more about delegating Active Directory administration to end users, or at least to people who are not AD admins. We get a lot of questions along the following lines:
“We have a thousand end users, distributed over twenty different departments. Each department has its own public folder on our file servers. Whenever someone needs access to that public folder, or a sub folder, a call is made to our service desk, and someone from IT has to add a user to a security group. That work amounts to some X hundred calls a year, and worse, it’s prone to delays and errors. Do you offer a way to delegate this work to the department itself, but in a safe and straightforward way?”
Ehhh, yeah. Or better still, yes, we do!
Let’s break this question down a bit. What you want in this case is:
Here’s how to accomplish this with ADUC Admin Plus, for, say, department ‘Sales’:
That’s all there is to it. The result:
- Only the department admin can start ADUC Admin Plus (make sure, by the way, that you yourself are also a member of a profile, or you too will no longer be able to start ADUC Admin Plus from anywhere on your network).
- When the department admin starts ADUC Admin Plus, he or she sees only the subtree of the Organizational Unit ‘Sales’.
- Within that subtree, the department admin can only view group memberships, and the only change he or she can make is to those memberships.
So, not only can you safely delegate access management for your public folders to each department, there are three further advantages:
NO CLIENT INSTALLATION
Because our tools are single executables that do not have to be installed, you don’t have to roll out a client application to the workstations of your department admins. You also don’t have to install and maintain a (web) application to give your department admins access to your Active Directory. You simply provide the executable itself, or the download URL, to your department admins, and you’re up and running.
ROLLBACK OF MODIFICATIONS
All changes made to your Active Directory by department admins are logged to an event log of your choice, and can be rolled back from that log, by you or, if you allow it, by the department admins themselves.
INTERFACE IS ADJUSTED, NOT AD SECURITY
When implementing the scheme above, no changes are made to the security of your Active Directory. The only thing you are doing is restricting the interface and functionality of ADUC Admin Plus itself. In other words, if a department admin has the AD right to change, say, the ‘Description’ property, he or she can still change that property with any other tool; ADUC Admin Plus just no longer offers the option.
The profile therefore governs only what a user can do inside ADUC Admin Plus, while the Active Directory ACLs govern what the account can actually do. Even if you make a department admin Domain Admin by mistake, he or she can still change only what is presented in ADUC Admin Plus, but nothing stops him or her from using another tool. So, if you disable the option to delete objects, he or she can still delete objects elsewhere; the option simply won’t be available in ADUC Admin Plus. That is why we strongly advise always trimming the rights you grant anyone on your AD to the minimum the task needs: for this scheme, the right to change membership of the groups in the department’s OU, and nothing more.
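The AD side of that trimming, as an added example that is not part of the original article and not code from Vision It or ADUC Admin Plus: it grants a department-admin group only the right to write the ‘member’ attribute of group objects beneath the Sales OU, and then reads the ACL back to check what was granted. The OU name ‘Sales’, the group name ‘Sales Department Admins’ and the domain are assumptions; the rest uses the standard ActiveDirectory module and .NET DirectoryServices types.

```powershell
# Added example (not from the original article or from ADUC Admin Plus).
# Delegate only "write member" on group objects under OU=Sales to a
# department-admin group, so the account's effective AD rights match the
# single action the tool profile exposes. Names are assumptions.

Import-Module ActiveDirectory

$Domain      = Get-ADDomain
$SalesOU     = "OU=Sales,$($Domain.DistinguishedName)"   # assumed OU
$DelegateGrp = "Sales Department Admins"                  # assumed group

# The principal receiving the right, as a SID.
$delegateSid = (Get-ADGroup -Identity $DelegateGrp).SID

# An object-type-specific ACE needs two schema GUIDs: the 'member'
# attribute (what may be written) and the 'group' class (on which objects).
$schemaNC   = (Get-ADRootDSE).schemaNamingContext
$memberGuid = [Guid](Get-ADObject -SearchBase $schemaNC `
                  -LDAPFilter "(lDAPDisplayName=member)" `
                  -Properties schemaIDGUID).schemaIDGUID
$groupGuid  = [Guid](Get-ADObject -SearchBase $schemaNC `
                  -LDAPFilter "(lDAPDisplayName=group)" `
                  -Properties schemaIDGUID).schemaIDGUID

# Allow WriteProperty on 'member', inherited only by descendant group
# objects (Descendents, not This object or user/computer objects).
$ace = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $delegateSid,
    [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty,
    [System.Security.AccessControl.AccessControlType]::Allow,
    $memberGuid,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents,
    $groupGuid
)

# Apply the ACE to the OU via the AD: PSDrive the module provides.
$aclPath = "AD:\$SalesOU"
$acl = Get-Acl -Path $aclPath
$acl.AddAccessRule($ace)
Set-Acl -Path $aclPath -AclObject $acl

# Check: every ACE the delegate group now holds on the OU. Expect exactly
# one entry, WriteProperty, ObjectType = member GUID, InheritedObjectType =
# group GUID, InheritanceType = Descendents. Anything broader is a finding.
(Get-Acl -Path $aclPath).Access |
    Where-Object { $_.IdentityReference -like "*\$DelegateGrp" } |
    Select-Object IdentityReference, ActiveDirectoryRights, AccessControlType,
                  ObjectType, InheritedObjectType, InheritanceType
```

Run it once per department OU with an account that can modify the OU’s ACL. The verification step at the end is the part worth keeping in a scheduled job: if a department-admin group ever shows up with GenericAll, WriteDacl or an empty ObjectType on the OU, the tool profile is no longer the only thing standing between that group and the rest of the subtree.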
Vision It has been developing custom software solutions since 2009 and launched aducADMIN+ in 2010 to help us save time and money managing our own networks.
Vision It develops software out of Amsterdam, The Netherlands, with installations in over 50 countries around the globe.