How to delegate Active Directory tasks for IT defense safely?

Posted March 14th, 2013


Today I want to talk about a specific dilemma: which tasks can you safely delegate to which line of IT defence?

The thing is, in most organizations who may perform a task depends on its security level rather than its complexity. That means relatively simple tasks can only be performed by relatively highly paid or skilled employees, simply because delegating them would pose all kinds of threats to your network environment.

An example: You want your service desk to reset passwords and unlock accounts, both of which are fairly common tasks. In order to accomplish this, your service desk will somehow need access to your Active Directory, and it will need certain rights on your user objects.

So, in order to make your Active Directory available, you either need to grant access to a server on which Microsoft’s ADUC can be started, or you need to install the ADUC plugin onto certain workstations. Then you need to assign the appropriate rights in your AD.

I’m not saying that this cannot be done. In fact, a lot of organizations solve this particular problem in this way. But let’s go through the implications of the different parts of this solution.

- Giving access to a server.

Simply granting Local Admin rights to a server to some or all of your service desk employees will not do, not even if you create a dedicated server. Service desk employees shouldn’t even have local admin rights to their own workstation, let alone a server. So, you will need to restrict their rights to starting an RDP session and starting Microsoft’s ADUC. This is still inherently unsafe, because being able to start an RDP session requires a lot more rights than you want to give away.

- Distributing the ADUC plugin.

Do you want all your service desk employees to be able to perform these tasks? If not, do your employees move around between workstations? You will have to restrict both the installation of and access to the plugin. It is difficult to make sure that your AD is only accessed by the right people.

- Appointing rights.

This can be done with great accuracy. You can either assign individual rights or a set of rights directly (at OU level, for instance) or by way of Security Role Modelling. Still, a mistake is easily made; too many rights are all too easily assigned.
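The "appointing rights" option above is the ACL route: the service desk gets exactly the two rights it needs (reset password, unlock account) on one OU and nothing else. The script below is an added example, not code from the original post and not the vendor's tooling; it uses the stock RSAT ActiveDirectory module on PowerShell 5 or later, and the OU, group and domain names are constructed placeholders. It looks the schema and extended-right GUIDs up in the forest rather than hardcoding them, and ends with a read-back of the OU's ACL so an over-broad entry is visible before anyone uses it.

```powershell
# Added example (not from the original post): delegate only "reset password" and
# "unlock account" on one OU to a service desk group. Names below are constructed.
Import-Module ActiveDirectory

$TargetOu  = "OU=Staff,DC=example,DC=com"   # constructed: OU holding the user objects
$GroupName = "ServiceDesk-PasswordReset"    # constructed: the delegation group
$GroupSid  = (Get-ADGroup -Identity $GroupName).SID

# Resolve GUIDs from the forest we are connected to instead of hardcoding them.
$rootDse = Get-ADRootDSE
function Get-SchemaGuid([string]$LdapDisplayName) {
    $obj = Get-ADObject -SearchBase $rootDse.schemaNamingContext `
        -LDAPFilter "(lDAPDisplayName=$LdapDisplayName)" -Properties schemaIDGUID
    return [Guid]::new([byte[]]$obj.schemaIDGUID)
}
function Get-ExtendedRightGuid([string]$DisplayName) {
    $obj = Get-ADObject -SearchBase "CN=Extended-Rights,$($rootDse.configurationNamingContext)" `
        -LDAPFilter "(displayName=$DisplayName)" -Properties rightsGuid
    return [Guid]$obj.rightsGuid
}

$userClass     = Get-SchemaGuid 'user'
$lockoutTime   = Get-SchemaGuid 'lockoutTime'
$pwdLastSet    = Get-SchemaGuid 'pwdLastSet'
$resetPassword = Get-ExtendedRightGuid 'Reset Password'

$inherit = [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents
$allow   = [System.Security.AccessControl.AccessControlType]::Allow
$rights  = [System.DirectoryServices.ActiveDirectoryRights]

# One ACE per task, each scoped to descendant user objects only.
$aces = @(
    # Reset password is an extended right; this is NOT generic write on the user.
    [System.DirectoryServices.ActiveDirectoryAccessRule]::new(
        $GroupSid, $rights::ExtendedRight, $allow, $resetPassword, $inherit, $userClass),
    # Unlock = clear lockoutTime: read + write on that single attribute.
    [System.DirectoryServices.ActiveDirectoryAccessRule]::new(
        $GroupSid, ($rights::ReadProperty -bor $rights::WriteProperty), $allow, $lockoutTime, $inherit, $userClass),
    # "User must change password at next logon" = write pwdLastSet.
    [System.DirectoryServices.ActiveDirectoryAccessRule]::new(
        $GroupSid, ($rights::ReadProperty -bor $rights::WriteProperty), $allow, $pwdLastSet, $inherit, $userClass)
)

$acl = Get-Acl -Path "AD:\$TargetOu"
foreach ($ace in $aces) { $acl.AddAccessRule($ace) }
Set-Acl -Path "AD:\$TargetOu" -AclObject $acl

# Check: everything the group now holds on this OU. Anything beyond these three
# entries (e.g. GenericAll or an unscoped WriteProperty) is the mistake the text warns about.
(Get-Acl -Path "AD:\$TargetOu").Access |
    Where-Object { $_.IdentityReference -like "*\$GroupName" } |
    Select-Object ActiveDirectoryRights, ObjectType, InheritedObjectType, InheritanceType
```

Run it from an account that owns or has WriteDACL on the target OU, and keep the check at the end as a recurring audit: the ACL is what actually limits the service desk, whichever client they open.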

We have tried to tackle these problems and to take away at least some of the risks involved. Our solution is what we call ‘Dynamic Interfacing’ – allowing for delegation of tasks by offering tailor-made interfaces. This means basically: if you want a certain employee, or group of employees, to perform a certain task, and only that task, then the interface makes only that task available to them when they fire up our tooling — wherever they fire up our tooling.

The methodology is as follows:

- First you create a security group anywhere in your Active Directory.
- Then you add some or all service desk employees as members to this group.
- Then, with ADUC AdminPlus, you convert this group to a profile. This simply means that an existing attribute is used to store ADUC Admin Settings.

Okay, and here’s the trick. The profile settings are implemented on all members of this profile, so that when a member of the profile starts up ADUC AdminPlus anywhere in your network, the interface is adjusted to the profile settings.
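To make the group-to-profile pattern concrete, here is an added example that is not the vendor's code and not part of the original post: it mocks the three steps (security group, members, settings stored on the group) with the stock ActiveDirectory module, then resolves the profile a given user would get. The page does not say which attribute the product uses for its settings, so `info` is used here purely as a stand-in, the JSON layout is invented, and group, OU and account names are constructed.

```powershell
# Added example (not the vendor's code): group -> profile -> effective settings per user.
# 'info' is a stand-in attribute; the real product's storage format is not described on the page.
Import-Module ActiveDirectory

$ProfileGroup = "ServiceDesk-PropertyEdit"         # constructed name
$GroupOu      = "OU=Delegation,DC=example,DC=com"  # constructed OU

# 1. Create the security group (idempotent).
if (-not (Get-ADGroup -Filter "Name -eq '$ProfileGroup'")) {
    New-ADGroup -Name $ProfileGroup -GroupScope Global -GroupCategory Security `
        -Path $GroupOu -Description "Profile: property changes only"
}

# 2. Add the service desk staff (constructed accounts).
Add-ADGroupMember -Identity $ProfileGroup -Members "sd.alice", "sd.bob"

# 3. "Convert" to a profile: store a deny-by-default settings blob on the group.
$settings = [ordered]@{
    Delete = $false; Move = $false; Create = $false; EnableDisable = $false
    ViewSecurity = $false; ExchangeChanges = $false; PropertyChanges = $true
}
Set-ADGroup -Identity $ProfileGroup -Replace @{ info = ($settings | ConvertTo-Json -Compress) }

# 4. Effective profile for a user: the most restrictive combination of every
#    profile group they are a direct member of (a function stays off once any profile turns it off).
function Get-EffectiveProfile {
    param([Parameter(Mandatory)][string]$SamAccountName)
    $profiles = Get-ADPrincipalGroupMembership -Identity $SamAccountName |
        Get-ADGroup -Properties info |
        Where-Object { $_.info -like '{*' }
    $effective = @{}
    foreach ($g in $profiles) {
        $s = $g.info | ConvertFrom-Json
        foreach ($p in $s.PSObject.Properties) {
            if ($effective.ContainsKey($p.Name)) {
                $effective[$p.Name] = $effective[$p.Name] -and [bool]$p.Value
            } else {
                $effective[$p.Name] = [bool]$p.Value
            }
        }
    }
    return $effective
}

Get-EffectiveProfile -SamAccountName "sd.alice"
```

`Get-ADPrincipalGroupMembership` returns direct memberships only; if you nest profile groups, resolve the user's token groups instead. Treat the stored profile as a client-side convenience layer and pair it with an explicit ACL delegation on the OU, since only the ACL holds for a user who opens a different client.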

And what are these settings? You can decide to allow or disallow, and thereby show or hide, just about any functionality in ADUC AdminPlus.

An example. You want a certain group of people to do anything they want with ADUC AdminPlus, except delete objects. So, you create a profile, make these people members of this profile, and then you disable the delete option in their profile. And now, wherever they start up ADUC AdminPlus, and regardless of their rights to your Active Directory, the option to delete an object simply isn’t available to them in ADUC AdminPlus anymore.

You want to disallow moving objects? You want to disallow enabling or disabling objects? You want to disallow viewing security information? You want to make your entire Active Directory Read Only? You want to only make a part of your Active Directory visible and accessible? You want to disallow Exchange changes? You want to disallow the creation of objects? You want to restrict to one domain?

This way you don’t have to install any plugins or give access to any server anymore. You simply create a group, add your service desk employees to that group, convert it to a profile, disallow everything except making property changes, and ask your service desk employees to download the latest ADUC AdminPlus build.

When they fire it up, they can only change certain object properties. Any other functionality simply isn’t available to them. They cannot accidentally delete or move objects, or change or view security settings. That functionality simply isn’t present in the interface.

We have tried to make this as flexible as possible, but if you have specific needs that aren’t currently present, don’t hesitate to contact us or leave a note here, and we’ll try and build it for you ;)

We're a software company based in Amsterdam that focuses on large-scale network management software. aducADMIN+ is our flagship product - but we also manage networks of over 20,000 users.

Vision It has been developing custom software solutions since 2009 and launched aducADMIN+ in 2010 to help us save time and money managing our own networks.

Developing software out of Amsterdam, The Netherlands, with installations in over 50 countries around the globe.
