Delegation Model – Admin Area or Tier0

The Delegation Model – Admin Area or Tier0 will host all objects required by the delegation model to operate as described in this design. It is the container holding all the objects needed for domain administration, regardless of the Area/Tier they belong to. This includes:

  • the Built-In Administrator account
  • the privileged groups (such as Domain Admins or Enterprise Admins)
  • all users/groups used to delegate rights and administrative tasks
  • all service accounts, etc.

This area, meaning this OU sub-tree, is effectively Tier0.

All the domain administration and delegation, while having a well-defined and organized structure, will live in this area, managed and maintained by the infrastructure owners. We will achieve this by sub-dividing the objects into functional containers. This area should be as restrictive as possible while still allowing the required operations.

Purpose

This OU (Delegation Model – Admin Area or Tier0) consolidates and secures all privileged identities while delegating tasks and rights to each of the objects of the domain.
As a starting point, the first-level OU (called the Admin OU in this document, being the equivalent of Tier0) has to be secured. We do this by modifying the access control lists (ACLs) of the OU. Modifying the default inheritance is a must, and the legacy compatibility groups must be removed. Additionally, the standard operational groups must be removed as well. We then create other groups for the specific and secured operation of this area.

Once we create and secure the “root”, we must define additional sub-containers for the proper management of the environment. These containers should include Users, Groups, Service Accounts, Management Computers and the redirected User and Computer containers. When deciding the number of sub-containers, we have to keep it as simple as possible while still meeting our goals. If our goal can be fulfilled with a single OU, then adding additional containers will barely help, but will make our operational costs higher and will jeopardize our security.

Delegation Model - Admin Area or Tier0

Once the root OU exists and is secured, we can create all the required sub-OUs.

The root OU of this area will not inherit the default security of the domain. Instead, the default ACL is copied onto it and the Account Operators and Print Operators entries are removed from the copied Access Control List. All the required sub-OUs are then created, with inheritance enabled from the custom ACL just mentioned. Auditing must be enabled and implemented for every object within this area. Only Infra Admins have the right to create and delete OUs within the domain.

After the creation of the sub-OUs, additional groups must be created within their corresponding container. Some of these groups will have the delegated ability to manage objects in this area.
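The procedure just described (break inheritance on the root OU while keeping a copy of the inherited ACEs, purge the Account Operators and Print Operators entries, enable auditing, then create the inheriting sub-OUs and redirect the default containers), as an added PowerShell example that is not part of the original design document. It assumes the ActiveDirectory RSAT module, a session holding Domain Admin rights on a domain controller (needed to write the SACL and to run redirusr/redircmp), and the hypothetical OU name Admin and sub-OU names below; adjust them to your naming standard.

```powershell
# Added example, not from the original design document: secure the Admin Area / Tier0 root OU.
# Assumptions: ActiveDirectory module available, Domain Admin rights, hypothetical OU names.
Import-Module ActiveDirectory

$domainDN    = (Get-ADDomain).DistinguishedName
$adminOuName = 'Admin'                               # hypothetical name of the Tier0 root OU
$adminOuDN   = "OU=$adminOuName,$domainDN"

# 1. Create the root OU if it is missing and protect it from accidental deletion.
if (-not (Get-ADOrganizationalUnit -LDAPFilter "(ou=$adminOuName)" -SearchBase $domainDN -SearchScope OneLevel)) {
    New-ADOrganizationalUnit -Name $adminOuName -Path $domainDN -ProtectedFromAccidentalDeletion $true
}

# 2. Break inheritance, copying the currently inherited ACEs so nothing is lost, then purge
#    the legacy operator groups that the default domain security grants rights to.
$acl = Get-Acl -Path "AD:\$adminOuDN" -Audit
$acl.SetAccessRuleProtection($true, $true)           # isProtected = $true, preserveInheritance = $true (copy)
foreach ($legacy in 'BUILTIN\Account Operators', 'BUILTIN\Print Operators') {
    $identity = New-Object System.Security.Principal.NTAccount($legacy)
    $acl.PurgeAccessRules($identity)                 # removes every ACE held by that principal
}

# 3. Audit (SACL) every successful and failed change of permissions or ownership on the sub-tree.
$everyone  = New-Object System.Security.Principal.SecurityIdentifier('S-1-1-0')
$rights    = [System.DirectoryServices.ActiveDirectoryRights]::WriteDacl -bor
             [System.DirectoryServices.ActiveDirectoryRights]::WriteOwner
$flags     = [System.Security.AccessControl.AuditFlags]::Success -bor
             [System.Security.AccessControl.AuditFlags]::Failure
$auditRule = New-Object System.DirectoryServices.ActiveDirectoryAuditRule(
    $everyone, $rights, $flags,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All)
$acl.AddAuditRule($auditRule)
Set-Acl -Path "AD:\$adminOuDN" -AclObject $acl

# 4. Create the functional sub-containers; they inherit the custom ACL just written on the root.
$subOUs = 'Users', 'Groups', 'Service Accounts', 'Management Computers',
          'Redirected Users', 'Redirected Computers'              # hypothetical names
foreach ($sub in $subOUs) {
    if (-not (Get-ADOrganizationalUnit -LDAPFilter "(ou=$sub)" -SearchBase $adminOuDN -SearchScope OneLevel)) {
        New-ADOrganizationalUnit -Name $sub -Path $adminOuDN -ProtectedFromAccidentalDeletion $true
    }
}

# 5. Redirect the default Users and Computers containers so new objects never land in the
#    unmanaged CN=Users / CN=Computers containers.
redirusr.exe "OU=Redirected Users,$adminOuDN"
redircmp.exe "OU=Redirected Computers,$adminOuDN"

# 6. Verify: no Account Operators / Print Operators ACE may remain on the root OU.
$remaining = (Get-Acl -Path "AD:\$adminOuDN").Access |
    Where-Object { $_.IdentityReference -like 'BUILTIN\*Operators' }
if ($remaining) {
    Write-Warning "Legacy operator ACEs still present: $($remaining.IdentityReference -join ', ')"
} else {
    Write-Output "Root OU $adminOuDN secured: no Account/Print Operators ACEs remain."
}
```

The verification step is the part to keep in a scheduled job: inheritance being re-enabled on this OU, or an operator group reappearing in its DACL, is exactly the drift that undoes the Tier0 boundary and should raise an alert rather than be silently accepted.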

Global Groups of the Delegation Model

Security Principal          Description
SG_InfraAdmins              Full rights on all Active Directory infrastructure
SG_ADAdmins                 Partial rights on all Active Directory infrastructure
SG_T0SA                     Service Account for Tier 0 / Admin Area
SG_T1SA                     Service Account for Tier 1 / Servers Area
SG_T2SA                     Service Account for Tier 2 / Sites Area
SG_Tier0Admins              Administrators group for Tier 0 / Admin Area
SG_Tier1Admins              Administrators group for Tier 1 / Servers Area
SG_Tier2Admins              Administrators group for Tier 2 / Sites Area
SG_DfsAdmin                 Full Rights to administer DFS
SG_GpoAdmin                 Full Rights to administer GPO
SG_PkiAdmin                 Full Rights to administer CA
SG_PkiTemplateAdmin         Full Rights to administer CA Templates
SG_AllGalAdmins             Delegated limited general rights on all sites
SG_AllSiteAdmins            Limited general rights on all sites
SG_Operation                Limited rights on all Servers
SG_ServiceDesk              Password rights and SG_AllGalAdmins rights on all sites
SG_ServerAdmin              Full administrative rights on servers
SG_GlobalGroupAdmin         Full group administrative rights on all sites
SG_GlobalUserAdmin          Full user administrative rights on all sites
SG_GlobalPcAdmin            Full computer administrative rights on all sites


Domain Local Groups of the Delegation Model

Security Principal          Description
SL_InfraRights              Delegated full rights to all AD infrastructure
SL_AdRights                 Delegated partial rights to all AD infrastructure
SL_PUM                      Rights for Privileged User management
SL_PGM                      Rights for Privileged Group management
SL_PISM                     Rights for Privileged Infrastructure management
SL_PAWM                     Rights for Privileged Access Workstation management
SL_DirReplRights            Rights for Privileged Directory Replication
SL_PkiRights                Rights for Privileged Public Key Infrastructure management
SL_PkiTemplateRights        Rights for Privileged Public Key Infrastructure Template management
SL_DfsRights                Rights for Privileged DFS management
SL_GpoAdminRights           Rights for Privileged GPO management
SL_UM                       Rights for User Management
SL_GM                       Rights for Group Management
SL_PSAM                     Rights for Service Account Management
SL_InfrastructureServers    Rights for ALL Infrastructure Servers
SL_PAWs                     Rights for ALL PAWs
SL_SvrAdmRight              Rights for server management
SL_SvrOpsRight              Rights for server operation management
SL_GlobalAppAccUserRight    Rights for Global Application Access Users
SL_GlobalGroupRight         Rights for Global Group Management
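The two tables above, provisioned as an added PowerShell example that is not part of the original design document. It assumes the ActiveDirectory module, a hypothetical container OU=Groups,OU=Admin,<domain> inside the Admin Area, and, as a design assumption the tables only imply through their names, AGDLP nesting of each SG_ role group into the SL_ rights group of the same function. A representative subset of the rows is listed; the remaining rows are added to the same hashtables.

```powershell
# Added example, not from the original design document: create the delegation-model groups.
# Assumptions: ActiveDirectory module, hypothetical Groups container, SG_ = Global, SL_ = Domain Local.
Import-Module ActiveDirectory

$domainDN = (Get-ADDomain).DistinguishedName
$groupOU  = "OU=Groups,OU=Admin,$domainDN"       # hypothetical container inside the Admin Area / Tier0

# Representative subset of the Global (SG_) and Domain Local (SL_) groups from the tables;
# extend both hashtables with the remaining rows in the same name = description form.
$globalGroups = [ordered]@{
    'SG_InfraAdmins' = 'Full rights on all Active Directory infrastructure'
    'SG_ADAdmins'    = 'Partial rights on all Active Directory infrastructure'
    'SG_Tier0Admins' = 'Administrators group for Tier 0 / Admin Area'
    'SG_DfsAdmin'    = 'Full Rights to administer DFS'
    'SG_GpoAdmin'    = 'Full Rights to administer GPO'
    'SG_PkiAdmin'    = 'Full Rights to administer CA'
}
$domainLocalGroups = [ordered]@{
    'SL_InfraRights'    = 'Delegated full rights to all AD infrastructure'
    'SL_AdRights'       = 'Delegated partial rights to all AD infrastructure'
    'SL_PAWM'           = 'Rights for Privileged Access Workstation management'
    'SL_DfsRights'      = 'Rights for Privileged DFS management'
    'SL_GpoAdminRights' = 'Rights for Privileged GPO management'
    'SL_PkiRights'      = 'Rights for Privileged Public Key Infrastructure management'
}

function New-DelegationGroup {
    param(
        [Parameter(Mandatory)][string]$Name,
        [Parameter(Mandatory)][string]$Description,
        [Parameter(Mandatory)][ValidateSet('Global', 'DomainLocal')][string]$Scope,
        [Parameter(Mandatory)][string]$Path
    )
    # Idempotent: skip groups that already exist so the script can be re-run safely.
    if (Get-ADGroup -LDAPFilter "(sAMAccountName=$Name)") {
        Write-Verbose "$Name already exists, skipping"
        return
    }
    New-ADGroup -Name $Name -SamAccountName $Name -GroupScope $Scope -GroupCategory Security `
                -Description $Description -Path $Path
}

foreach ($g in $globalGroups.GetEnumerator()) {
    New-DelegationGroup -Name $g.Key -Description $g.Value -Scope Global -Path $groupOU
}
foreach ($g in $domainLocalGroups.GetEnumerator()) {
    New-DelegationGroup -Name $g.Key -Description $g.Value -Scope DomainLocal -Path $groupOU
}

# Assumed AGDLP nesting: the SL_ rights group carries the delegated ACEs, the SG_ role group
# holds the people. Pairings follow the matching names in the two tables.
$nesting = @{
    'SL_InfraRights'    = 'SG_InfraAdmins'
    'SL_AdRights'       = 'SG_ADAdmins'
    'SL_DfsRights'      = 'SG_DfsAdmin'
    'SL_GpoAdminRights' = 'SG_GpoAdmin'
    'SL_PkiRights'      = 'SG_PkiAdmin'
}
foreach ($pair in $nesting.GetEnumerator()) {
    $members = (Get-ADGroupMember -Identity $pair.Key).SamAccountName
    if ($members -notcontains $pair.Value) {
        Add-ADGroupMember -Identity $pair.Key -Members $pair.Value
    }
}

# Report what now exists in the container, with scope, so the result can be checked against the tables.
Get-ADGroup -SearchBase $groupOU -Filter * -Properties Description |
    Select-Object Name, GroupScope, Description | Sort-Object Name | Format-Table -AutoSize
```

Keeping the SL_ groups as the only principals that ever appear in delegated ACEs, and the SG_ groups as the only direct members of those SL_ groups, is what makes the final report a usable control: any extra member in an SL_ group, or any ACE granted to a user or SG_ group directly, is a deviation from the model and worth investigating.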
