The Delegation Model – Admin Area or Tier0 will host all objects required by the delegation model to operate as mentioned in this design. This is the container holding all the objects needed for domain administration, regardless of the Area/Tier where they belong to. This includes:
- Built-In Administrator
- the privileged groups (as Domain Admins or Enterprise Admins)
- all users/groups used to delegate rights and administrative tasks
- all service accounts, etc.
This area, meaning OU sub-tree, is effectively Tier0.
All the domain administration and delegation, while having a well-defined and organized structure, will live in this area, managed and maintained by the infrastructure owners. We will achieve this by sub-dividing the objects into functional containers. This area should be as restrictive as possible while maintaining the operational level.
This OU (Delegation Model – Admin Area or Tier0) consolidates and secures all privileged identities while delegating tasks and rights to each of the objects of the domain.
As a good start, the 1st level OU (called in this document Admin OU, being the equivalent of Tier0) has to be secure. We do this by modifying the SACL’s (Security Access Control List) of the OU. Modifying the default inheritance is a must, and the legacy compatibility groups removed. Additionally, the standard operational groups must be removed as well. We need to create other groups for the specific and secured operation of this area.
Once we create and secure the “root”, we must define additional sub-containers for the proper management of the environment. These containers should include Users, Groups, Service Accounts, Management Computers and the redirected User and Computer containers. When deciding the number of sub-containers, we have to keep it as simple as possible, while committing our goals. If our goal is fulfill with a single OU, then adding additional containers will barely help, but will make our operational costs higher and will jeopardize our security.
Once the root OU exists and secured, we can create all the required sub-OUs. Having enabled inheritance from the custom OU mentioned. Auditing must be enable and implemented for every object within this area. Only Infra Admins have the right to create and delete OUs within the domain.
After the creation of the Sub-OUs, we must create extra groups within is corresponding container. Some of these groups will have the delegated ability to manage objects in this area.