Delegating Admin Area (Tier0)

In Building Admin Area (Tier0) we created most of the objects required in our Admin Area (Tier0). Now we need to delegate the Admin Area (Tier0) by configuring all required permissions and rights based on the roles defined in our Delegation Model.

Semi-Privileged User Management (UM)

The UM group (User Management) will be able to create and modify Semi-Privileged user objects within this container, but will not have any rights over Privileged users.

Once more, a wrapper function is needed. The EguibarIT.Delegation PowerShell module provides cmdlets to delegate user creation (Set-AdAclCreateDeleteUser), reset user password (Set-AdAclResetUserPassword), change user password (Set-AdAclChangeUserPassword), enable/disable user (Set-AdAclEnableDisableUser), unlock user (Set-AdAclUnlockUser), manage account restrictions (Set-AdAclUserAccountRestriction) and user logon info (Set-AdAclUserLogonInfo). All these cmdlets are wrapped into a single cmdlet called Set-AdAclDelegateUserAdmin. A similar wrapper and supporting functions exist for GAL (Global Address List) attributes.

Semi-Privileged Group Management (GM)

The “PGM (Privileged Group Management)” group will be able to create and modify group objects within the groups container.

Privileged User Management (PUM)

Only the “PUM (Privileged User Management)” group will be able to modify Privileged user objects within this container.

Privileged Group Management (PGM)

Privileged Infrastructure Services Management (PSIM)

Take patch management as an example. All servers and computers within the “Admin Area”/Tier0 must be patched regularly, but they cannot share the same patching solution as regular PCs or servers. The patching service must be configured exclusively for this Area/Tier, so all AD objects required for this purpose should be within the Admin Area, with the infrastructure part (for example the computer object of the patching server) hosted here.

Only the “Privileged Infrastructure Services Management” group can create and delete computer objects within this container. Here, once more, we have the requirement for a wrapper function. In order to delegate management of a computer, we need to delegate: create/delete computers (Set-AdAclCreateDeleteComputer), reset computer password (Set-AdAclResetComputerPassword), change computer password (Set-AdAclChangeComputerPassword), validated write to DNS host name (Set-AdAclValidateWriteDnsHostName), validated write to SPN (Set-AdAclValidateWriteSPN), change computer account restrictions (Set-AdAclComputerAccountRestriction), change DNS hostname info (Set-AdAclDnsInfo), change MS Terminal Services info (Set-AdAclMsTsGatewayInfo), access to BitLocker & TPM info (Set-AdAclBitLockerTPM), the right to delete computers from the default container and move computers (Set-DeleteOnlyComputer), and LAPS (Set-AdAclLaps). This wrapper function is ideal for any container which deals with computer objects.
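As an added example (not code from the EguibarIT.Delegation module or the author), the following shows what each of the Set-AdAcl* cmdlets listed for users above and for computers here does underneath: it writes one object-specific ACE on the OU, inherited only by objects of one class, and then reads the ACL back so the delegation can be verified. The group names (SG_UM, SG_PSIM), the OU distinguished names and the domain are assumptions; the schema and rights GUIDs are the well-known fixed values.

```powershell
# Added example, not the EguibarIT.Delegation module's own code.
# Each Set-AdAcl* cmdlet boils down to one inherited, object-specific ACE on the OU.
Import-Module ActiveDirectory

# Well-known schema GUIDs (identical in every AD forest).
$UserClass     = [Guid]'bf967aba-0de6-11d0-a285-00aa003049e2'   # schemaIDGUID of class "user"
$ComputerClass = [Guid]'bf967a86-0de6-11d0-a285-00aa003049e2'   # schemaIDGUID of class "computer"
$ResetPassword = [Guid]'00299570-246d-11d0-a768-00aa006e0529'   # control access right "Reset Password"
$WriteSpn      = [Guid]'f3a64788-5306-11d1-a9c5-0000f80367c1'   # "Validated write to service principal name"

function Grant-TierObjectRight {
    # Grants $Rights on $RightGuid to $GroupSam, inherited only by $ObjectClass objects below $OuDn.
    param(
        [Parameter(Mandatory)][string]$GroupSam,
        [Parameter(Mandatory)][string]$OuDn,
        [Parameter(Mandatory)][Guid]$RightGuid,
        [Parameter(Mandatory)][Guid]$ObjectClass,
        [System.DirectoryServices.ActiveDirectoryRights]$Rights = 'ExtendedRight'
    )
    $sid = (Get-ADGroup -Identity $GroupSam).SID
    $ace = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
        $sid, $Rights, [System.Security.AccessControl.AccessControlType]::Allow, $RightGuid,
        [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents, $ObjectClass)
    $acl = Get-Acl -Path "AD:\$OuDn"
    $acl.AddAccessRule($ace)
    Set-Acl -Path "AD:\$OuDn" -AclObject $acl
}

function Get-TierObjectRightHolders {
    # Check: which principals hold an Allow ACE for $RightGuid on $OuDn (explicit or inherited).
    param([Parameter(Mandatory)][string]$OuDn, [Parameter(Mandatory)][Guid]$RightGuid)
    (Get-Acl -Path "AD:\$OuDn").Access |
        Where-Object { $_.AccessControlType -eq 'Allow' -and $_.ObjectType -eq $RightGuid } |
        Select-Object IdentityReference, ActiveDirectoryRights, InheritedObjectType, IsInherited
}

# Assumed names: adjust to the naming convention used when the Admin Area was built.
$Tier0UsersOu = 'OU=Users,OU=Admin,DC=example,DC=com'
$Tier0InfraOu = 'OU=Infra,OU=Admin,DC=example,DC=com'

# Semi-Privileged User Management: UM may reset passwords of user objects only (not groups, not computers).
Grant-TierObjectRight -GroupSam 'SG_UM' -OuDn $Tier0UsersOu -RightGuid $ResetPassword -ObjectClass $UserClass
# Privileged Infrastructure Services Management: validated write to SPN on computer objects only.
Grant-TierObjectRight -GroupSam 'SG_PSIM' -OuDn $Tier0InfraOu -RightGuid $WriteSpn -ObjectClass $ComputerClass -Rights Self

# Verify: only SG_UM (plus inherited built-in entries) should hold Reset Password over the users OU.
Get-TierObjectRightHolders -OuDn $Tier0UsersOu -RightGuid $ResetPassword | Format-Table -AutoSize
```

Because the ACE is bound to the class GUID, a UM member gains nothing over a Privileged user placed in a different OU, which is exactly the separation the UM/PUM split requires.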

Privileged Access Workstation Management (PAWM)

As part of the administrative separation between normal users and admin users, a secure host, or “Privileged Access Workstation”, must exist in order to fully separate a standard computer from the specific privileged machine used for domain privileged maintenance. Each of the defined tiers within this model (Admin/Tier0, Servers/Tier1 & Sites/Tier2) will have its own set of PAWs for administration; sharing PAWs between Areas/Tiers is not permitted.

Only the “PAW Management” group will be able to create and modify computer objects within this container, and this team is responsible for maintaining those assets. The assets will be organized in their own sub-OU depending on which tier they are assigned to.

Since this is a “Computer” container, the Set-AdAclDelegateComputerAdmin wrapper function can be used.

Privileged Service Account Management (PSAM)

A service account is a security principal with privileges above normal and specially granted rights, such as (but not exclusively) “Logon as a Batch Process”, “Logon as a Service” or “Interact as Part of the OS”; these rights are quite common for service accounts and are used by applications to run properly and execute privileged routines or Windows services without user intervention.

Service accounts are impersonal, so nobody is supposed to choose a password for them except the person who created the service account; this is the reason to use a strong password convention for service accounts.

A Service Account must:

  • Follow the corporate naming conventions
  • Have all attributes completed where possible (First Name, Last Name, Address, etc.)
  • Reside within the corresponding AD container (Service Accounts OU)
  • Set the “employeeType” attribute to ServiceAccount
  • Use the least privileges possible
  • Be jealously guarded
  • Use a Very Strong Password
  • Not contain name, last name, userID or any other attribute (full or partial) within the password

Following the delegation model, a Security Global Group must be created for each of the tiers, following current naming conventions, in the corresponding container (within the administrative OU tree, in the group container OU), and all service accounts must be members of their corresponding group. If a service account is not a member of any of these groups, the required service extended rights (Logon as a Service & Logon as a Batch Job) will not be granted. On the other hand, any user object placed inside any of these containers will become a Service Account. Only the “Privileged ServiceAccount Management” group will be able to create and modify user objects, GroupManagedServiceAccounts and ManagedServiceAccounts.
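The rules above are only useful if someone checks them. As an added example (not the author's code), this audit walks the Tier0 Service Accounts OU and reports every account that breaks a rule that is visible in AD: naming convention, the employeeType attribute, completed name attributes, and membership of the tier's service account group (without which the logon rights are never granted). The OU DN, the group name and the `^SA_` naming pattern are assumptions.

```powershell
# Added example, not the author's code: audits user objects in the Tier0 Service Accounts OU
# against the rules above. OU DN, group name and naming pattern are assumptions.
Import-Module ActiveDirectory

function Test-ServiceAccountCompliance {
    param(
        [Parameter(Mandatory)][string]$OuDn,        # Service Accounts OU of this tier
        [Parameter(Mandatory)][string]$GroupSam,    # the tier's service account Security Global Group
        [string]$NamePattern = '^SA_'               # assumed corporate naming convention
    )
    $groupDn = (Get-ADGroup -Identity $GroupSam).DistinguishedName
    $props = 'employeeType', 'memberOf', 'givenName', 'sn'
    Get-ADUser -SearchBase $OuDn -SearchScope Subtree -Filter * -Properties $props | ForEach-Object {
        $findings = New-Object System.Collections.Generic.List[string]
        if ($_.SamAccountName -notmatch $NamePattern) { $findings.Add('name does not follow convention') }
        if ($_.employeeType -ne 'ServiceAccount')      { $findings.Add('employeeType is not ServiceAccount') }
        if ($_.memberOf -notcontains $groupDn)         { $findings.Add("not in $GroupSam, logon rights will not be granted") }
        if (-not $_.givenName -or -not $_.sn)          { $findings.Add('givenName/sn not completed') }
        [pscustomobject]@{
            SamAccountName = $_.SamAccountName
            Compliant      = ($findings.Count -eq 0)
            Findings       = ($findings -join '; ')
        }
    }
}

# Assumed names for the Tier0 container and group; show only the accounts that need fixing.
Test-ServiceAccountCompliance -OuDn 'OU=ServiceAccounts,OU=Admin,DC=example,DC=com' -GroupSam 'SG_Tier0ServiceAccounts' |
    Where-Object { -not $_.Compliant } | Format-Table -AutoSize
```

Password-content rules (no name, surname or userID inside the password) cannot be checked from the directory and have to be enforced by the person creating the account.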

Group Policy Management

This container is where all the Group Policy Objects (GPO) reside, no matter which Tier/Area these objects belong to. By default, the domain Administrator is the owner of this container, thus having full control over all contained objects.

Because of the implied rights the Administrator account has, having GPO rights solely delegated to a group is a must. The GPO Admin group has these rights delegated, acting as a full administrator only within the GPC (Group Policy Container).

This role is the equivalent of the built-in Administrator but limited to the mentioned container. This role is able to:

  • Create/Delete GPO
  • Create/Delete GPLinks
  • Manage GPOptions (Inheritance)
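Each of the three rights above maps to a specific ACE: creating or deleting a GPO is a child-object right for the groupPolicyContainer class under CN=Policies, while GPLinks and GPOptions (inheritance blocking) are writes to the gPLink and gPOptions attributes of the domain root or an OU. As an added example (not the author's code), this check lists every principal holding any of those rights, so only the GPO Admin group and the built-in owners should show up; schema GUIDs are read from the forest rather than hard-coded.

```powershell
# Added example, not the author's code: lists every principal able to create/delete GPOs
# or to write gPLink / gPOptions anywhere GPOs can be linked.
Import-Module ActiveDirectory

function Get-SchemaGuid {
    # Resolve an attribute or class name to its schemaIDGUID from this forest's schema.
    param([Parameter(Mandatory)][string]$LdapDisplayName)
    $schemaNc = (Get-ADRootDSE).schemaNamingContext
    $obj = Get-ADObject -SearchBase $schemaNc -LDAPFilter "(lDAPDisplayName=$LdapDisplayName)" -Properties schemaIDGUID
    [Guid]$obj.schemaIDGUID
}

function Get-GpoDelegationHolders {
    $domainDn  = (Get-ADDomain).DistinguishedName
    $gpcClass  = Get-SchemaGuid 'groupPolicyContainer'
    $gpLink    = Get-SchemaGuid 'gPLink'
    $gpOptions = Get-SchemaGuid 'gPOptions'
    $results   = New-Object System.Collections.Generic.List[object]

    # Create/Delete GPO: child-object rights for groupPolicyContainer under CN=Policies
    # (an empty ObjectType means the ACE covers every child class, e.g. GenericAll).
    $policiesDn = "CN=Policies,CN=System,$domainDn"
    foreach ($ace in (Get-Acl -Path "AD:\$policiesDn").Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        $isCreate = $ace.ActiveDirectoryRights -match 'CreateChild|DeleteChild|GenericAll'
        if ($isCreate -and ($ace.ObjectType -in @($gpcClass, [Guid]::Empty))) {
            $results.Add([pscustomobject]@{ Scope = $policiesDn; Right = 'Create/Delete GPO'; Identity = $ace.IdentityReference })
        }
    }
    # Create/Delete GPLinks and Manage GPOptions: property writes on the domain root and every OU.
    $scopes = @($domainDn) + @(Get-ADOrganizationalUnit -Filter * | Select-Object -ExpandProperty DistinguishedName)
    foreach ($dn in $scopes) {
        foreach ($ace in (Get-Acl -Path "AD:\$dn").Access) {
            if ($ace.AccessControlType -ne 'Allow') { continue }
            if ($ace.ActiveDirectoryRights -notmatch 'WriteProperty|GenericWrite|GenericAll') { continue }
            $right = $null
            if     ($ace.ObjectType -eq $gpLink)        { $right = 'Create/Delete GPLinks' }
            elseif ($ace.ObjectType -eq $gpOptions)     { $right = 'Manage GPOptions' }
            elseif ($ace.ObjectType -eq [Guid]::Empty)  { $right = 'All properties (covers gPLink and gPOptions)' }
            if ($right) { $results.Add([pscustomobject]@{ Scope = $dn; Right = $right; Identity = $ace.IdentityReference }) }
        }
    }
    $results
}

Get-GpoDelegationHolders | Sort-Object Identity, Right | Format-Table -AutoSize
```

GPO creation additionally needs write access to the SYSVOL Policies share, which this directory-side check does not cover.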

Directory Replication

Infrastructure Administration

This group gets additional permissions within AD. For example, this group is the ONLY group with permissions to create/delete Organizational Units, Sites, Subnets and SiteLinks, or to transfer FSMO roles.

AD Administration

This group has the permissions to change many of the existing objects, but create/delete is reserved for Infrastructure Administration.

After completing the delegation, we can Configure Admin Area (Tier0).
