Delegation problem
- From: boomboom999@xxxxxxxxx
- Date: 22 Jan 2006 10:43:22 -0800
Hello,
When building a delegation model, Microsoft recommends clearly
separating Service Admins and Data Admins. The Service Admins are
responsible for controlling the directory structure, services and
security. The Data Admins are responsible for some objects in their
limited delegated containers and other related resources.
That is a perfect suggestion.
But in real life there are some serious problems with this separation
model.
In a typical Wintel company there are more components involved:
SMS (Clients running on DCs)
MOM (Clients running on DCs)
RIS (Images for domain controllers)
SAN (DCs have their disks on SAN)
VmWare (some DCs are virtualized)
Backup (backup servers take copies of domain controllers)
In one or another way the administrators of all these components have
access to domain controller data and can escalate their privileges up
to Domain Admins or affect security of the controllers in another
manner.
Who are these administrators? Are they Service Admins or Data Admins?
I see 2 solutions for this problem but neither is perfect.
1. Give all the administrative tasks (SMS+MOM+SAN+ ...) to Domain
Admins. That will keep all the security control in one pair of hands but will
end up with overloaded broad-profile AD admins.
2. Delegate the tasks, like SMS or MOM management, to highly trusted
individuals. That will spread the security control over a group of
people but diminish the load on AD admins.
What would you recommend?
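Whichever option is chosen, the first practical step is to find out who actually holds Service Admin power today, because agent and service accounts for SMS, MOM, backup or virtualization tooling often end up in groups that control domain controllers without anyone classifying them as Service Admins. The following PowerShell is an added example, not part of the original post or any Microsoft guidance: it enumerates membership of groups that grant domain-controller-level control and reports every account that is not on the organisation's declared Service Admin list. It assumes the ActiveDirectory module (RSAT) for the live query; the list of groups treated as "tier 0" is the example's own assumption, and the sample membership data at the bottom is constructed so the comparison can be exercised offline.

```powershell
# Added example (not from the original post): inventory of accounts with
# domain-controller-level ("Service Admin") reach, compared against the
# list of people the organisation has formally declared as Service Admins.
# Assumes the ActiveDirectory module for Get-Tier0Membership; the comparison
# in Find-UndeclaredServiceAdmins runs against any group -> members hashtable.

# Groups whose members can control DCs directly or through their security
# settings. Membership here is effectively Service Admin regardless of title.
# (Assumed list for this example; adjust to the forest in question.)
$Tier0Groups = @(
    'Enterprise Admins',
    'Domain Admins',
    'Schema Admins',
    'Administrators',             # Builtin\Administrators on domain controllers
    'Server Operators',
    'Backup Operators',           # can read/restore any file on a DC
    'Account Operators',
    'Group Policy Creator Owners'
)

function Get-Tier0Membership {
    # Live query: returns @{ 'Domain Admins' = @('alice','svc_sms'); ... }
    param([string[]]$Groups = $Tier0Groups)
    $result = @{}
    foreach ($g in $Groups) {
        try {
            $members = Get-ADGroupMember -Identity $g -Recursive -ErrorAction Stop |
                       Select-Object -ExpandProperty SamAccountName
            $result[$g] = @($members)
        } catch {
            Write-Warning "Could not enumerate '$g': $($_.Exception.Message)"
        }
    }
    return $result
}

function Find-UndeclaredServiceAdmins {
    # Compare actual tier-0 reach with the declared Service Admin list.
    # Every account returned holds Service Admin power without being
    # recognised as such: typically SMS/MOM/backup/SAN/VMware operators.
    param(
        [Parameter(Mandatory)][hashtable]$Membership,
        [Parameter(Mandatory)][string[]]$DeclaredServiceAdmins
    )
    $declared = @{}
    foreach ($a in $DeclaredServiceAdmins) { $declared[$a.ToLowerInvariant()] = $true }

    $findings = foreach ($group in $Membership.Keys) {
        foreach ($member in $Membership[$group]) {
            if (-not $declared.ContainsKey($member.ToLowerInvariant())) {
                [pscustomobject]@{ Account = $member; Via = $group }
            }
        }
    }
    return @($findings | Sort-Object Account, Via)
}

# --- Constructed sample data so the comparison can be exercised offline ---
$sampleMembership = @{
    'Domain Admins'    = @('alice', 'bob')
    'Backup Operators' = @('svc_backup', 'carol')          # backup team
    'Administrators'   = @('alice', 'svc_sms', 'svc_mom')  # agents on DCs
}
$declaredServiceAdmins = @('alice', 'bob')

Find-UndeclaredServiceAdmins -Membership $sampleMembership `
                             -DeclaredServiceAdmins $declaredServiceAdmins |
    Format-Table -AutoSize

# Against a real domain (requires the ActiveDirectory module):
# Find-UndeclaredServiceAdmins -Membership (Get-Tier0Membership) `
#                              -DeclaredServiceAdmins $declaredServiceAdmins
```

Running this periodically gives a concrete answer to the question "are the SMS, MOM and backup administrators Service Admins?": if their accounts appear in the output, they already are, whatever the delegation model says on paper, and the decision between the two options becomes one of either formally adding them to the Service Admin group and holding them to the same controls, or removing that reach and giving the tooling narrower rights.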