Derek Melber, Technical Evangelist for the AD Solutions team at ManageEngine and one of only 12 Microsoft Group Policy MVPs in the world, draws on his extensive knowledge of Windows Active Directory security to present the ways delegation is granted on Windows servers and in Active Directory (by group membership, user rights and permissions), how to verify each, and the limitations of each approach.
Controlling Delegation of Windows Servers and Active Directory
1. Controlling Delegation of Windows Servers and Active Directory
2. About Your Speaker
• Derek Melber, MCSE & MVP (Group Policy and AD)
• derek@manageengine.com
• Online Resources
  • ManageEngine “Active Directory” Blog
  • Group Policy Resource Kit – MSPress
• Windows Security Audit Package Consulting
  • Active Directory/Windows Audit Program
  • Training for efficient auditing
• Administration Consultant
  • Active Directory and Server Design/Security
  • Active Directory and Group Policy Design
3. Agenda
• Delegation Defined
• Delegation by Group Membership
• Delegation by User Rights
• Delegation by Permissions
• Verifying Group Membership
• Verifying User Rights
• Verifying Permissions
• Breaking Down Delegation Capabilities
4. Delegation Defined
• Delegation is granting the ability to manage or control some or all of an object or computer, for example:
  • Install and manage software on a server
  • Control services on a server
  • Add a group
  • Change membership of a group
  • Add or remove a user
  • Reset the password for a user
5. Delegation by Group Membership
• Default local groups
  • Administrators
  • Backup Operators
  • Power Users
6. Delegation by Group Membership
• Default domain groups
  • Domain Admins
  • Administrators
  • Cert Publishers
  • DHCP Administrators
  • DNSAdmins
  • Group Policy Creator Owners
  • Account Operators
  • Backup Operators
7. Delegation by Group Membership
• Default forest groups
  • Enterprise Admins
  • Schema Admins
9. Delegation by Group Membership
• Custom admin groups
  • Groups created by administrators in Active Directory
  • These groups are granted elevated privileges through one or more of:
    • Group membership
    • User rights
    • Permissions
10. Delegation by User Rights
• Computer-wide configurations that control what users can do to/on that computer
• User rights are unique from computer to computer
• User rights are configured centrally using Group Policy
  • If not configured centrally, the local policy configures the computer's user rights
• User rights override security permissions
  • e.g., a user who is denied permission to a folder can still back it up when granted the Backup and Restore user rights
11. Delegation by User Rights
• User rights are granted using Group Policy
• Domain Controllers
  • User rights are specially configured by default
  • The Default Domain Controllers Policy contains the default user right settings
• Servers and Workstations
  • No user rights are applied using Group Policy by default
  • No additional user rights are applied by joining the domain
  • Local or domain-based Group Policy can alter/increase user right security
12. Delegation by User Rights
• High-privileged user rights
  • Shut down the system
  • Force shutdown of remote system
  • Log on as a batch job
  • Log on as a service
  • Log on locally
  • Act as part of the OS
  • Backup and Restore files and directories
  • Generate security audits
  • Manage auditing and security log
  • Replace process-level token
  • Synchronize directory service data
  • Take ownership of files and other objects
13. Delegation by Permissions
• Permissions control what a user can do to an object
• Objects include…
  • Files
  • Folders
  • Registry keys
  • Printers
  • Services
  • AD objects
14. Delegation by Permissions
• Permissions are also known as
  • Access control list
  • ACL
  • NTFS permissions
• None of these are the same as Share permissions!
15. Delegation by Permissions
• Permissions differ by the object being configured
• Three levels of permissions can be configured for each object
16. Verifying Group Membership
• Incorrect group membership can give too much access
• Verification options
  • Active Directory Users and Computers
  • Local SAM
  • DumpSec
  • PowerShell/PowerGUI (groups recursive)
  • ADAudit Plus (groups recursive)
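The following is an added example (not from the presentation or ManageEngine) of the "PowerShell (groups recursive)" check: it expands the nested membership of the built-in privileged groups named on the earlier slides and reports each effective member with the account state an auditor looks at. It assumes the RSAT ActiveDirectory module is installed and the session can read the domain.

```powershell
# Added example: recursive membership report for privileged AD groups.
# Assumes the ActiveDirectory module (RSAT) and read access to the domain.
Import-Module ActiveDirectory

# Built-in privileged groups from the slides; add custom admin groups here too.
$privilegedGroups = @(
    'Enterprise Admins', 'Schema Admins', 'Domain Admins', 'Administrators',
    'Account Operators', 'Backup Operators', 'Group Policy Creator Owners',
    'DnsAdmins', 'DHCP Administrators', 'Cert Publishers'
)

$report = foreach ($groupName in $privilegedGroups) {
    # -Filter simply returns nothing when a group does not exist
    # (e.g. DHCP Administrators on a domain without DHCP), so no error handling is needed.
    $group = Get-ADGroup -Filter "Name -eq '$groupName'"
    if (-not $group) { continue }

    # -Recursive expands nested groups and returns only the leaf members (users, computers).
    $group | Get-ADGroupMember -Recursive | ForEach-Object {
        $member = $_
        $detail = $null
        if ($member.objectClass -eq 'user') {
            $detail = Get-ADUser -Identity $member.distinguishedName `
                -Properties Enabled, PasswordNeverExpires, LastLogonDate
        }
        [pscustomobject]@{
            PrivilegedGroup      = $groupName
            Member               = $member.SamAccountName
            ObjectClass          = $member.objectClass
            Enabled              = $detail.Enabled
            PasswordNeverExpires = $detail.PasswordNeverExpires
            LastLogonDate        = $detail.LastLogonDate
        }
    }
}

# Typical findings: disabled or stale accounts, service accounts and computers
# that still hold privileged membership through a nested group.
$report | Sort-Object PrivilegedGroup, Member | Format-Table -AutoSize
$report | Export-Csv -Path (Join-Path $env:TEMP 'privileged-membership.csv') -NoTypeInformation
```

Get-ADGroupMember -Recursive does not resolve members from trusted domains (foreign security principals), so those must be reviewed separately.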
17. Verifying User Rights
• Incorrect user rights can give too much power
• Verification options
  • Secpol.msc
  • DumpSec
  • ADAudit Plus
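As an added example (not part of the presentation), this script does from the command line what Secpol.msc shows interactively: it exports the computer's effective user-rights assignments with the built-in secedit tool and lists who holds each of the high-privileged rights from the "Delegation by User Rights" slide. It assumes an elevated PowerShell session on the server being verified.

```powershell
# Added example: report holders of high-privileged user rights on this computer.
# Requires an elevated session; secedit.exe is built into Windows.

# Constant names of the high-privileged rights listed on the slide.
$highPrivilegeRights = @{
    'SeShutdownPrivilege'           = 'Shut down the system'
    'SeRemoteShutdownPrivilege'     = 'Force shutdown from a remote system'
    'SeBatchLogonRight'             = 'Log on as a batch job'
    'SeServiceLogonRight'           = 'Log on as a service'
    'SeInteractiveLogonRight'       = 'Allow log on locally'
    'SeTcbPrivilege'                = 'Act as part of the operating system'
    'SeBackupPrivilege'             = 'Back up files and directories'
    'SeRestorePrivilege'            = 'Restore files and directories'
    'SeAuditPrivilege'              = 'Generate security audits'
    'SeSecurityPrivilege'           = 'Manage auditing and security log'
    'SeAssignPrimaryTokenPrivilege' = 'Replace a process level token'
    'SeSyncAgentPrivilege'          = 'Synchronize directory service data'
    'SeTakeOwnershipPrivilege'      = 'Take ownership of files or other objects'
}

$inf = Join-Path $env:TEMP 'user-rights.inf'
# Export only the user-rights area; the INF gets a [Privilege Rights] section with
# lines such as: SeBackupPrivilege = *S-1-5-32-544,*S-1-5-32-551
secedit /export /cfg $inf /areas USER_RIGHTS | Out-Null

$report = foreach ($line in (Get-Content $inf | Where-Object { $_ -match '^Se\w+ = ' })) {
    $name, $holders = $line -split ' = ', 2
    if (-not $highPrivilegeRights.ContainsKey($name)) { continue }
    foreach ($holder in ($holders -split ',')) {
        # Holders are SIDs prefixed with '*'; translate to account names where possible.
        $principal = $holder.Trim().TrimStart('*')
        if ($principal -match '^S-1-') {
            try {
                $principal = ([System.Security.Principal.SecurityIdentifier]$principal).Translate(
                    [System.Security.Principal.NTAccount]).Value
            } catch { }   # unresolvable SID (deleted account?): keep the raw SID and review it
        }
        [pscustomobject]@{ Right = $highPrivilegeRights[$name]; Constant = $name; Holder = $principal }
    }
}

$report | Sort-Object Right, Holder | Format-Table -AutoSize
Remove-Item $inf -ErrorAction SilentlyContinue
```

A right that does not appear in the export is held by nobody on that computer; a domain controller's output reflects the Default Domain Controllers Policy described earlier.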
18. Verifying Permissions
• Incorrect permissions can give too much access
• Verification options
  • Screen captures (painful, time consuming, and too large)
  • DumpSec (files and folders)
  • Xcacls, icacls (files and folders)
  • Dsacls (AD objects)
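The following added example (not from the presentation) covers the Dsacls case for AD objects: it reads the ACLs of an OU and the OUs beneath it through the AD: drive and keeps only the explicit, non-inherited ACEs granted to principals other than the expected administrative ones, which is where delegated rights show up. It assumes the ActiveDirectory module and that the placeholder $ouDn is replaced with an OU from your own domain.

```powershell
# Added example: list explicit (non-inherited) ACEs on an OU tree, excluding the
# principals expected to have them, so delegated rights stand out for review.
# Assumes the ActiveDirectory module, which provides the AD: drive.
Import-Module ActiveDirectory
$ouDn = 'OU=Servers,DC=example,DC=com'   # placeholder; replace with a real OU

# Principals whose ACEs are expected on every object and therefore not reported.
$expected = @('NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators', 'Domain Admins',
              'Enterprise Admins', 'CREATOR OWNER')

# Delegation is usually set on the OU or on containers below it, so walk the subtree.
$targets = @($ouDn) + (Get-ADOrganizationalUnit -SearchBase $ouDn -Filter * |
    Select-Object -ExpandProperty DistinguishedName)

$findings = foreach ($dn in ($targets | Sort-Object -Unique)) {
    $acl = Get-Acl -Path "AD:\$dn"
    foreach ($ace in $acl.Access) {
        if ($ace.IsInherited) { continue }             # only rights set directly on this object
        $id = $ace.IdentityReference.Value
        if ($expected | Where-Object { $id -like "*$_" }) { continue }
        [pscustomobject]@{
            Object     = $dn
            Principal  = $id
            Type       = $ace.AccessControlType         # Allow or Deny
            Rights     = $ace.ActiveDirectoryRights
            # GUID of the attribute or class the ACE is scoped to; all zeros means the whole object.
            ObjectType = $ace.ObjectType
            Inherits   = $ace.InheritanceType
        }
    }
}

$findings | Format-Table -AutoSize -Wrap
```

Dsacls resolves the ObjectType GUIDs to attribute and class names (for example, which attribute a "reset password" delegation covers); this listing leaves them as GUIDs, so run dsacls on any object that needs that detail.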
19. Breaking Down Delegation Capabilities
• Servers
  • Manage files and folders
  • Manage security logs
  • Install applications
  • Install services
  • Manage services
  • Start and shut down server
  • Manage local users and groups
  • Manage entire server
21. Breaking Down Delegation Capabilities
• Active Directory
  • Managing users
  • Managing groups
  • Managing computers
  • Managing Group Policy
  • Managing the schema
  • Managing forest-level functions
22. Summary
• Delegation Defined
• Delegation by Group Membership
• Delegation by User Rights
• Delegation by Permissions
• Verifying Group Membership
• Verifying User Rights
• Verifying Permissions
• Breaking Down Delegation Capabilities
23. Questions?
Our gift to you… the link to download the tools!
http://www.manageengine.com/products/active-directory-audit/
Thank you!