What is delegation of administration in Active Directory?

An IT infrastructure is typically comprised of many IT assets such as user accounts, computers, files and databases, applications and services all of which need to be administered. In such IT infrastructures, it is not possible for a handful of administrators to adequately administer all aspects of the IT infrastructure.

 

Thus, in most IT infrastructures, administrative responsibilities for managing the various IT assets that together comprise the IT infrastructure are distributed (or delegated) amongst an adequate and typically greater number of less-privileged administrators, who are then responsible for managing smaller specific portions of the IT infrastructure.

 

Delegation of administration is the act of distributing and delegating an administrative task for various aspects of IT management amongst an adequate number of administrators.

 

The act of delegating administration involves granting one or more users or Active Directory security groups the necessary Active Directory security permissions as appropriate so as to able to allow the delegated administrator to carry out these tasks.

 

In the interest of security, after delegating an administrative task, IT personnel should always also verify delegation in Active Directory, so as to be sure that the task was delegated accurately. The process of verifying a delegation in Active Directory is rather complicated but with the right Active Directory Reporting Tool, IT personnel can accomplish this task efficiently and reliably.

 

Done right, Active Directory's powerful administrative delegation capabilities let organizations securely, efficiently and cost-effectively delegate administrative authority for identity and access management in their IT infrastructures thereby reducing cost and enhancing security.

 

Source - Active Directory Security Technical Reference


A Guide to the Active Directory Security Model

Active Directory's security model secures and protects every object stored in Active Directory, including domain user accounts and domain computer accounts, domain security groups and group policies. The Active Directory Security model allows administrators to specify who has what access to which object to a high degree of control. It also allows administrators to specify access for an entire group of users so as to simply security management.

 

The following is an overview of how Active Directory's security model protects stored content –

  1. Each object is protected by a component known as a Security Descriptor

  2. Each security descriptor contains amongs other compronents, an Access Control List (ACL)

  3. Each ACL contains one or more Access Control Entries (ACEs)

  4. Each ACE allows or denies specific security permissions to some security principal

  5. Security groups can be specified and be part of security groups

  6. ACEs can be explicit or inherited; explicit ACEs override inherited ACEs

  7. Access is specified in the form of low–level technical permissions

  8. These low-level permissions can be standard permissions, or special permissions such as extended rights or validated writes

  9. Active Directory's current object visibility mode impacts list access requests

  10. The access check takes into account the object's ACL and the user's token and determines resultant access for user on the object

In this manner, Active Directory's security model secures and protects Active Directory content.


What are Active Directory Extended Rights?

Active Directory's security model secures and protects every object stored in Active Directory, including domain user accounts and domain computer accounts, domain security groups and group policies and in the Active Directory security model, permissions specify, govern and control the ability of a security principal to perform a technical operation on the Active Directory object it serves to protect.
 
While standard operations on objects stored in and protected by Active Directory are governed by standard Active Directory permissions, there are certain operations that have special significance, and require special or extended permissions for their authorization. These special or extended permissions govern the ability of a user to perform specific Active Directory operations, or Active Directory based identity and access management operations, and are often referred to as Active Directory extended rights.
 
In addition, Active Directory Property Sets refer to a group of related properties (attributes) for which access control can be collectively specified in a single ACE. The ability to collectively specify access on a related set of properties simplifies access specification and management.
 
While standard Active Directory permissions govern standard operations on objects stored in and protected by Active Directory, certain operations require additional validation prior to being committed, above and beyond basic Schema based structure enforcement validation. Active Directory Validated Writes represent a special type of permission that facilitates pre-commit validation during write attempts to certain properties on certain Active Directory objects.

How to determine the True Last Logon Value in Active Directory

IT administrators often need to determine the last time a user may used their Active Directory domain user account to logon. To do so, IT administrators need to query the Active Directory and obtain the values of the attribute that stores this value on domain user accounts.
 
In fact, Active Directory stores the last logon time of a domain user account in a specific attribute on the user object called lastLogon. However, this is not a replicated attribute, which means that Active Directory does not replicate its value amongst all the DCs of a domain.
 
Thus, in practice, in order to determine a domain user account's true last logon time, IT administrators need to query each DC in the domain for the local lastLogon value on the user's account, then compare each of these values to determine the latest one, and report that as the user's true last logon time. The actual last user logon value is also commonly referred to as True Last Logon in Active Directory.
 
IT administrators often write scripts to make this determination or use 3rd party scripts. The problem with writing scripts is that they are prone to error and are time-consuming to customize and maintain, and the problem with unsupported using 3rd party scripts is that they are not reliable and thus cannot always be trusted to deliver the accurate values every time. Accuracy is very important because many a time, these reports are furnished as evidence to demonstrate the regulatory compliance and constitute a part of Active Directory compliance reports.
 
The best alternative then is to use reliably 3rd party tools that completely automate this process and that can be trusted. Care must be taken however to ensure that these tools are from a trustworthy vendor and that they are developed by proficient developers and as far as possible built in the USA.