
Best Practices for Delegating Active Directory Administration (Windows Server 2003)
Updated: December 5, 2005
Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1,
Windows Server 2003 with SP2
Acknowledgements
Program Manager: Sanjay Tandon
Writer: Mary Hillman
We thank the following people for their contributions in the creation of the Active Directory
Delegation Appendices and the Dsrevoke tool:
Umit Akkus, Nona Allison, Colin Brace, Raman Chikkamagalur, Arren Conner, Raju Dantuluri,
Dmitry Dukat, Levon Esibov, Dmitri Gavrilov, Don Hacherl, Saif Hasan, Xin He, David Hou,
Gokay Hurmali, Khushru Irani, Kamal Janardhan, Gregory Johnson, Ian Jose, Richa Kumar,
Klaas Langhout, William Lees, Xiaozhong Luo, Jaeger Mitchell, Nathan Muggli, Arun Nanda,
Rich Randall, Ullattil Shaji, Brett Shirley, Scott Turnbull, Andrea Weiss, Jeff Westhead, and BJ
Whalen.
We thank the following people for reviewing the guide and providing valuable feedback:
Laurie Brown, John Craddock, Robert DeLuca, Christoph Felix, Eric Fleischman, Guido
Grillenmeier, Mike Hickey, David Kayano, Alain Lissoir, Andreas Luther, Astrid McClean, Paul
Rich, Joe Richards, and David Trulli.

Overview
The Active Directory directory service is an integral component of network infrastructures that
are based on the Microsoft Windows Server 2003, Standard Edition; Windows Server 2003,
Enterprise Edition; Windows Server 2003, Datacenter Edition; Windows 2000 Server;
Windows 2000 Advanced Server; and Windows 2000 Datacenter Server operating systems.
Successful management of Active Directory environments requires distribution of administrative
responsibilities among multiple administrators according to organizational, operational, legal,
and administrative requirements. Having the necessary background information, requirements,
practices, and recommendations can help you delegate administration so that Active Directory
services and data are managed more securely and efficiently.

Abstract
Active Directory provides an enterprise-ready, scalable, distributed directory service that allows
organizations to centrally manage and share information about network resources and users, and
is at the heart of distributed network security in a Windows Server-based enterprise. Active
Directory thus plays a major role in accomplishing the business goals of your organization, and
your ability to successfully manage Active Directory has a direct bearing on your ability to
accomplish these goals.
Delegation of administration, a key capability of Active Directory, provides a means to
successfully manage an Active Directory environment. This document discusses in depth the
issues involved in delegating administrative responsibilities, and can help you plan for,
implement, and maintain an administrative delegation model that allows secure and efficient
management of Active Directory.

Scope
This document provides all the information required to create, implement, and maintain a
security-conscious and efficient delegation model to manage your Active Directory
environments. This information includes an overview of delegation, in-depth explanations of the
rationale for delegation, technical descriptions of how delegation works in Active Directory,
processes for creating delegation models for both service and data management, the steps needed
to implement and maintain the models, and a detailed case study. Appendices to this document
provide an exhaustive reference, including a comprehensive list of Active Directory
administrative tasks and associated permissions required to delegate every administrative task in
Active Directory.
This document does not include Active Directory deployment instructions or recommendations.
For information about planning and deploying an Active Directory environment, see Designing
and Deploying Directory and Security Services of the Microsoft Windows Server 2003
Deployment Kit on the Web at http://go.microsoft.com/fwlink/?LinkID=4719.

Intended Audience
This document is intended for Information Technology (IT) professionals who are responsible
for managing an Active Directory environment. In most IT infrastructures that consist of multiple
integrated components and services, the responsibility to deliver a specific component or service
is typically entrusted to a component or service owner, who is responsible for the overall
delivery of the component or service.
Ownership of Active Directory environments should be entrusted to two specific owners or
owner groups, whose roles are typically strategic and managerial: service owners and data
owners. Service owners and data owners have general, overriding responsibility for Active
Directory. These usually high-ranking managers are respectively responsible for ensuring
reliability and security in the delivery of the directory service and for managing the security of
Active Directory content. To that end, they are responsible for delegating and distributing among
their administrators responsibility for managing services and content. They do so by creating an
administrative delegation model, which documents the distribution of administrative
responsibilities among various administrative personnel.
Administrative responsibilities for delegating Active Directory management are divided
between:

• Service owners, who are responsible for:
  o Planning, deployment, and long-term maintenance of the Active Directory
    infrastructure.
  o Ensuring that the directory continues to function reliably and at the desired level
    of security.
  o Ensuring that the goals established in service-level agreements are maintained.

• Data owners, who are responsible for maintaining the information that is stored in or
  protected by the Active Directory directory service, including:
  o Management of user and computer accounts.
  o Management of local resources, such as member servers and workstations and the
    data they store.

• Service administrators, who represent the operational arm of service owners and are
  responsible for carrying out the tasks that are required to maintain the delivery of the
  directory service.

• Data administrators, who represent the operational arm of data owners and are
  responsible for carrying out the tasks that are required to manage the content that is
  stored in or protected by Active Directory.

This document is intended for service and data owners to help them create a security-conscious
and efficient administrative delegation model that is tailored to the specific requirements of their
organization. It is also intended for the service and data administrators who are responsible for
implementing the delegation model.
To accommodate the needs of these different stakeholders, the information in this document is
divided into four chapters, a case study, and extensive appendices, as follows:

• Chapter 1: Delegation of Administration Overview

  This chapter provides an overview of Active Directory management categories and
  stakeholders and a roadmap for successfully managing delegation of administration in
  Active Directory. It is targeted at all stakeholders involved in Active Directory
  management.

• Chapter 2: How Delegation Works in Active Directory

  This chapter takes an in-depth look at how delegation of administration actually works in
  Active Directory and presents all the technical aspects involved in delegation of
  administration. It contains a wealth of information that will be useful for all stakeholders
  involved in Active Directory management.

• Chapter 3: Delegating Service Management

  This chapter presents an end-to-end perspective of Active Directory service management,
  and provides guidance on how to create, implement, and maintain a secure and efficient
  administrative delegation model for service management. It is targeted at Service Owners
  and Service Administrators.

• Chapter 4: Delegating Data Management

  This chapter presents an end-to-end perspective of Active Directory data management,
  and provides guidance on how to create, implement, and maintain a secure and efficient
  administrative delegation model for data management. Though it is targeted at Data
  Owners and Data Administrators, Service Owners and Service Administrators will also
  benefit from the information in this chapter.

• Case Study: A Delegation Scenario

  The case study walks through the creation, implementation, and maintenance of an
  administrative delegation model for a fictitious Active Directory environment based on
  the recommendations presented in Chapters 3 and 4. While it is primarily targeted at
  service and data administrators, service and data owners will also benefit from the case
  study.

• Best Practices for Delegating Active Directory Administration: Appendices

  The appendices contain step-by-step procedures to help you administer and maintain
  Active Directory.
