Rollenmanagement Active Directory

Rollenmanagement Active Directory

Allgemein

Administrative Rechte delegieren

Wer sich mit der Delegierung von Rechten im Active Directory beschäftigt, weiß wie anstrengend es sein kann, sich zu überlegen, wer welche Rechte erhalten soll.

Ein Domänen-Admin muss nicht alles alleine stemmen. Die Verwaltung bzw. Administration sollte auf mehreren Schultern verteilt werden.

Hier ein paar Beispiele wie die zu vergebenen Rollen aussehen könnten. Ich hatte mir diese mal vor langer Zeit zusammengetragen.

Konten Administrator

  • Create user accounts
  • Delete user accounts
  • Move user accounts
  • Reset a users password
  • Unlock user accounts
  • Modify user account
  • Authorize access to user and group accounts
  • Link GPOs to user account OUs

Workstation Administrator

  • Create computer accounts
  • Delete computer accounts
  • Move computer accounts
  • Link GPOs to computer account OUs
  • Have membership in local Administrators group
  • Have permission to control workstation remotely

Server Administrator

  • Create computer accounts
  • Delete computer accounts
  • Move computer accounts
  • Link GPOs to computer account OUs
  • Have membership in local Administrators group
  • Have permission to control workstation remotely

Ressourcen Administrator

  • Control access to data
  • Control service and service account on server
  • Control application on server

Sicherheitsgruppen Administrator

  • Create security groups
  • Modify the membership of security groups
  • Delete security groups

Help Desk 

  • Reset passwords on user accounts
  • Unlock user accounts
  • Control non security related user account properties

Forest-Konfigurations-Administrator

  • Creating and deleting child domains
  • Creating, deleting, and managing all trust relationships for the forest
  • Creating, deleting, and managing cross-reference objects
  • Transferring and seizing the forest-wide operations master roles
  • Raising the forest functional level

Domänen-Konfigurations-Administrator

  • Managing replica domain controllers
  • Managing operations master roles
  • Managing the default Domain Controllers OU
  • Managing the content stored in the System container
  • Restoring AD from backup when required

Sicherheitsrichtlinien Administrator

  • Managing Password policy settings
  • Managing Account Lockout settings
  • Managing Kerberos Policy settings

Service Administrator

  • Managing service administration user accounts
  • Managing service administration security groups

Domain Controller Administrators

  • Managing software
  • Managing service packs and security updates
  • Managing GPO settings, for both security and control
  • Managing event logs
  • Managing directory service files and Sysvol

Replikations-Administrator

  • Managing sites
  • Managing subnets
  • Managing site links and site-link bridges
  • Managing the replication schedule and replication interval on site links
  • Managing manual site connections

DNS Administrator

  • Installing the DNS Server service on domain controllers
  • Managing and configuring DNS recursion methods
  • Managing forest-wide zones
  • Managing DNS application partitions

Natürlich müssen auch diese ganzen Administratoren überwacht werden. Dazu setze ich sehr gerne das Tool ADAudit Plus von Mangage Engine ein.

ADAudit Plus Datenbank Migration PostgreSQL zu MSSQL

Bild von Gerd Altmann auf Pixabay