Managing authorizations in AD is often exhausting. It is not a complicated task, but it comes up constantly, and many administrators would like to get rid of it. It would be great to simply delegate AD group management, e.g. to the helpdesk or even to the operating departments, since that is where the requirements usually come from anyway.
To delegate AD group management, we need to consider some criteria:
- Concept, what can I delegate
- Secure, delegate relevant groups only
- Deploy, establish technical solution
- Simplify, make sure that the user can use the solution
Manage AD groups with ADUC through Helpdesk
How can group processing be distributed using on-board tools, i.e. Active Directory Users and Computers (ADUC)?
Here is the problem:
The Delegation of Control Wizard in Users and Computers cannot delegate individual group objects; it only works on containers such as domains and OUs. Per-group delegation is simply not what it was designed for.
If we want to delegate the access rights of certain groups, e.g. to a helpdesk, we first have to isolate the groups we want to delegate from everything else.
Put simply, we need an organizational unit (OU), because an OU can be delegated.
Example scenario
For a better understanding, let’s take the example of an IT administrator at the headquarters of a global company. He would like to delegate the administration of all groups to the IT staff at each location. We limit ourselves to Germany as the location here.
In our sample organisation, the IT admin has an OU “Groups” for all authorization groups. Under it, he creates a sub-OU for each location. Each of these sub-OUs contains only that location’s groups, i.e. the ones we want to delegate; here “DE Groups” for all groups related to Germany. Privileged groups (Domain Admins, Account Operators and the like) do not belong in a delegated OU: whoever can edit their membership controls the domain, and for these protected groups AdminSDHolder resets the ACL anyway, so the delegation would not even stick.
With this structure, the IT admin can now delegate DE group management to a helpdesk. The next step is the setup.
Set up the AD Delegation Wizard for group management
In ADUC there is the Active Directory Delegation of Control Wizard, or Delegation Wizard for short. First, the IT admin selects the OU he wants to delegate to the helpdesk, in our example “DE Groups”.
With a right-click on the OU he selects “Delegate Control …” to start the wizard.
Now he decides which rights the helpdesk gets. The wizard offers the two common tasks that are needed here:
- Create, delete, and manage groups
- Modify the membership of a group
Note that the first task grants full control over the group objects in the OU and therefore already includes the second. A helpdesk that should only change memberships, but never create or delete groups, gets the second task alone.
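The same delegation can be scripted, which is useful when there are many location OUs or when the ACL has to be reproducible. The following PowerShell is an added example written for this article, not code from ADUC or from the original page: it grants a helpdesk group the rights the two wizard tasks assign, using the ActiveDirectory module and its AD: drive. The OU distinguished name (OU=DE Groups,OU=Groups,DC=corp,DC=example), the helpdesk group name (DE-Helpdesk) and the function name are assumptions; the two schema GUIDs are the well-known ones for the group class and the member attribute and are identical in every forest.

```powershell
# Added example (not from the article). Grants a helpdesk group the rights that the
# Delegation of Control Wizard assigns for "Create, delete, and manage groups" and
# "Modify the membership of a group". OU DN and group name are assumed for the example.
Import-Module ActiveDirectory

# Schema GUIDs are the same in every AD forest
$GroupClassGuid = [Guid]'bf967a9c-0de6-11d0-a285-00aa003049e2'   # classSchema "group"
$MemberAttrGuid = [Guid]'bf9679c0-0de6-11d0-a285-00aa003049e2'   # attributeSchema "member"

function Grant-GroupOuDelegation {
    param(
        [Parameter(Mandatory)][string]$OU,         # DN of the OU that holds the delegated groups
        [Parameter(Mandatory)][string]$Delegate,   # sAMAccountName of the helpdesk group
        [switch]$MembershipOnly                    # only "Modify the membership of a group"
    )
    $sid   = (Get-ADGroup -Identity $Delegate).SID
    $acl   = Get-Acl -Path "AD:\$OU"
    $allow = [System.Security.AccessControl.AccessControlType]::Allow
    $desc  = [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents

    if ($MembershipOnly) {
        # Least privilege: read/write the 'member' attribute of group objects below the OU, nothing else
        $acl.AddAccessRule([System.DirectoryServices.ActiveDirectoryAccessRule]::new(
            $sid, [System.DirectoryServices.ActiveDirectoryRights]'ReadProperty, WriteProperty',
            $allow, $MemberAttrGuid, $desc, $GroupClassGuid))
    } else {
        # "Create, delete, and manage groups", part 1:
        # create/delete child objects of class group in this OU and its sub-OUs
        $acl.AddAccessRule([System.DirectoryServices.ActiveDirectoryAccessRule]::new(
            $sid, [System.DirectoryServices.ActiveDirectoryRights]'CreateChild, DeleteChild',
            $allow, $GroupClassGuid,
            [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All))
        # part 2: full control over the group objects themselves (this already covers 'member')
        $acl.AddAccessRule([System.DirectoryServices.ActiveDirectoryAccessRule]::new(
            $sid, [System.DirectoryServices.ActiveDirectoryRights]::GenericAll,
            $allow, $desc, $GroupClassGuid))
    }
    Set-Acl -Path "AD:\$OU" -AclObject $acl
}

# Assumed names for the example scenario
$ou = 'OU=DE Groups,OU=Groups,DC=corp,DC=example'
Grant-GroupOuDelegation -OU $ou -Delegate 'DE-Helpdesk'

# Check: show the ACEs that now apply to the delegate on this OU
(Get-Acl -Path "AD:\$ou").Access |
    Where-Object { $_.IdentityReference -like '*\DE-Helpdesk' } |
    Format-Table IdentityReference, ActiveDirectoryRights, ObjectType, InheritedObjectType, InheritanceType
```

Run it as an account that can modify the OU’s security descriptor (a domain admin at headquarters, in the scenario). The final Get-Acl is the check worth keeping: it shows exactly which object types the ACEs are scoped to, which is the part the wizard’s summary page does not display.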
With this solution the IT admin can delegate the management of groups, but only to IT-related staff such as helpdesk personnel. The AD console is not easy to understand for non-IT employees and may be too complex and confusing to work with.
“Normal” employees must first acquire a good knowledge of group concepts and need a training period. There are alternative options for them (e.g. IDM-Portal).
OU-based group management through helpdesk
The helpdesk can now manage the groups in the delegated OU (create, delete, change and add members).
However, usability has some disadvantages for helpdesk users:
- It is confusing, because relevant and irrelevant OUs are both visible (the entire AD tree).
- It is not clear which objects can be edited.
- You only find out by trying to change a group (and getting an error message).
- It is a server tool: ADUC ships with Windows Server, and on a client it needs the RSAT feature, which is available on Windows 10 Pro and Enterprise but not on Windows 10 Home.
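The second and third points can at least be answered up front. The following PowerShell is an added example written for this article, not part of ADUC or of the original page: it walks every OU, reads its ACL and reports where a given delegate group holds rights over group objects (create/delete, full control, or write access to member). The delegate name (DE-Helpdesk) and the function name are assumptions. It reads ACLs only; it does not compute effective permissions, so rights obtained through nested group membership and Deny ACEs are not taken into account.

```powershell
# Added example (not from the article). Lists the OUs in which a delegate group holds
# rights over group objects, so the helpdesk knows where changes will succeed before trying.
# Inherited ACEs are included, so sub-OUs of a delegated OU are reported as well.
Import-Module ActiveDirectory

function Get-DelegatedGroupOU {
    param([Parameter(Mandatory)][string]$Delegate)   # sAMAccountName of the helpdesk group

    $groupClassGuid = [Guid]'bf967a9c-0de6-11d0-a285-00aa003049e2'   # classSchema "group"
    $memberAttrGuid = [Guid]'bf9679c0-0de6-11d0-a285-00aa003049e2'   # attributeSchema "member"
    $any            = [Guid]::Empty                                   # ACE not scoped to a class/attribute
    $createDeleteR  = [System.DirectoryServices.ActiveDirectoryRights]'CreateChild, DeleteChild'
    $fullControlR   = [System.DirectoryServices.ActiveDirectoryRights]::GenericAll
    $writePropR     = [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty

    # Get-Acl reports trustees as DOMAIN\name; translate the delegate once for an exact match
    $account = (Get-ADGroup -Identity $Delegate).SID.Translate([System.Security.Principal.NTAccount]).Value

    foreach ($ou in Get-ADOrganizationalUnit -Filter *) {
        $dn   = $ou.DistinguishedName
        $aces = @((Get-Acl -Path "AD:\$dn").Access | Where-Object {
            $_.AccessControlType -eq 'Allow' -and $_.IdentityReference.Value -eq $account })
        if ($aces.Count -eq 0) { continue }

        $createDelete = $aces | Where-Object {
            (($_.ActiveDirectoryRights -band $createDeleteR) -ne 0) -and
            ($_.ObjectType -eq $groupClassGuid -or $_.ObjectType -eq $any) }
        $fullControl  = $aces | Where-Object {
            (($_.ActiveDirectoryRights -band $fullControlR) -eq $fullControlR) -and
            ($_.InheritedObjectType -eq $groupClassGuid -or $_.InheritedObjectType -eq $any) }
        $writeMember  = $aces | Where-Object {
            (($_.ActiveDirectoryRights -band $writePropR) -ne 0) -and
            ($_.ObjectType -eq $memberAttrGuid -or $_.ObjectType -eq $any) }

        [pscustomobject]@{
            OU           = $dn
            CreateDelete = [bool]$createDelete
            FullControl  = [bool]$fullControl
            WriteMember  = [bool]($writeMember -or $fullControl)   # full control implies write 'member'
        }
    }
}

Get-DelegatedGroupOU -Delegate 'DE-Helpdesk' | Format-Table -AutoSize
```

In the example scenario the output should contain only “OU=DE Groups,…” and any sub-OUs below it. If other OUs show up, the delegation is wider than intended and is worth reviewing, which is also why this kind of listing belongs in a periodic check by headquarters IT and not only in the helpdesk’s toolbox.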
Summary:
With OU-based group delegation, IT administrators save their own time. However, AD administration does not necessarily get faster or better.
Delegate self-updating AD group management
How can delegation be implemented AND increase productivity?
The answer is automating group memberships, which relieves the helpdesk and IT admins alike. But dynamic security groups that add and remove their members themselves must still be configured once, and this configuration can be handed over to the helpdesk or to distributed local IT staff. Keep in mind that the membership rule then becomes the access decision: whoever may edit the rule effectively controls who is in the group.
(see also article: Automating group memberships)
DynamicGroup offers a delegation mode to enable group management for the helpdesk or local IT staff. With DynamicGroup they can manage normal groups and dynamic groups.
This delegation mode is also based on OUs. You set up the “delegation role” natively using the AD Delegation Wizard, the same way as described above. But there are some advantages to doing it with DynamicGroup:
- Delegates only see OUs for which they have group permissions. This improves the overview by hiding groups they cannot manage; the helpdesk only sees the OUs it can manage, in our example the “DE Groups” OU with its groups.
- Dynamic groups can be created with all available functions, but the service itself can only be set up or changed by full administrators.
- Only one permission is required for the delegation: “Create, delete, and manage groups”.
- The DynamicGroup Console can also be installed and used on a normal Windows 10 client.
With dynamic groups, productivity increases thanks to the automation of group memberships.
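To make the mechanism behind a dynamic group concrete, here is a minimal rule-based membership sync as an added example for this article. It is not DynamicGroup’s code and not from the original page: the rule is an LDAP filter, users that match it are added to the group, everything else in the group is removed. The group name (DE-Sales-Fileshare-RW), the search base, the attributes used in the filter (department, c) and the function name are assumptions.

```powershell
# Added example (not from the article, not DynamicGroup's code): reconcile a group's
# membership against an LDAP rule. Run it from a scheduled task under an account that
# holds the delegated rights on the groups' OU; whoever can edit the rule controls access.
Import-Module ActiveDirectory

function Sync-RuleGroup {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$Group,        # target group (assumed name below)
        [Parameter(Mandatory)][string]$LdapFilter,   # the membership rule
        [string]$SearchBase,                         # optional: restrict the rule to one OU
        [switch]$AllowEmpty                          # needed to let a rule remove the last member
    )

    $query = @{ LDAPFilter = $LdapFilter }
    if ($SearchBase) { $query.SearchBase = $SearchBase }

    # Desired members: every user matching the rule, as DNs so the comparison is exact
    $want = @(Get-ADUser @query | ForEach-Object DistinguishedName)
    # Current members: read 'member' directly. Get-ADGroupMember stops at the ADWS
    # default of 5000 entries and would make a large group look smaller than it is.
    $have = @((Get-ADGroup -Identity $Group -Properties member).member)

    # Failure mode to handle: a mistyped rule matches nobody and would silently
    # empty a group that grants access. Refuse unless explicitly allowed.
    if ($want.Count -eq 0 -and $have.Count -gt 0 -and -not $AllowEmpty) {
        throw "Rule for '$Group' matched no users; refusing to remove all $($have.Count) members (use -AllowEmpty)."
    }

    $add    = @($want | Where-Object { $_ -notin $have })
    $remove = @($have | Where-Object { $_ -notin $want })   # includes nested groups: the rule is the only source

    if ($add.Count -gt 0 -and $PSCmdlet.ShouldProcess($Group, "add $($add.Count) member(s)")) {
        Add-ADGroupMember -Identity $Group -Members $add
    }
    if ($remove.Count -gt 0 -and $PSCmdlet.ShouldProcess($Group, "remove $($remove.Count) member(s)")) {
        Remove-ADGroupMember -Identity $Group -Members $remove -Confirm:$false
    }

    [pscustomobject]@{ Group = $Group; Added = $add.Count; Removed = $remove.Count }
}

# Assumed rule: enabled users in department "Sales" in Germany. Preview with -WhatIf first.
Sync-RuleGroup -Group 'DE-Sales-Fileshare-RW' `
    -LdapFilter '(&(objectCategory=person)(objectClass=user)(department=Sales)(c=DE)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))' `
    -SearchBase 'OU=Users,DC=corp,DC=example' -WhatIf
```

The returned object (Added/Removed counts) is what a scheduled run should log. Two things the example shows that a product hides: the rule quality decides who gets access, so attribute hygiene (department, country) becomes a security control, and a rule that matches nobody must not be allowed to drain the group by accident.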
In short:
Headquarters IT as well as local administrators and the helpdesk are relieved thanks to automatic security groups. It may be worthwhile for headquarters IT to delegate the creation and configuration of the dynamic groups to the respective location.
Hand AD groups administration to Non-IT staff
Both options are still not suitable for employees without AD knowledge.
Still, the administration of Active Directory groups can easily be handed over to department heads, even without special IT knowledge.
We, the makers of Active Directory FAQ, have developed the IDM-Portal for this. It is an identity management solution based directly on Active Directory.
The software is specially designed for delegation and self-service. Made with the user in mind, it offers a particularly user-friendly interface.
Example
A typical example of such a delegation is a manager from a specialist department who has to manage certain departmental authorizations.
A departmental role that can process all relevant groups is created.
The specialist department manager will see:
- available groups
- employees who can be managed
- only the information that is relevant and configured
In practice:
We can change group memberships both from a group perspective and from a user perspective.
The manager can now add or remove users to a group – simply by ‘drag & drop’.
IDM-Portal delegation is organized in roles, directly in Active Directory.
Conclusion
Active Directory group management is time-consuming and technically complex. Delegation to the helpdesk or to non-IT employees is difficult or not possible with on-board tools alone, and there is almost no way to automate it. Even when delegating with ADUC, Active Directory administration remains time-consuming; with unfavorable processes and the support the delegates need, it may even take longer than before.
With the help of dynamic groups (e.g. DynamicGroup) or user-friendly interfaces (e.g. IDM-Portal), you can delegate and automate AD group management so that even non-IT employees can work with it.
To learn more about the different ways to simplify AD, please contact us.
FirstAttribute AG – Identity Management & IAM Cloud Services
We would be happy to present our services and solutions to you. Get in touch and find out how we can help you.