Active Roles comes with an extensive suite of predefined Access Templates that facilitate the delegation of various administrative tasks. The key goal for Access Templates is to simplify the management of administration-related permissions. Active Roles does this by abstracting the low-level permissions on directory objects and managing them as a single unit, an Access Template, based on the task that an administrator wants to delegate.
The predefined Access Templates are installed with Active Roles out of the box. These templates allow the Active Roles administrator to delegate the correct level of administrative authority quickly and consistently.
This document provides a comprehensive list of Access Templates that install with Active Roles out of the box.
The predefined Access Templates are grouped by category into the following containers:
These containers are located in the Configuration/Access Templates container. Some of these containers include the Advanced sub-container to hold Access Templates with very granular permission specifications.
The tables below group Access Templates by category, and include the following information on each Access Template:
You can use Access Templates in this category to delegate management tasks on the directory service. Access Templates are grouped by role for delegating service management as follows:
Engineered by Microsoft, these role recommendations take into account well-defined sets of logically related administrative tasks and the security sensitivity and impact of these tasks (see Best Practices for Delegating Active Directory Administration at http://technet.microsoft.com/en-us/library/cc773318.aspx).
The service management-related Access Templates are located in subfolders of the folder Configuration/Access Templates/Active Directory/Best Practices for Delegating Active Directory Administration, with each subfolder containing the Access Templates specific to a certain role.
To implement a given role, you must apply each of the role-specific Access Templates as specified in the description of the Template. For example, to implement the Forest Configuration Operators role for a certain group, you must select the group as a Trustee and then apply the Access Templates held in the Forest Configuration Operators subfolder.
|
IMPORTANT:
|
The following is the set of administrative tasks assigned to this role:
To implement the Forest Configuration Operators role, Active Roles offers the following Access Templates, located in the Forest Configuration Operators Role subfolder of the Access Templates/Active Directory/Best Practices for Delegating Active Directory Administration folder.
Access Template |
Description |
Forest Configuration Operators - Change Domain Master Management |
Permissions:
Apply this Access Template on:
|
Forest Configuration Operators - Computer Object Creation |
Permissions:
Apply this Access Template on:
|
Forest Configuration Operators - Full Control for "Creator Owner" |
Permissions:
Select Creator Owner as Trustee, and apply this Access Template on:
|
Forest Configuration Operators - Full Control on Computer Object |
Permissions:
Apply this Access Template on:
|
Forest Configuration Operators - NTDS Domain Controller Settings Management |
Permissions:
Apply this Access Template on:
|
Forest Configuration Operators - NTDS Site Settings Management |
Permissions:
Apply this Access Template on:
|
Forest Configuration Operators - Query Policies Management |
Permissions:
Write All Properties, applied to Query Policy
<Forest-Root-Domain>/Configuration/Services/Windows NT/Directory Service/Query-Policies |
Forest Configuration Operators - Replication Management |
Permissions:
Apply this Access Template on:
The permissions specified by this Access Template must also be applied on:
You can do this using native AD management tools, such as the ADSI Edit tool. |
Forest Configuration Operators - Server Object Creation |
Permissions:
Apply this Access Template on:
|
Forest Configuration Operators - Site Objects - Read All Properties |
Permissions:
Apply this Access Template on:
|
Forest Configuration Operators - Trust Relationship Management |
Permissions:
Write All Properties, applied to Trusted Domain
<Domain>/System (for every domain in the forest) |
© 2021 One Identity LLC. ALL RIGHTS RESERVED.