
Active Roles 7.2.1 - Access Templates Available out of the Box

Domain Configuration Operators

The following is the set of administrative tasks assigned to this role:

  • Create a replica (additional domain controller)
  • Remove a replica
  • Designate a domain controller as a global catalog
  • Un-designate a domain controller as a global catalog
  • Rename a domain controller
  • Raise domain functional level
  • Transfer the RID master role
  • Transfer the PDC emulator master role
  • Transfer the infrastructure master role
  • Seize the RID master role
  • Seize the PDC emulator master role
  • Seize the infrastructure master role
  • Protect and manage the default domain controllers OU
  • Protect and manage the content stored in the System container
  • Restore Active Directory from backup

To implement the Domain Configuration Operators role, Active Roles offers the following Access Templates, located in the Domain Configuration Operators Role subfolder of the Access Templates/Active Directory/Best Practices for Delegating Active Directory Administration folder.

Table 2: Domain Configuration Operators

Access Template

Description

Domain Configuration Operators - Domain Controllers OU Management

Permissions:

  • Full Control, applied to All Classes

Apply this Access Template on:

  • <Domain>/Domain Controllers

Domain Configuration Operators - Domain Management

Permissions:

  • Add/Remove Replica In Domain, applied to All Classes
  • Change Infrastructure Master, applied to All Classes
  • Change PDC, applied to All Classes
  • Write fSMORoleOwner, applied to All Classes
  • Write msDS-Behavior-Version, applied to All Classes

Apply this Access Template on:

  • <Domain>

Domain Configuration Operators - Full Control for "Creator Owner"

Permissions:

  • Full Control, applied to All Classes

Select Creator Owner as Trustee, and apply this Access Template on:

  • <Forest-Root-Domain>/Configuration/Sites

Domain Configuration Operators - Full Control on Computer Object

Permissions:

  • Full Control, applied to Computer

Apply this Access Template on:

  • Computer object representing the server that is to be promoted to domain controller

Domain Configuration Operators - Infrastructure Master Management

Permissions:

  • Write fSMORoleOwner, applied to All Classes
  • Change Infrastructure Master, applied to All Classes

Apply this Access Template on:

  • <Domain>/Infrastructure

Domain Configuration Operators - Replication Management

Permissions:

  • Manage Replication Topology, applied to All Classes
  • Replicating Directory Changes, applied to All Classes
  • Monitor Active Directory Replication, applied to DMD
  • Replicating Directory Changes All, applied to DMD

Apply this Access Template on:

  • <Domain>
  • <Forest-Root-Domain>/Configuration

The permissions specified by this Access Template must also be applied on:

  • <Forest-Root-Domain>/Configuration/Schema

You can do this using native AD management tools, such as the ADSI Edit tool.

Domain Configuration Operators - RID Master Management

Permissions:

  • Change Rid Master, applied to All Classes
  • Write fSMORoleOwner, applied to All Classes

Apply this Access Template on:

  • <Domain>/System/RID Manager$

Domain Configuration Operators - Server Object Creation

Permissions:

  • Create All Child Objects, applied to All Classes

Apply this Access Template on:

  • <Forest-Root-Domain>/Configuration/Sites/<Site>/Servers

Domain Configuration Operators - Site Objects - Read All Properties

Permissions:

  • Read All Properties, applied to All Classes

Apply this Access Template on:

  • <Forest-Root-Domain>/Configuration/Sites

Domain Configuration Operators - System Container Management

Permissions:

  • Full Control, applied to All Classes

Apply this Access Template on:

  • <Domain>/System
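
The Replication Management template above grants Replicating Directory Changes and Replicating Directory Changes All, and its permissions must be present on the domain, Configuration and Schema naming contexts. The following PowerShell is an added example, not part of the Active Roles documentation: it reads the native AD ACLs (it assumes the ActiveDirectory RSAT module and read access to the directory) and lists every trustee holding a replication-related extended right on each of those three locations, so the delegation can be reviewed after it is applied.

```powershell
# Added example: report trustees holding replication extended rights in native AD ACLs.
# Assumes the ActiveDirectory module (RSAT); run once per domain in the forest.
Import-Module ActiveDirectory

# rightsGuid values of the control access rights named in the templates.
# The all-zero GUID means the ACE is not limited to one right (all extended
# rights, or Full Control), which implies the replication rights as well.
$rights = @{
    '1131f6aa-9c07-11d1-f79f-00c04fc2dcd2' = 'Replicating Directory Changes'
    '1131f6ad-9c07-11d1-f79f-00c04fc2dcd2' = 'Replicating Directory Changes All'
    '1131f6ac-9c07-11d1-f79f-00c04fc2dcd2' = 'Manage Replication Topology'
    'f98340fb-7c5b-4cdb-a00b-2ebdfa115a96' = 'Monitor Active Directory Replication'
    '00000000-0000-0000-0000-000000000000' = 'All extended rights / Full Control'
}

$root = Get-ADRootDSE
$namingContexts = @(
    $root.defaultNamingContext        # <Domain>
    $root.configurationNamingContext  # <Forest-Root-Domain>/Configuration
    $root.schemaNamingContext         # <Forest-Root-Domain>/Configuration/Schema
)

$report = foreach ($nc in $namingContexts) {
    $acl = Get-Acl -Path "AD:\$nc"
    foreach ($ace in $acl.Access) {
        $guid = $ace.ObjectType.ToString()
        # GenericAll includes the ExtendedRight bit, so Full Control ACEs match too.
        $hasExtendedRight = $ace.ActiveDirectoryRights -band
            [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight
        if ($ace.AccessControlType -eq 'Allow' -and $hasExtendedRight -and
            $rights.ContainsKey($guid)) {
            [pscustomobject]@{
                NamingContext = $nc
                Trustee       = $ace.IdentityReference.Value
                Right         = $rights[$guid]
                Inherited     = $ace.IsInherited
            }
        }
    }
}

# Any trustee with 'Replicating Directory Changes All' can read password
# hashes through replication; expect only DCs and the delegated role group.
$report | Sort-Object Right, NamingContext, Trustee | Format-Table -AutoSize
```

A trustee that appears on the domain and Configuration rows but not on the Schema row indicates that the additional Schema step described for this template was not carried out.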

Service Admin Managers

The following is the set of administrative tasks assigned to this role:

  • Manage and protect all service administrator security groups in the forest
  • Manage and protect all service administrator accounts in the forest

To implement the Service Admin Managers role, Active Roles offers the following Access Templates, located in the Service Admin Managers Role subfolder of the Access Templates/Active Directory/Best Practices for Delegating Active Directory Administration folder.

Table 3: Service Admin Managers

Access Template

Description

Service Admin Managers - Admin SD Holder Management

Permissions:

  • Full Control, applied to All Classes

Apply this Access Template on:

  • <Domain>/System/AdminSDHolder (for every domain in the forest)

Replication Management Admins

The following is the set of administrative tasks assigned to this role:

  • Create a site and add a site
  • Rename a site
  • Specify the location of a site
  • Delete a site
  • Create a subnet and add a subnet
  • Specify the location of a subnet
  • Associate a subnet with a site
  • Delete a subnet
  • Create a site link
  • Add or remove sites to and from a site link
  • Modify the cost associated with a site link
  • Modify the replication period associated with a site link
  • Modify the replication schedule for a site link
  • Delete a site link
  • Create a site link bridge (object)
  • Add or remove sites to and from a site link bridge
  • Create a single bridge for the entire network
  • Turn off the “Bridge all site links” option for IP/SMTP transport
  • Delete a site link bridge (object)
  • Create a connection (only if needed)
  • Delete a connection (only if needed)
  • Take ownership of a KCC-generated connection object
  • Manually set a schedule for connection objects
  • Enable and disable data compression for inter-site replication
  • Change the default setting for the intra-site replication schedule within a site
  • Designate or remove a preferred bridgehead server
  • Replace a failed preferred bridgehead server
  • Force replication between two servers
  • Force a synchronization between two servers
  • Disable automatic topology generation for a site
  • Disable automatic topology cleanup for a site
  • Disable minimum hops topology for a site
  • Disable automatic stale server detection for a site
  • Disable automatic inter-site topology generation for a site
  • Disable inbound replication on a domain controller
  • Disable outbound replication on a domain controller
  • Enable reciprocal replication between sites (only for IP transport links)
  • Enable change notification between sites (only for IP transport links)
  • Force replication topology generation

To implement the Replication Management Admins role, Active Roles offers the following Access Templates, located in the Replication Management Admins Role subfolder of the Access Templates/Active Directory/Best Practices for Delegating Active Directory Administration folder.

Table 4: Replication Management Admins

Access Template

Description

Replication Management Admins - Inter-Site Transports Management

Permissions:

  • Create/Delete Site Links Objects, applied to All Classes
  • Write All Properties, applied to Site Link

Apply this Access Template on:

  • <Forest-Root-Domain>/Configuration/Sites/Inter-Site Transports

Replication Management Admins - Replication Topology Management

Permissions:

  • Manage Replication Topology, applied to All Classes

Apply this Access Template on:

  • <Forest-Root-Domain>/Configuration
  • <Domain> (for every domain in the forest, including the forest root domain)

NOTE: The permissions specified by this Access Template must also be applied on:

  • <Forest-Root-Domain>/Configuration/Schema

You can do this using native AD management tools, such as the ADSI Edit tool.

Replication Management Admins - Site Management

Permissions:

  • Write All Properties, applied to All Classes
  • Create/Delete Connection Objects, applied to All Classes
  • Create/Delete Site Objects, applied to All Classes

Apply this Access Template on:

  • <Forest-Root-Domain>/Configuration/Sites

Replication Management Admins - Subnet Management

Permissions:

  • Create/Delete Subnet Objects, applied to All Classes
  • Write All Properties, applied to Subnet

Apply this Access Template on:

  • <Forest-Root-Domain>/Configuration/Sites/Subnets

Replication Monitoring Operators

The following is the set of administrative tasks assigned to this role:

  • Get replication latency information
  • Get pending operations on a domain controller
  • Get replication summary information
  • Check replication status

To implement the Replication Monitoring Operators role, Active Roles offers the following Access Templates, located in the Replication Monitoring Operators Role subfolder of the Access Templates/Active Directory/Best Practices for Delegating Active Directory Administration folder.

Table 5: Replication Monitoring Operators

Access Template

Description

Replication Monitoring Operators - Windows 2000

This Access Template is to be used in Windows 2000 Active Directory environments.

Permissions:

  • Manage Replication Topology, applied to All Classes

Apply this Access Template on:

  • <Forest-Root-Domain>/Configuration
  • <Domain> (for every domain in the forest, including the forest root domain)

NOTE: The permissions specified by this Access Template must also be applied on:

  • <Forest-Root-Domain>/Configuration/Schema

You can do this using native AD management tools, such as the ADSI Edit tool.

Replication Monitoring Operators - Windows Server 2003

This Access Template is to be used in Windows Server 2003 Active Directory environments.

Permissions:

  • Monitor Active Directory Replication, applied to DMD

Apply this Access Template on:

  • <Forest-Root-Domain>/Configuration
  • <Domain> (for every domain in the forest, including the forest root domain)

NOTE: The permissions specified by this Access Template must also be applied on:

  • <Forest-Root-Domain>/Configuration/Schema

You can do this using native AD management tools, such as the ADSI Edit tool.
