Introduction
Active Roles (formerly known as ActiveRoles®) comes with an extensive suite of predefined Access Templates that facilitate the delegation of various administrative tasks. The key goal for Access Templates is to simplify the management of administration-related permissions. Active Roles does this by abstracting the low-level permissions on directory objects and managing them as a single unit—Access Template—based on the task that an administrator wants to delegate.
The predefined Access Templates are installed with Active Roles out of the box. These templates allow the Active Roles administrator to delegate the correct level of administrative authority quickly and consistently.
This document provides a comprehensive list of Access Templates that install with Active Roles out of the box.
Access Templates
The predefined Access Templates are grouped by category into the following containers:
These containers are located in the Configuration/Access Templates container. Some of these containers include the Advanced sub-container to hold Access Templates with very granular permission specifications.
The tables below group Access Templates by category, and include the following information on each Access Template:
- Access Template: the name of the Access Template.
- Description: the tasks that can be delegated with the Access Template.
Active Directory Service Management
You can use Access Templates in this category to delegate management tasks on the directory service. Access Templates are grouped by role for delegating service management as follows:
- Forest Configuration Operators
- Domain Configuration Operators
- Service Admin Managers
- Replication Management Admins
- Replication Monitoring Operators
Engineered by Microsoft, these role recommendations take into account well-defined sets of logically related administrative tasks and the security sensitivity and impact of these tasks (see Best Practices for Delegating Active Directory Administration at http://technet.microsoft.com/en-us/library/cc773318.aspx).
The service management-related Access Templates are located in subfolders of the folder Configuration/Access Templates/Active Directory/Best Practices for Delegating Active Directory Administration, with each subfolder containing the Access Templates specific to a certain role.
To implement a given role, you must apply each of the role-specific Access Templates as specified in the description of the Template. For example, to implement the Forest Configuration Operators role for a certain group, you must select the group as a Trustee and then apply the Access Templates held in the Forest Configuration Operators subfolder.
IMPORTANT:
- When applying service management-related Access Templates, you must select the Propagate permissions to Active Directory check box on the Permissions Propagation page in the Delegation of Control Wizard. This ensures the appropriate permission entries are added to Active Directory.
- As Active Roles does not provide the ability to apply Access Templates to the Schema container, you should use native tools, such as ADSI Edit, to apply permissions to that container as appropriate. For details, see the descriptions of the Access Templates later in this section.
Forest Configuration Operators
The following is the set of administrative tasks assigned to this role:
- Create a child domain in an existing domain tree
- Demote the last domain controller in a child domain
- Demote the last domain controller in a tree-root domain
- Raise forest functional level
- Create all types of trusts for all domains
- Delete all types of trusts for all domains
- Change the direction of a trust
- Enable/disable name suffix routing (for a given suffix) in a forest
- Reset the trust passwords shared by a trust-pair
- Force the removal of a trust
- Enable/disable SID History on an outbound forest trust
- Enable/disable SID filtering
- Enable selective authentication on an outbound forest/external trust
- Enable/disable placing of name suffix (top level names) information on a realm trust
- Add/remove top-level names from a realm trust
- Add/remove top-level name exclusions from a realm trust
- Modify the transitivity of a realm-trust
- Transfer the domain naming master role
- Seize the domain naming master role
- Manage all LDAP query policy related administrative tasks
To implement the Forest Configuration Operators role, Active Roles offers the following Access Templates, located in the Forest Configuration Operators Role subfolder of the Access Templates/Active Directory/Best Practices for Delegating Active Directory Administration folder.
Table 1: Forest Configuration Operators
Forest Configuration Operators - Change Domain Master Management |
Permissions:
- Change Domain Master, applied to All Classes
- Write fSMORoleOwner, applied to All Classes
Apply this Access Template on:
- <Forest-Root-Domain>/Configuration/Partitions
|
Forest Configuration Operators - Computer Object Creation |
Permissions:
- Create Computer Objects, applied to All Classes
Apply this Access Template on:
- <Domain>/Domain Controllers (for every domain in the forest)
|
Forest Configuration Operators - Full Control for "Creator Owner" |
Permissions:
- Full Control, applied to All Classes
Select Creator Owner as Trustee, and apply this Access Template on:
- <Forest-Root-Domain>/Configuration/Sites
|
Forest Configuration Operators - Full Control on Computer Object |
Permissions:
- Full Control, applied to Computer
Apply this Access Template on:
- Computer object representing the server that is to be promoted to domain controller
|
Forest Configuration Operators - NTDS Domain Controller Settings Management |
Permissions:
- Write queryPolicyObject, applied to Domain Controller Settings
Apply this Access Template on:
- <Forest-Root-Domain>/Configuration/Sites/<Site>/Servers/<Domain Controller>/NTDS Settings
|
Forest Configuration Operators - NTDS Site Settings Management |
Permissions:
- Write queryPolicyObject, applied to Site Settings
Apply this Access Template on:
- <Forest-Root-Domain>/Configuration/Sites/<Site>/NTDS Site Settings
|
Forest Configuration Operators - Query Policies Management |
Permissions:
- Create/Delete Query Policy Objects, applied to All Classes
- Write All Properties, applied to Query Policy
Apply this Access Template on:
- <Forest-Root-Domain>/Configuration/Services/Windows NT/Directory Service/Query-Policies
|
Forest Configuration Operators - Replication Management |
Permissions:
- Manage Replication Topology, applied to All Classes
- Replicating Directory Changes, applied to All Classes
- Monitor Active Directory Replication, applied to DMD
- Replicating Directory Changes All, applied to DMD
Apply this Access Template on:
- <Forest-Root-Domain>/Configuration
The permissions specified by this Access Template must also be applied on:
- <Forest-Root-Domain>/Configuration/Schema
You can do this using native AD management tools, such as the ADSI Edit tool. |
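Because the Schema container step has to be done outside Active Roles, it is easy to miss. The following PowerShell audit is an added example, not Active Roles or One Identity code: it resolves the GUIDs of the four replication rights from the Extended-Rights container and reports whether each is granted to the trustee on the Schema container. It assumes the ActiveDirectory module is available and uses a placeholder trustee name.

```powershell
# Added example: audit the Schema container for the rights listed in
# "Forest Configuration Operators - Replication Management".
Import-Module ActiveDirectory

$Trustee = 'CONTOSO\ForestConfigOperators'   # placeholder trustee (assumed)
$RootDSE = Get-ADRootDSE
$SchemaDN = $RootDSE.schemaNamingContext
$ExtendedRightsDN = "CN=Extended-Rights,$($RootDSE.configurationNamingContext)"

# Resolve extended-right GUIDs by display name rather than hardcoding them.
$RequiredRights = @(
    'Manage Replication Topology',
    'Replicating Directory Changes',
    'Replicating Directory Changes All',
    'Monitor Active Directory Replication'
)
$RightGuids = @{}
foreach ($name in $RequiredRights) {
    $right = Get-ADObject -SearchBase $ExtendedRightsDN `
        -LDAPFilter "(displayName=$name)" -Properties rightsGuid
    if (-not $right) { throw "Extended right '$name' not found under $ExtendedRightsDN" }
    $RightGuids[$name] = [guid]$right.rightsGuid
}

# Read the Schema container ACL through the AD: drive and keep only the
# Allow entries for the trustee that carry an extended right.
$acl = Get-Acl -Path "AD:\$SchemaDN"
$granted = $acl.Access | Where-Object {
    $_.IdentityReference.Value -eq $Trustee -and
    $_.AccessControlType -eq 'Allow' -and
    ($_.ActiveDirectoryRights -band [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight)
}

# Report PRESENT/MISSING for each required right on the Schema container.
foreach ($name in $RequiredRights) {
    $present = $granted | Where-Object { $_.ObjectType -eq $RightGuids[$name] }
    $status = if ($present) { 'PRESENT' } else { 'MISSING' }
    '{0,-8} {1}' -f $status, $name
}
```

Run it as an account that can read the Schema container ACL; any MISSING line means the ADSI Edit step for that right has not been completed.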
Forest Configuration Operators - Server Object Creation |
Permissions:
- Create All Child Objects, applied to All Classes
Apply this Access Template on:
- <Forest-Root-Domain>/Configuration/Sites/<Site>/Servers
|
Forest Configuration Operators - Site Objects - Read All Properties |
Permissions:
- Read All Properties, applied to All Classes
Apply this Access Template on:
- <Forest-Root-Domain>/Configuration/Sites
|
Forest Configuration Operators - Trust Relationship Management |
Permissions:
- Create/Delete Trusted Domain Objects, applied to All Classes
- Write All Properties, applied to Trusted Domain
Apply this Access Template on:
- <Domain>/System (for every domain in the forest)
|