Domain Configuration Operators
The following is the set of administrative tasks assigned to this role:
- Create a replica (additional domain controller)
- Remove a replica
- Designate a domain controller as a global catalog
- Un-designate a domain controller as a global catalog
- Rename a domain controller
- Raise domain functional level
- Transfer the RID master role
- Transfer the PDC emulator master role
- Transfer the infrastructure master role
- Seize the RID master role
- Seize the PDC emulator master role
- Seize the infrastructure master role
- Protect and manage the default domain controllers OU
- Protect and manage the content stored in the System container
- Restore Active Directory from backup
To implement the Domain Configuration Operators role, Active Roles offers the following Access Templates, located in the Domain Configuration Operators Role subfolder of the Access Templates/Active Directory/Best Practices for Delegating Active Directory Administration folder.
Table 2: Domain Configuration Operators

Access Template: Domain Configuration Operators - Domain Controllers OU Management
Permissions:
- Full Control, applied to All Classes
Apply this Access Template on:
- <Domain>/Domain Controllers

Access Template: Domain Configuration Operators - Domain Management
Permissions:
- Add/Remove Replica In Domain, applied to All Classes
- Change Infrastructure Master, applied to All Classes
- Change PDC, applied to All Classes
- Write fSMORoleOwner, applied to All Classes
- Write msDS-Behavior-Version, applied to All Classes
Apply this Access Template on:

Access Template: Domain Configuration Operators - Full Control for "Creator Owner"
Permissions:
- Full Control, applied to All Classes
Select Creator Owner as Trustee, and apply this Access Template on:
- <Forest-Root-Domain>/Configuration/Sites

Access Template: Domain Configuration Operators - Full Control on Computer Object
Permissions:
- Full Control, applied to Computer
Apply this Access Template on:
- Computer object representing the server that is to be promoted to domain controller

Access Template: Domain Configuration Operators - Infrastructure Master Management
Permissions:
- Write fSMORoleOwner, applied to All Classes
- Change Infrastructure Master, applied to All Classes
Apply this Access Template on:

Access Template: Domain Configuration Operators - Replication Management
Permissions:
- Manage Replication Topology, applied to All Classes
- Replicating Directory Changes, applied to All Classes
- Monitor Active Directory Replication, applied to DMD
- Replicating Directory Changes All, applied to DMD
Apply this Access Template on:
- <Domain>
- <Forest-Root-Domain>/Configuration
The permissions specified by this Access Template must also be applied on:
- <Forest-Root-Domain>/Configuration/Schema
You can do this using native AD management tools, such as the ADSI Edit tool.

Access Template: Domain Configuration Operators - RID Master Management
Permissions:
- Change Rid Master, applied to All Classes
- Write fSMORoleOwner, applied to All Classes
Apply this Access Template on:
- <Domain>/System/RID Manager$

Access Template: Domain Configuration Operators - Server Object Creation
Permissions:
- Create All Child Objects, applied to All Classes
Apply this Access Template on:
- <Forest-Root-Domain>/Configuration/Sites/<Site>/Servers

Access Template: Domain Configuration Operators - Site Objects - Read All Properties
Permissions:
- Read All Properties, applied to All Classes
Apply this Access Template on:
- <Forest-Root-Domain>/Configuration/Sites

Access Template: Domain Configuration Operators - System Container Management
Permissions:
- Full Control, applied to All Classes
Apply this Access Template on:
Service Admin Managers
The following is the set of administrative tasks assigned to this role:
- Manage and protect all service administrator security groups in the forest
- Manage and protect all service administrator accounts in the forest
To implement the Service Admin Managers role, Active Roles offers the following Access Templates, located in the Service Admin Managers Role subfolder of the Access Templates/Active Directory/Best Practices for Delegating Active Directory Administration folder.
Table 3: Service Admin Managers

Access Template: Service Admin Managers - Admin SD Holder Management
Permissions:
- Full Control, applied to All Classes
Apply this Access Template on:
- <Domain>/System/AdminSDHolder (for every domain in the forest)
Replication Management Admins
The following is the set of administrative tasks assigned to this role:
- Create a site and add a site
- Rename a site
- Specify the location of a site
- Delete a site
- Create a subnet and add a subnet
- Specify the location of a subnet
- Associate a subnet with a site
- Delete a subnet
- Create a site link
- Add or remove sites to and from a site link
- Modify the cost associated with a site link
- Modify the replication period associated with a site link
- Modify the replication schedule for a site link
- Delete a site link
- Create a site link bridge (object)
- Add or remove sites to and from a site link bridge
- Create a single bridge for the entire network
- Turn off the “Bridge all site links” option for IP/SMTP transport
- Delete a site link bridge (object)
- Create a connection (only if needed)
- Delete a connection (only if needed)
- Take ownership of a KCC-generated connection object
- Manually set a schedule for connection objects
- Enable and disable data compression for inter-site replication
- Change the default setting for the intra-site replication schedule within a site
- Designate or remove a preferred bridgehead server
- Replace a failed preferred bridgehead server
- Force replication between two servers
- Force a synchronization between two servers
- Disable automatic topology generation for a site
- Disable automatic topology cleanup for a site
- Disable minimum hops topology for a site
- Disable automatic stale server detection for a site
- Disable automatic inter-site topology generation for a site
- Disable inbound replication on a domain controller
- Disable outbound replication on a domain controller
- Enable reciprocal replication between sites (only for IP transport links)
- Enable change notification between sites (only for IP transport links)
- Force replication topology generation
To implement the Replication Management Admins role, Active Roles offers the following Access Templates, located in the Replication Management Admins Role subfolder of the Access Templates/Active Directory/Best Practices for Delegating Active Directory Administration folder.
Table 4: Replication Management Admins

Access Template: Replication Management Admins - Inter-Site Transports Management
Permissions:
- Create/Delete Site Links Objects, applied to All Classes
- Write All Properties, applied to Site Link
Apply this Access Template on:
- <Forest-Root-Domain>/Configuration/Sites/Inter-Site Transports

Access Template: Replication Management Admins - Replication Topology Management
Permissions:
- Manage Replication Topology, applied to All Classes
Apply this Access Template on:
- <Forest-Root-Domain>/Configuration
- <Domain> (for every domain in the forest, including the forest root domain)
NOTE: The permissions specified by this Access Template must also be applied on:
- <Forest-Root-Domain>/Configuration/Schema
You can do this using native AD management tools, such as the ADSI Edit tool.

Access Template: Replication Management Admins - Site Management
Permissions:
- Write All Properties, applied to All Classes
- Create/Delete Connection Objects, applied to All Classes
- Create/Delete Site Objects, applied to All Classes
Apply this Access Template on:
- <Forest-Root-Domain>/Configuration/Sites

Access Template: Replication Management Admins - Subnet Management
Permissions:
- Create/Delete Subnet Objects, applied to All Classes
- Write All Properties, applied to Subnet
Apply this Access Template on:
- <Forest-Root-Domain>/Configuration/Sites/Subnets
Replication Monitoring Operators
The following is the set of administrative tasks assigned to this role:
- Get replication latency information
- Get pending operations on a domain controller
- Get replication summary information
- Check replication status
To implement the Replication Monitoring Operators role, Active Roles offers the following Access Templates, located in the Replication Monitoring Operators Role subfolder of the Access Templates/Active Directory/Best Practices for Delegating Active Directory Administration folder.
Table 5: Replication Monitoring Operators

Access Template: Replication Monitoring Operators - Windows 2000
This Access Template is to be used in Windows 2000 Active Directory environments.
Permissions:
- Manage Replication Topology, applied to All Classes
Apply this Access Template on:
- <Forest-Root-Domain>/Configuration
- <Domain> (for every domain in the forest, including the forest root domain)
NOTE: The permissions specified by this Access Template must also be applied on:
- <Forest-Root-Domain>/Configuration/Schema
You can do this using native AD management tools, such as the ADSI Edit tool.

Access Template: Replication Monitoring Operators - Windows Server 2003
This Access Template is to be used in Windows Server 2003 Active Directory environments.
Permissions:
- Monitor Active Directory Replication, applied to DMD
Apply this Access Template on:
- <Forest-Root-Domain>/Configuration
- <Domain> (for every domain in the forest, including the forest root domain)
NOTE: The permissions specified by this Access Template must also be applied on:
- <Forest-Root-Domain>/Configuration/Schema
You can do this using native AD management tools, such as the ADSI Edit tool.
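Several of the templates above (Replication Management in Table 2, Replication Topology Management in Table 4, and both templates in Table 5) note that the same extended rights must also be granted on the Schema naming context with native tools, because the Access Template does not reach it. The following PowerShell is an added verification example, not Active Roles code: it resolves each required right's display name to its rightsGuid from the Extended-Rights container and reports whether the delegated group holds it on the Schema NC. It assumes the ActiveDirectory module is loaded and uses a placeholder group name.

```powershell
Import-Module ActiveDirectory

function Test-SchemaNCExtendedRights {
    param(
        [Parameter(Mandatory)][string]$Identity,          # delegated group, e.g. 'CONTOSO\Replication Management Admins' (placeholder)
        [Parameter(Mandatory)][string[]]$RightDisplayName # display names as printed in the Access Template, e.g. 'Manage Replication Topology'
    )
    $rootDse  = Get-ADRootDSE
    $schemaNC = $rootDse.schemaNamingContext
    $configNC = $rootDse.configurationNamingContext

    # Resolve display name -> rightsGuid from CN=Extended-Rights, so no GUID is hard-coded.
    $rights = @{}
    foreach ($name in $RightDisplayName) {
        $cr = Get-ADObject -SearchBase "CN=Extended-Rights,$configNC" `
                -LDAPFilter "(&(objectClass=controlAccessRight)(displayName=$name))" `
                -Properties rightsGuid
        if (-not $cr) { throw "Extended right '$name' not found under Extended-Rights." }
        $rights[$name] = [guid]$cr.rightsGuid
    }

    # Read the Schema NC security descriptor through the AD: drive and normalise the trustee to a SID.
    $acl = Get-Acl -Path "AD:\$schemaNC"
    $sid = (New-Object System.Security.Principal.NTAccount($Identity)).Translate(
               [System.Security.Principal.SecurityIdentifier])

    foreach ($name in $rights.Keys) {
        $guid = $rights[$name]
        $held = $acl.Access | Where-Object {
            $_.AccessControlType -eq 'Allow' -and
            $_.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]) -eq $sid -and
            (($_.ActiveDirectoryRights -band [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight) -ne 0) -and
            ($_.ObjectType -eq $guid -or $_.ObjectType -eq [guid]::Empty)   # Empty GUID = all extended rights
        }
        [pscustomobject]@{ Right = $name; Trustee = $Identity; PresentOnSchemaNC = [bool]$held }
    }
}

# Check what the Table 4 Replication Topology Management template requires on the Schema NC.
Test-SchemaNCExtendedRights -Identity 'CONTOSO\Replication Management Admins' `
    -RightDisplayName 'Manage Replication Topology'
```

Run it again after applying the rights in ADSI Edit; a row with PresentOnSchemaNC equal to False means the Schema NC still lacks the ACE the template calls for.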