
Active Roles 8.2.1 - Built-in Access Templates Reference Guide

Active Directory – Forest Configuration Operators Role ATs

To delegate forest configuration duties to operators within your organization, use the Access Templates (ATs) available under the Configuration > Access Templates > Active Directory > Best Practices for Delegating Active Directory Administration > Forest Configuration Operators Role container of the Active Roles Console.

Forest configuration operators typically perform the following duties in an Active Directory (AD) organization:

  • Add or remove top-level names and top-level name exclusions from a realm trust.

  • Enable or disable placing name suffix (that is, top-level name) information on a realm trust.

  • Modify the transitivity of a realm trust.

  • Change trust direction.

  • Create or delete trusts for all domains.

  • Force the removal of a trust.

  • Reset the trust passwords shared by a trust-pair.

  • Create child domains in an existing domain tree.

  • Demote the last Domain Controller (DC) in a child domain or forest-root domain.

  • Transfer or seize the domain naming master role.

  • Enable or disable name suffix routing for a specific suffix in a forest.

  • Enable or disable Security Identifier (SID) history on outbound forest trusts.

  • Enable or disable SID filtering.

  • Enable selective authentication on an outbound forest or external trust.

  • Raise the forest functional level.

  • Manage all LDAP query policy-related administrative tasks.

Table 5: Active Directory – Best Practices for Delegating Active Directory Administration: Forest Configuration Operators Role Access Templates

Access Template

Description

Forest Configuration Operators - Change Domain Master Management

Grants the following permissions, applied to all classes:

  • Modify the domain master.

  • Write the fSMORoleOwner attribute.

To delegate this AT, select the trustee(s), then apply it to the domain partitions container of your AD environment:

<forest-root-domain> > Configuration > Partitions

Forest Configuration Operators - Change Schema Master Management

Grants permission to modify the schema master.

To delegate this AT, select the trustee(s), then apply it to the domain schema container of your AD environment:

<forest-root-domain> > Configuration > Schema

IMPORTANT: When configuring this AT, always select the Propagate permissions to Active Directory option in the Permissions Propagation step of the Delegation of Control Wizard.

Figure 3: Delegation of Control Wizard – Permissions propagation

For more information on how to configure ATs for resource objects in your organization with the Active Roles Console, see Applying Access Templates in the Active Roles Administration Guide.

Forest Configuration Operators - Computer Object Creation

Grants permission to create computer objects in the forest, applied to all classes.

To delegate this AT, select the trustee(s), then apply it to the Domain Controllers container of your AD environment:

<domain> > Domain Controllers

This will apply the AT to every domain in your forest.

Forest Configuration Operators - Full Control for "Creator Owner"

Grants full permission to the Creator Owner role in your forest environment, applied to all classes.

To delegate this AT, select the trustee(s) you want to assign as Creator Owner(s), then apply the AT to the site configuration container:

<forest-root-domain> > Configuration > Sites

Forest Configuration Operators - Full Control on Computer Object

Grants full permission to perform domain configuration tasks on all computer objects.

To delegate this AT, select the trustee(s), then apply the AT on the computer object that will be promoted to Domain Controller (DC).

Forest Configuration Operators - NTDS Domain Controller Settings Management

Grants permission to write the queryPolicyObject attribute, applied to the NT Directory Services (NTDS) Settings object of the DC.

To delegate this AT, select the trustee(s), then apply it to the DC NTDS settings container of your AD environment:

<forest-root-domain> > Configuration > Sites > <site> > Servers > <domain-controller> > NTDS Settings

Forest Configuration Operators - NTDS Site Settings Management

Grants permission to write the queryPolicyObject attribute, applied to the NTDS site settings.

To delegate this AT, select the trustee(s), then apply it to the site NTDS settings container of your AD environment:

<forest-root-domain> > Configuration > Sites > <site> > NTDS Site Settings

Forest Configuration Operators - Query Policies Management

Grants the following permissions:

  • Create or delete Query Policy Objects, applied to all classes.

  • Write all properties of Query Policies.

To delegate this AT, select the trustee(s), then apply it to the site NTDS query policies container of your AD environment:

<forest-root-domain> > Configuration > Services > Windows NT > Directory Service > Query-Policies

Forest Configuration Operators - Replication Management

Grants the following forest-level configuration permissions:

  • Manage the replication topology, applied to all classes.
  • Replicate directory changes, applied to all classes.
  • Monitor AD replication, applied to the Directory Management Domain (DMD).
  • Replicate all directory changes, applied to the DMD.

To delegate this AT, select the trustee(s), then apply the AT to the following AD container:

<forest-root-domain> > Configuration

NOTE: You must also apply the permissions specified by this AT to the AD Schema container, which is located here:

<forest-root-domain> > Configuration > Schema

To apply the permissions to the Schema container, use native AD management tools, such as ADSI Edit.
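Because the Schema container is applied outside Active Roles, it helps to confirm afterwards that the permissions actually landed where the AT descriptions in this guide say they should (Configuration, Schema and Partitions). The following script is an added example, not part of the Active Roles guide or product; it uses the Windows ActiveDirectory PowerShell module (an alternative to ADSI Edit) and lists every ACE a given trustee holds on those containers, translating the replication extended rights into their schema names. The trustee name `CONTOSO\Forest Config Ops` is a constructed placeholder; the extended-right GUIDs are the well-known values from the AD schema, and the comment shows how to verify them in your own forest.

```powershell
# Added example (not from the Active Roles guide): list the ACEs a trustee holds
# on the forest Configuration, Schema and Partitions containers so you can
# confirm an Access Template was propagated to AD, including the Schema
# container that has to be handled with native tools.
# Assumes the ActiveDirectory module and read access to the container ACLs.
Import-Module ActiveDirectory

# Extended-right GUIDs for the replication rights the "Replication Management"
# AT grants. Verify them in your forest with:
#   Get-ADObject -SearchBase "CN=Extended-Rights,$((Get-ADRootDSE).configurationNamingContext)" `
#       -LDAPFilter '(displayName=DS-Replication-*)' -Properties rightsGuid
$ReplicationRights = @{
    '1131f6aa-9c07-11d1-f79f-00c04fc2dcd2' = 'DS-Replication-Get-Changes'
    '1131f6ad-9c07-11d1-f79f-00c04fc2dcd2' = 'DS-Replication-Get-Changes-All'
    '1131f6ac-9c07-11d1-f79f-00c04fc2dcd2' = 'DS-Replication-Manage-Topology'
    'f98340fb-7c5b-4cdb-a00b-2ebdfa115a96' = 'DS-Replication-Monitor-Topology'
    '1131f6ab-9c07-11d1-f79f-00c04fc2dcd2' = 'DS-Replication-Synchronize'
}

function Get-DelegatedAce {
    param(
        # Trustee exactly as it appears in the ACL, e.g. 'CONTOSO\Forest Config Ops' (constructed name)
        [Parameter(Mandatory)][string]$Trustee,
        # Distinguished names of the containers to inspect
        [Parameter(Mandatory)][string[]]$Path
    )
    foreach ($dn in $Path) {
        $acl = Get-Acl -Path "AD:\$dn"
        foreach ($ace in $acl.Access) {
            if ($ace.IdentityReference.Value -ne $Trustee) { continue }
            # ObjectType is the extended-right GUID for control-access ACEs and
            # Guid.Empty for ordinary property/child-object rights.
            $guid  = $ace.ObjectType.ToString()
            $right = if ($ReplicationRights.ContainsKey($guid)) { $ReplicationRights[$guid] }
                     else { $ace.ActiveDirectoryRights.ToString() }
            [pscustomobject]@{
                Container   = $dn
                Trustee     = $ace.IdentityReference.Value
                Right       = $right
                Type        = $ace.AccessControlType
                Inherited   = $ace.IsInherited
                Inheritance = $ace.InheritanceType
            }
        }
    }
}

# Defensive companion check: who holds the replication rights at all, on any of
# the containers? Anything outside your delegated group and the built-in DC
# principals should be explained, because these rights read directory secrets.
function Get-ReplicationRightHolder {
    param([Parameter(Mandatory)][string[]]$Path)
    foreach ($dn in $Path) {
        (Get-Acl -Path "AD:\$dn").Access |
            Where-Object { $ReplicationRights.ContainsKey($_.ObjectType.ToString()) } |
            ForEach-Object {
                [pscustomobject]@{
                    Container = $dn
                    Trustee   = $_.IdentityReference.Value
                    Right     = $ReplicationRights[$_.ObjectType.ToString()]
                    Type      = $_.AccessControlType
                }
            }
    }
}

$rootDse    = Get-ADRootDSE
$containers = @(
    $rootDse.configurationNamingContext
    $rootDse.schemaNamingContext
    "CN=Partitions,$($rootDse.configurationNamingContext)"
)

Get-DelegatedAce -Trustee 'CONTOSO\Forest Config Ops' -Path $containers | Format-Table -AutoSize
Get-ReplicationRightHolder -Path $containers | Sort-Object Container, Trustee | Format-Table -AutoSize
```

Run it once before and once after the Delegation of Control Wizard finishes: the first listing should show the AT's ACEs appearing on Configuration and Partitions, and only on Schema after you have added them with ADSI Edit or a similar tool. The second listing is the one to keep in a scheduled job, since a new trustee with DS-Replication-Get-Changes-All is a change worth an alert regardless of how it got there.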

Forest Configuration Operators - Server Object Creation

Grants permission to create all server child objects in the forest, applied to all classes.

To delegate this AT, select the trustee(s), then apply the AT to the AD server configuration container:

<forest-root-domain> > Configuration > Sites > <site> > Servers

Forest Configuration Operators - Site Objects - Read All Properties

Grants permission to read all site objects in the forest, applied to all classes.

To delegate this AT, select the trustee(s), then apply the AT to the AD site configuration container:

<forest-root-domain> > Configuration > Sites

Forest Configuration Operators - Trust Relationship Management

Grants the following permissions:

  • Create or delete Trusted Domain objects, applied to all classes.

  • Write all properties of Trusted Domains.

To delegate this AT, select the trustee(s), then apply it to the domain system container of every domain in your forest:

<domain> > System

Active Directory – Replication Management Admins Role ATs

To delegate replication management duties to administrators within your organization, use the Access Templates (ATs) available under the Configuration > Access Templates > Active Directory > Best Practices for Delegating Active Directory Administration > Replication Management Admins Role container of the Active Roles Console.

Replication management administrators typically perform the following duties in an Active Directory (AD) organization:

  • Create, add, rename, or delete sites.

  • Specify the location of a site.

  • Create, add, or delete subnets.

  • Specify the location of a subnet.

  • Associate a subnet with a site.

  • Create or delete site links.

  • Add or remove sites to or from a site link.

  • Modify the cost, replication period or replication schedule associated with a site link.

  • Create or delete a site link bridge (object).

  • Add or remove sites to or from a site link bridge.

  • Create a single bridge for the entire network.

  • Turn off the Bridge all site links option for IP/SMTP transport.

  • Create or delete connections on demand.

  • Take ownership of a Knowledge Consistency Checker (KCC) generated connection object.

  • Manually set a schedule for connection objects.

  • Enable or disable data compression for inter-site replication.

  • Change the default setting for the intra-site replication schedule within a site.

  • Designate or dismiss a preferred bridgehead server.

  • Replace a failed preferred bridgehead server.

  • Force replication or synchronization between two servers.

  • Disable automatic topology generation or automatic cleanup for a site.

  • Disable minimum hops topology for a site.

  • Disable automatic stale server detection or automatic inter-site topology generation for a site.

  • Disable inbound or outbound replication on a Domain Controller (DC).

  • Enable reciprocal replication or change notification between sites (only for IP transport links).

  • Force replication topology generation.

Table 6: Active Directory – Best Practices for Delegating Active Directory Administration: Replication Management Admins Role Access Templates

Access Template

Description

Replication Management Admins - Inter-Site Transports Management

Grants the following permissions:

  • Create or delete Site Link objects, applied to all classes.

  • Write all properties of Site Links.

To delegate this AT, select the trustee(s), then apply it to the inter-site transport container of the forest root domain:

<forest-root-domain> > Configuration > Sites > Inter-Site Transports

Replication Management Admins - Replication Topology Management

Grants permission to manage replication topology, applied to all classes.

To delegate this AT, select the trustee(s), then apply it to the following AD containers:

  • <forest-root-domain> > Configuration
  • Every domain in the forest, including the forest root domain.

NOTE: You must also apply the permissions specified by this AT to the AD Schema container, which is located here:

<forest-root-domain> > Configuration > Schema

To apply the permissions to the Schema container, use native AD management tools, such as ADSI Edit.

Replication Management Admins - Site Management

Grants the following permissions, applied to all classes:

  • Write all site properties.

  • Create or delete connection objects.

  • Create or delete site objects.

To delegate this AT, select the trustee(s), then apply it to the site configuration container of the forest root domain:

<forest-root-domain> > Configuration > Sites

Replication Management Admins - Subnet Management

Grants the following permissions:

  • Create or delete subnet objects, applied to all classes.

  • Write all subnet object properties.

To delegate this AT, select the trustee(s), then apply it to the subnet configuration container of the forest root domain:

<forest-root-domain> > Configuration > Sites > Subnets

Active Directory – Replication Monitoring Operators Role ATs

To delegate replication monitoring duties to operators within your organization, use the Access Templates (ATs) available under the Configuration > Access Templates > Active Directory > Best Practices for Delegating Active Directory Administration > Replication Monitoring Operators Role container of the Active Roles Console.

Replication monitoring operators typically perform the following duties in an Active Directory (AD) organization:

  • Check replication status.

  • Get replication latency and summary information.

  • Get the pending operations on a Domain Controller (DC).

Table 7: Active Directory – Best Practices for Delegating Active Directory Administration: Replication Monitoring Operators Role Access Templates

Access Template

Description

Replication Monitoring Operators - Windows 2000

Grants permission to manage replication topology, applied to all classes.

NOTE: Use this AT to configure replication monitoring in Windows 2000 AD environments.

To delegate this AT, select the trustee(s), then apply it to the following AD containers:

  • <forest-root-domain> > Configuration
  • Every domain in the forest, including the forest root domain.

NOTE: You must also apply the permissions specified by this AT to the AD Schema container, which is located here:

<forest-root-domain> > Configuration > Schema

To apply the permissions to the Schema container, use native AD management tools, such as ADSI Edit.

Replication Monitoring Operators - Windows Server 2003

Grants permission to monitor AD replication, applied to the Directory Management Domain (DMD).

NOTE: Use this AT to configure replication monitoring in Windows Server 2003 Active Directory environments.

To delegate this AT, select the trustee(s), then apply it to the following AD containers:

  • <forest-root-domain> > Configuration
  • Every domain in the forest, including the forest root domain.

NOTE: You must also apply the permissions specified by this AT to the AD Schema container, which is located here:

<forest-root-domain> > Configuration > Schema

To apply the permissions to the Schema container, use native AD management tools, such as ADSI Edit.

Active Directory – Service Admin Managers Role ATs

To delegate service administrator duties within your organization, use the Access Templates (ATs) available under the Configuration > Access Templates > Active Directory > Best Practices for Delegating Active Directory Administration > Service Admin Managers Role container of the Active Roles Console.

Service administrators typically manage and protect the following resources in a forest:

  • All service administrator security groups.
  • All service administrator accounts.

Table 8: Active Directory – Best Practices for Delegating Active Directory Administration: Service Admin Managers Role Access Templates

Access Template

Description

Service Admin Managers - Admin SD Holder Management

Grants full service administrator permissions, applied to all classes.

To delegate this AT, select the trustee(s), then apply it to the AdminSDHolder container of every domain in your forest:

<domain> > System > AdminSDHolder
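Full control on AdminSDHolder is one of the most consequential delegations in this guide, because the SDProp process copies that object's ACL onto every protected account and group in the domain. The script below is an added example, not code from the Active Roles guide or product; it uses the Windows ActiveDirectory PowerShell module to read the AdminSDHolder ACL in every domain of the forest and flags trustees that are neither Windows defaults nor the group you delegated this AT to. The group name `CONTOSO\Service Admin Managers` and the baseline list of default trustees are assumptions you should replace with a dump taken from your own forest.

```powershell
# Added example (not from the Active Roles guide): audit the AdminSDHolder ACL
# in every domain of the forest and report ACEs held by unexpected trustees.
# Assumes the ActiveDirectory module; the delegated group name and the baseline
# of default trustees below are assumptions to adjust for your environment.
Import-Module ActiveDirectory

# Trustees you expect on AdminSDHolder (assumed baseline): well-known Windows
# principals plus the group the "Admin SD Holder Management" AT was delegated to.
$ExpectedTrustees = @(
    'NT AUTHORITY\SYSTEM'
    'NT AUTHORITY\SELF'
    'NT AUTHORITY\Authenticated Users'
    'BUILTIN\Administrators'
    'BUILTIN\Pre-Windows 2000 Compatible Access'
    'BUILTIN\Terminal Server License Servers'
    'BUILTIN\Windows Authorization Access Group'
    'Everyone'
    'CONTOSO\Service Admin Managers'   # constructed name of the delegated group
)

# Domain-qualified default groups, matched by name suffix so the check works in
# every domain of the forest without hard-coding each NetBIOS name.
$DefaultDomainGroups = '\\(Domain Admins|Enterprise Admins|Domain Controllers|' +
                       'Enterprise Domain Controllers|Cert Publishers|RAS and IAS Servers)$'

function Get-AdminSDHolderAudit {
    param([string[]]$Expected = $ExpectedTrustees)
    $forest = Get-ADForest
    foreach ($domain in $forest.Domains) {
        $domainDn = (Get-ADDomain -Identity $domain).DistinguishedName
        $dn = "CN=AdminSDHolder,CN=System,$domainDn"
        # Read the security descriptor from a DC of *this* domain rather than
        # through the AD: drive, which is bound to the current domain only.
        $obj = Get-ADObject -Identity $dn -Server $domain -Properties nTSecurityDescriptor
        foreach ($ace in $obj.nTSecurityDescriptor.Access) {
            $who = $ace.IdentityReference.Value
            $isExpected = ($Expected -contains $who) -or
                          ($who -match $DefaultDomainGroups)
            [pscustomobject]@{
                Domain     = $domain
                Trustee    = $who
                Rights     = $ace.ActiveDirectoryRights
                ObjectType = $ace.ObjectType
                Type       = $ace.AccessControlType
                Unexpected = -not $isExpected
            }
        }
    }
}

# Full listing for the record, then only the ACEs that need a human to look at them.
$audit = Get-AdminSDHolderAudit
$audit | Format-Table Domain, Trustee, Rights, Type -AutoSize
$audit | Where-Object Unexpected | Format-Table Domain, Trustee, Rights, Type -AutoSize
```

Take the first run as your baseline and reconcile every row against the trustees you actually delegated; from then on, any new row in the "Unexpected" output means someone changed an ACL that will be stamped onto Domain Admins, Enterprise Admins and every other protected principal within the hour, which is the kind of change you want surfaced by a scheduled job rather than discovered during an incident.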
