Active Roles 7.3.3 - Access Templates Available out of the Box

Introduction

Active Roles (formerly known as ActiveRoles®) comes with an extensive suite of predefined Access Templates that facilitate the delegation of various administrative tasks. The key goal of Access Templates is to simplify the management of administration-related permissions. Active Roles does this by abstracting the low-level permissions on directory objects and managing them as a single unit, an Access Template, based on the task that an administrator wants to delegate.

The predefined Access Templates are installed with Active Roles out of the box. These templates allow the Active Roles administrator to delegate the correct level of administrative authority quickly and consistently.

This document provides a comprehensive list of Access Templates that install with Active Roles out of the box.

Access Templates

The predefined Access Templates are grouped by category into the following containers:

  • Active Directory  Templates to delegate Active Directory service management and Active Directory data management tasks.
  • Azure  Templates to delegate the configuration and management of Azure objects.
  • AD LDS (ADAM)  Templates to delegate data management tasks for Microsoft Active Directory Lightweight Directory Services (AD LDS) - an independent mode of Active Directory formerly known as Active Directory Application Mode (ADAM).
  • Computer Resources  Templates to delegate the management of computer resources, such as printers or network shares.
  • Configuration  Templates to delegate the management of Active Roles configuration objects, such as Policy Objects or Access Templates.
  • Exchange  Templates to delegate the management of Exchange recipients, such as mailbox-enabled users or mail-enabled groups.
  • Skype for Business Server  Templates to delegate the management of Skype for Business Server users or contacts. These templates require the Skype for Business Server user management policies to be applied, as described in the Skype for Business Server User Management Administration Guide for Active Roles.
  • Starling  Templates to delegate the permissions required to perform Starling operations.
  • User Self-management  Templates to delegate self-management tasks to end-users (for instance, allowing end-users to view or change certain properties of their own accounts in the Web Interface).

These containers are located in the Configuration/Access Templates container. Some of these containers include the Advanced sub-container to hold Access Templates with very granular permission specifications.

The tables below group Access Templates by category, and include the following information on each Access Template:

  • Access Template  Access Template name.
  • Description  Tasks that can be delegated with the Access Template.

Active Directory Service Management

You can use Access Templates in this category to delegate management tasks on the directory service. Access Templates are grouped by role for delegating service management as follows:

  • Forest Configuration Operators
  • Domain Configuration Operators
  • Service Admin Managers
  • Replication Management Admins
  • Replication Monitoring Operators

Engineered by Microsoft, these role recommendations take into account well-defined sets of logically related administrative tasks and the security sensitivity and impact of these tasks (see Best Practices for Delegating Active Directory Administration at http://technet.microsoft.com/en-us/library/cc773318.aspx).

The service management-related Access Templates are located in subfolders of the folder Configuration/Access Templates/Active Directory/Best Practices for Delegating Active Directory Administration, with each subfolder containing the Access Templates specific to a certain role.

To implement a given role, you must apply each of the role-specific Access Templates as specified in the description of the Template. For example, to implement the Forest Configuration Operators role for a certain group, you must select the group as a Trustee and then apply the Access Templates held in the Forest Configuration Operators subfolder.

IMPORTANT:

  • When applying service management-related Access Templates, you must select the Propagate permissions to Active Directory check box on the Permissions Propagation page in the Delegation of Control Wizard. This ensures the appropriate permission entries are added to Active Directory.
  • As Active Roles does not provide the ability to apply Access Templates to the Schema container, you should use native tools, such as ADSI Edit, to apply permissions to that container as appropriate. For details, see the descriptions of the Access Templates later in this section.

Forest Configuration Operators

The following is the set of administrative tasks assigned to this role:

  • Create a child domain in an existing domain tree
  • Demote the last domain controller in a child domain
  • Demote the last domain controller in a tree-root domain
  • Raise forest functional level
  • Create all types of trusts for all domains
  • Delete all types of trusts for all domains
  • Change the direction of a trust
  • Enable/disable name suffix routing (for a given suffix) in a forest
  • Reset the trust passwords shared by a trust-pair
  • Force the removal of a trust
  • Enable/disable SID History on an outbound forest trust
  • Enable/disable SID filtering
  • Enable selective authentication on an outbound forest/external trust
  • Enable/disable placing of name suffix (top level names) information on a realm trust
  • Add/remove top-level names from a realm trust
  • Add/remove top-level name exclusions from a realm trust
  • Modify the transitivity of a realm-trust
  • Transfer the domain naming master role
  • Seize the domain naming master role
  • Manage all LDAP query policy related administrative tasks

To implement the Forest Configuration Operators role, Active Roles offers the following Access Templates, located in the Forest Configuration Operators Role subfolder of the Access Templates/Active Directory/Best Practices for Delegating Active Directory Administration folder.

Table 1: Forest Configuration Operators

Access Template

Description

Forest Configuration Operators - Change Domain Master Management

Permissions:

  • Change Domain Master, applied to All Classes
  • Write fSMORoleOwner, applied to All Classes

Apply this Access Template on:

  • <Forest-Root-Domain>/Configuration/Partitions

Forest Configuration Operators - Computer Object Creation

Permissions:

  • Create Computer Objects, applied to All Classes

Apply this Access Template on:

  • <Domain>/Domain Controllers (for every domain in the forest)

Forest Configuration Operators - Full Control for "Creator Owner"

Permissions:

  • Full Control, applied to All Classes

Select Creator Owner as Trustee, and apply this Access Template on:

  • <Forest-Root-Domain>/Configuration/Sites

Forest Configuration Operators - Full Control on Computer Object

Permissions:

  • Full Control, applied to Computer

Apply this Access Template on:

  • Computer object representing the server that is to be promoted to domain controller

Forest Configuration Operators - NTDS Domain Controller Settings Management

Permissions:

  • Write queryPolicyObject, applied to Domain Controller Settings

Apply this Access Template on:

  • <Forest-Root-Domain>/Configuration/Sites/<Site>/Servers/<Domain Controller>/NTDS Settings

Forest Configuration Operators - NTDS Site Settings Management

Permissions:

  • Write queryPolicyObject, applied to Site Settings

Apply this Access Template on:

  • <Forest-Root-Domain>/Configuration/Sites/<Site>/NTDS Site Settings

Forest Configuration Operators - Query Policies Management

Permissions:

  • Create/Delete Query Policy Objects, applied to All Classes
  • Write All Properties, applied to Query Policy

Apply this Access Template on:

  • <Forest-Root-Domain>/Configuration/Services/Windows NT/Directory Service/Query-Policies

Forest Configuration Operators - Replication Management

Permissions:

  • Manage Replication Topology, applied to All Classes
  • Replicating Directory Changes, applied to All Classes
  • Monitor Active Directory Replication, applied to DMD
  • Replicating Directory Changes All, applied to DMD

Apply this Access Template on:

  • <Forest-Root-Domain>/Configuration

The permissions specified by this Access Template must also be applied on:

  • <Forest-Root-Domain>/Configuration/Schema

You can do this using native AD management tools, such as the ADSI Edit tool.
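Because Active Roles cannot apply the Replication Management template to the Schema container, the permissions set there with ADSI Edit are easy to miss in a review. The following PowerShell check is an added example, not part of the Active Roles product or this guide; it assumes the RSAT ActiveDirectory module, a domain-joined account that can read the Schema ACL, and a placeholder trustee name. It resolves the four extended rights named in the template from the forest's own Extended-Rights container and reports whether the trustee holds each of them on the Schema container.

```powershell
# Added example (not from the Active Roles documentation): verify that a trustee holds
# the "Replication Management" extended rights on the Schema container, which the page
# says must be applied with native tools rather than through Active Roles.
Import-Module ActiveDirectory

function Test-SchemaReplicationRights {
    param(
        # Placeholder trustee; replace with the group you delegated the role to.
        [Parameter(Mandatory)] [string] $Trustee
    )
    $rootDse  = Get-ADRootDSE
    $schemaDn = $rootDse.schemaNamingContext          # CN=Schema,CN=Configuration,...
    $configDn = $rootDse.configurationNamingContext

    # Extended rights listed in the template, resolved to GUIDs from this forest
    # instead of hard-coding them.
    $wanted = 'Manage Replication Topology',
              'Replicating Directory Changes',
              'Replicating Directory Changes All',
              'Monitor Active Directory Replication'
    $rights = Get-ADObject -SearchBase "CN=Extended-Rights,$configDn" `
                -LDAPFilter '(objectClass=controlAccessRight)' `
                -Properties displayName, rightsGuid |
              Where-Object { $wanted -contains $_.displayName }

    $acl = Get-Acl -Path "AD:\$schemaDn"
    $sid = ([System.Security.Principal.NTAccount] $Trustee).Translate(
               [System.Security.Principal.SecurityIdentifier])

    foreach ($r in $rights) {
        # An Allow ACE for this SID that grants ExtendedRight, either for this
        # specific right's GUID or for all extended rights (empty ObjectType).
        $match = $acl.Access | Where-Object {
            $_.AccessControlType -eq 'Allow' -and
            $_.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]) -eq $sid -and
            ($_.ActiveDirectoryRights -band [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight) -and
            ($_.ObjectType -eq [guid] $r.rightsGuid -or $_.ObjectType -eq [guid]::Empty)
        }
        [pscustomobject]@{ Right = $r.displayName; Trustee = $Trustee; Present = [bool] $match }
    }
}

# Placeholder trustee name; any row with Present = False still needs the ADSI Edit step.
Test-SchemaReplicationRights -Trustee 'CONTOSO\ForestConfigOps' | Format-Table -AutoSize
```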

Forest Configuration Operators - Server Object Creation

Permissions:

  • Create All Child Objects, applied to All Classes

Apply this Access Template on:

  • <Forest-Root-Domain>/Configuration/Sites/<Site>/Servers

Forest Configuration Operators - Site Objects - Read All Properties

Permissions:

  • Read All Properties, applied to All Classes

Apply this Access Template on:

  • <Forest-Root-Domain>/Configuration/Sites

Forest Configuration Operators - Trust Relationship Management

Permissions:

  • Create/Delete Trusted Domain Objects, applied to All Classes
  • Write All Properties, applied to Trusted Domain

Apply this Access Template on:

  • <Domain>/System (for every domain in the forest)
