Hi, I'm Rob Tovar, a Solutions Architect with Dell Software. And in this short demo, I'll show you how to delegate Active Directory access using ActiveRoles Server, the simple, efficient tool for protecting critical Active Directory data, eliminating unregulated access to Active Directory resources and automating Active Directory account creation.
With ActiveRoles Server you can develop your administration and security design. You can define delegated administrators or trustees and administrative roles or access templates. This three-way relationship between trustees, access templates, and managed objects is central to the implementation of your role-based administration model.
So here's the scenario. I want to give Joe Admin full access to a single OU and all child objects of that OU. I don't want him to be able to see or access any other objects in the environment.
I'm currently logged in as the administrator. And as you can see, this account has some type of access to all objects in both domains.
This particular account has the rights to delegate access. I'm going to show you how you can easily delegate access to an OU and a managed unit. I'll start off with the OU. I'll be switching back and forth between the ARS server and a workstation to show the user experience.
I'm going to right-click on the Chicago OU and select the Delegate Control option. I will then click on the Add button, start the wizard, and click on Next.
Here I'm going to specifically give access to Joe Admin. I will then select the access template that will give him the level of access that I'm interested in. In this case, I will select the All Objects Full Control.
Here I have the option to select this directory object and/or all child objects of this directory object. I have the option to propagate permissions to Active Directory. I will bypass that for now and finish the wizard.
I will now go to the workstation where I have Joe Admin logged in. Since I've just delegated access to that specific Chicago OU, I'm going to click on the Refresh button, and we will see the Chicago OU up here.
Notice that I have access to the Chicago OU but nothing else. I can't even see other OUs that are contained within that domain. Since Joe Admin has full access to the Chicago OU, he can now perform his day-to-day duties, like create accounts, create groups, modify them, reset passwords, so forth and so on.
I will now explain what the managed unit is and how it can be used to delegate access. In Active Directory, without changing the directory structure, it's impossible to regroup objects and delegate control or enforce policy.
As a solution to this inflexible OU-based structure, Quest One ActiveRoles provides the facility to configure administrative views that meet any directory management need. The administrative views, or managed units as we like to call them, allow distributed administration to be independent of the OU hierarchy.
I want to start by creating a managed unit. In this scenario, I'm going to create a managed unit that contains all service accounts. In this environment, I have two domains. And I want to combine all service accounts into a single managed unit.
We'll start by right-clicking on the managed unit node here and clicking on Managed Unit. We'll call this Service Accounts. I will then add the membership rule. Notice that we have several options as far as rules go. But I'm going to stick with the Include by Query.
Here I'll plug in the criteria that will get me a list of accounts I'm interested in. I know that my service accounts all start with SRVC. So I'll select the sAMAccountName and plug in the condition here, which says "Starts with," and then plug in SRVC. I'm going to select this as a rule, hit Next, Next, Finish, and I am done with my managed unit. Now let's take a look.
Notice here that I have a list of service accounts. And specifically here, I have some service accounts that belong to the TEST.COM domain and some that belong to my other domain.
Also notice here that they are contained in different domains, different OUs. And based on this managed unit, I can now delegate control to the managed unit, which will allow my group or user to manage all service accounts from a central location, without having to restructure or move objects.
So just as before, we'll give Joe Admin rights to this managed unit. And we'll give him full control once again.
Notice that there's a list of access templates out of the box with ActiveRoles. We can use one of the out-of-the-box access templates or create our own custom template. In this case, I'll make it easy and just select the All Objects Full Control.
And, in this case, I'll leave it as is. I won't propagate permissions to Active Directory. Click Next, Finish, OK.
So let's go back to Joe Admin's workstation and look for our managed unit. As you can see here, the Service Accounts managed unit is now here. And Joe Admin can now manage this specific managed unit without having access to any other OU.
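The two delegations shown in the demo (an OU subtree, then a query-based managed unit) can be modelled as a small scope calculation. The following is an added example, not part of the transcript or of ActiveRoles Server's code; the directory entries, domain names and the "joe" trustee are constructed, and the access template is treated as an opaque label.

```python
# Added example: model the trustee / access template / managed object
# relationship and compute what a trustee can see after delegation.
from dataclasses import dataclass


@dataclass(frozen=True)
class DirObject:
    dn: str   # distinguished name, e.g. "CN=alice,OU=Chicago,DC=corp,DC=local"
    sam: str  # sAMAccountName


def is_under(dn: str, ou_dn: str) -> bool:
    """True if dn lies anywhere inside the OU subtree rooted at ou_dn."""
    return dn.endswith("," + ou_dn)


# Constructed sample directory spanning two domains (corp.local and test.com).
DIRECTORY = [
    DirObject("OU=Chicago,DC=corp,DC=local", "Chicago"),
    DirObject("CN=alice,OU=Chicago,DC=corp,DC=local", "alice"),
    DirObject("CN=SRVC-backup,OU=Chicago,DC=corp,DC=local", "SRVC-backup"),
    DirObject("OU=Dallas,DC=corp,DC=local", "Dallas"),
    DirObject("CN=bob,OU=Dallas,DC=corp,DC=local", "bob"),
    DirObject("CN=SRVC-sql,OU=Servers,DC=test,DC=com", "SRVC-sql"),
    DirObject("CN=carol,OU=Servers,DC=test,DC=com", "carol"),
]


def managed_unit(directory, prefix):
    """'Include by Query' rule: sAMAccountName starts with prefix, any domain or OU."""
    return [o for o in directory if o.sam.startswith(prefix)]


@dataclass
class Delegation:
    trustee: str
    template: str       # e.g. "All Objects - Full Control"
    scope: list         # objects the template applies to


def delegate_ou(trustee, template, directory, ou_dn, include_children=True):
    """Delegate on an OU: the object itself and, optionally, all child objects."""
    scope = [o for o in directory
             if o.dn == ou_dn or (include_children and is_under(o.dn, ou_dn))]
    return Delegation(trustee, template, scope)


def delegate_mu(trustee, template, members):
    """Delegate on a managed unit: its current members, wherever they live."""
    return Delegation(trustee, template, list(members))


def visible_to(trustee, delegations):
    """Union of delegated scopes; anything not delegated is not even visible."""
    return sorted({o.dn for d in delegations if d.trustee == trustee for o in d.scope})
```

Joe ends up seeing the Chicago subtree plus the SRVC accounts from both domains, and nothing else, which is the visibility result the demo shows on the workstation.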
To learn more about ActiveRoles Server and download a free trial version of the product, visit quest.com/activeroles-server. Thanks for watching.