Sunday 17 April 2016

Establishing Delegate Access

Once a delegation model has been selected, the next step is to decide how to delegate access. Depending on the server, its installed roles, and its installed applications, there are different ways to delegate access. In some cases, applications or roles include an interface through which elevated access is granted. In most other situations, the local built-in groups can be used to grant different levels of access to different delegates depending on their function.
For example, suppose you have delegated backup duties to a small team of junior administrators. To grant or delegate the necessary permissions, you might decide to nest a domain group containing the junior admins' accounts, rather than adding each account individually, into the built-in local Backup Operators group on one or more servers. To streamline this in larger organizations, you might consider additional layers of group nesting along with Group Policy to push the elevated access down to a group of servers. This method provides a more scalable solution, as expanding delegate access is as simple as adding more junior admin accounts to the domain group; the domain group is then automatically present in the local Backup Operators group on the servers. Active Directory will be discussed in more detail later. Refer to Table 2-4 for a listing of built-in local groups and their functions.
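As an added example (not part of the original post), the following PowerShell performs the nesting just described and then audits the result from a defender's point of view; the domain group, account and server names are constructed assumptions.

```powershell
# Added example, not the post's own code: delegate backup duties by nesting a
# domain group into the local Backup Operators group, then audit the outcome.
# Assumed names (constructed): domain CORP, group GG-Backup-Delegates, servers FS01/FS02.
# Requires the ActiveDirectory RSAT module and the built-in LocalAccounts module.

$DomainGroup  = 'GG-Backup-Delegates'
$JuniorAdmins = @('jdoe', 'asmith')   # constructed sample accounts
$Servers      = @('FS01', 'FS02')     # constructed sample servers

# 1. Create the domain group once and populate it with the junior admin accounts.
if (-not (Get-ADGroup -Filter "Name -eq '$DomainGroup'")) {
    New-ADGroup -Name $DomainGroup -GroupScope Global -GroupCategory Security `
        -Description 'Delegated backup/restore rights on file servers'
}
Add-ADGroupMember -Identity $DomainGroup -Members $JuniorAdmins

# 2. Nest the domain group (never the individual accounts) into Backup Operators
#    on each server. At scale the same nesting is pushed by Group Policy under
#    Computer Configuration > Policies > Windows Settings > Security Settings > Restricted Groups.
Invoke-Command -ComputerName $Servers -ScriptBlock {
    param($Group)
    $member = "$env:USERDOMAIN\$Group"
    if (-not (Get-LocalGroupMember -Group 'Backup Operators' -Member $member -ErrorAction SilentlyContinue)) {
        Add-LocalGroupMember -Group 'Backup Operators' -Member $member
    }
} -ArgumentList $DomainGroup

# 3. Audit: any Backup Operators member other than the delegated group is a finding,
#    since Backup Operators can read and restore files regardless of their ACLs.
function Get-UnexpectedBackupOperators {
    param([string[]]$ComputerName, [string]$ExpectedMember)
    Invoke-Command -ComputerName $ComputerName -ScriptBlock {
        param($Expected)
        Get-LocalGroupMember -Group 'Backup Operators' |
            Where-Object { $_.Name -ne $Expected } |
            Select-Object @{n='Server';e={$env:COMPUTERNAME}}, Name, ObjectClass, PrincipalSource
    } -ArgumentList $ExpectedMember
}

Get-UnexpectedBackupOperators -ComputerName $Servers -ExpectedMember "CORP\$DomainGroup"
```

Run the audit function on a schedule; an empty result means only the delegated group holds backup rights on those servers.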

Table 2-4 Built-in Local Groups

| Group | Function |
|---|---|
| Access Control Assistance Operators | Remotely query permissions or authentication attributes for resources on the computer. |
| Administrators | Grants full access and control to the computer. Allows members to change and manage permissions and access to the computer. |
| Backup Operators | Ability to back up and restore files regardless of the permissions assigned to the folder or files. These users are unable to modify and manage permissions. |
| Certificate Services DCOM Access | Members are allowed to connect to Certificate Authorities. |
| Cryptographic Operators | Perform cryptographic operations. |
| Distributed COM Users | Start, activate, and use DCOM objects. |
| Event Log Readers | Ability to read event logs on the computer. |
| Guests | Users are granted virtually no access to the system other than to use the Internet and basic applications. They are granted temporary profiles upon logon. |
| Hyper-V Administrators | Grants full control over Hyper-V. |
| IIS Users | Used by IIS Web Services. |
| Network Configuration Operators | Ability to make changes to TCP/IP settings and release and renew IP addresses. |
| Performance Log Users | Manage and schedule performance counter logs and alerts on the computer. |
| Performance Monitor Users | Ability to monitor performance counters and read performance counter data. |
| Power Users | Typically used to provide elevated privileges for legacy applications. |
| Print Operators | Administer printers and print jobs on the server. |
| Remote Desktop Users | Members of this group are granted permission to log onto the computer remotely. |
| Replicator | Manages domain replication functions. |
| Users | Limited access to log on to the computer. Allows users to run applications and use local devices and peripherals, but not make administrative changes. |
| WinRMRemoteWMIUsers | Ability to access WMI resources. |
