In any distributed environment there is a need for local 'administrators' to carry out specific roles. These local administrators are not administrators in the true sense; rather they are users with some IT knowledge who carry out local tasks on behalf of the central IT department. The ability to delegate functions and tasks therefore becomes essential. Best practice dictates that any given user should perform that user's role with the least privilege possible: it is not acceptable to give a local user administrative control over an entire server when they only need to administer a specific role. This tip explains how to delegate the administration of a DFS namespace to a user or group of users, and provides examples of how to achieve this using both the GUI and the command line.
Security is a major facet of today's IT management. As more and more people become computer literate, and more and more systems become critical to the business, we must protect these systems as best we can. A well managed, secure IT infrastructure is not just difficult to attack from the outside; it must be secure from the inside as well, if for no other reason than to protect against accidental damage. Therefore we must move to a structure in which every user and administrator performs their specific functions through delegated roles, rather than many administrators running with full control and wide-ranging rights. To achieve this, a thorough delegation model is necessary.
This tip is intended to help an administrator reach the ultimate end goal: three or fewer domain admins!
Domain-based DFS namespaces store their configuration data in Active Directory (the global information) and in the registry of each namespace server (the local information). A domain-based namespace can therefore be delegated by setting permissions on the objects for that namespace in the domain naming context (NC).
Note. The recommended practice for delegating administration is to grant the necessary permissions to a domain local group, and then add the users and/or global groups into this group.
The naming of the group will depend on the naming standards in use in your infrastructure. For the purpose of this article we will use the simplistic approach of a generic group for each individual namespace and an administrative group for all namespaces. In a production environment you would be likely to use a different group for each individual namespace, but would also use a higher-privileged group for the overall administration of the namespaces in the domain.
The DFS namespace information is located under CN=DFS-Configuration,CN=System,DC=domain-name,DC=tld. Each namespace is stored as an object with the name of the namespace beneath that container; for example, CN=Public,CN=DFS-Configuration,CN=System,DC=domain-name,DC=tld is the DN of a DFS namespace called Public. You delegate the administration of an individual namespace by granting full control on the namespace object in question. You delegate the administration of all namespaces by granting full control on the CN=DFS-Configuration container, applied to the container and the objects beneath it. You delegate the ability to create new namespaces, but not to administer existing ones, by granting only the Create fTDfs Objects permission on the CN=DFS-Configuration container. There are several ways to accomplish this delegation: Active Directory Users & Computers (DSA.MSC), ADSIEdit.msc, LDP, DSACLS, ADSI scripts, and so on. This tip uses DSA.MSC, ADSIEdit.msc and DSACLS.EXE.
Note. To achieve the most granular set of permissions possible, ADSIEdit.msc should be favoured over DSA.MSC. However, this tip focuses on the full control permission, so either tool is fine for that purpose.
Using the GUI
Granting a group full control over all DFS namespaces
- Load Active Directory Users & Computers either by navigating to the shortcut in the Start menu, or by typing DSA.MSC at the Run command or command line.
- In DSA.MSC, select Advanced Features from the View menu.
- Expand System, right-click on the DFS-Configuration container and choose Properties.
- In the resultant window, choose the Security tab and add the domain local group that you have created to administer all domain-based DFS namespaces.
- Select the Full Control permission and choose OK.
Granting a group full control over a specific DFS namespace
- Load Active Directory Users & Computers either by navigating to the shortcut in the Start menu, or by typing DSA.MSC at the Run command or command line.
- In DSA.MSC, select Advanced Features from the View menu.
- Expand the System and DFS-Configuration containers, right-click on the specific namespace in question and choose Properties.
- In the resultant window, choose the Security tab and click Advanced.
- Add the domain local group that you have created to administer this specific namespace (not the group for all namespaces, which already has full control of the container).
- Select the Full Control permission and choose OK, and then OK again.
Figure 1

Granting a group the permission to create a new namespace or namespaces
- Load ADSIEdit.msc by typing ADSIEdit.MSC at the Run command or command line.
- Expand the domain NC and then CN=System, right-click on the CN=DFS-Configuration container and choose Properties.
- In the resultant window, choose the Security tab and then click Advanced.
- In the advanced permissions editor choose Add and add the domain local group to which you want to delegate the creation of new namespaces (a separate group from the one that administers all namespaces, which already holds full control).
- Select This object only from the Apply onto drop-down list, tick the Create fTDfs Objects permission, and choose OK and then OK again.
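The three delegations described above (full control of all namespaces, full control of one namespace, and create-only rights on the container) can be applied without the GUI. The following script is an added example and is not part of the original tip; it uses the Active Directory PowerShell module and the AD: drive that module provides. It assumes the domain asp-lab.co.uk used later in this tip, an existing namespace called Public, and three existing domain local groups: DFS-Admins (from this tip) plus DFS-Public-Admins and DFS-Creators, which are assumed names. It targets fTDfs objects, the namespace class this tip describes (Windows Server 2008 mode namespaces, which postdate this tip, use the msDFS-Namespacev2 class instead). Run it as a domain admin.

```powershell
# Added example, not from the original article. Assumes the RSAT ActiveDirectory module,
# domain asp-lab.co.uk, an existing namespace "Public", and existing domain local groups
# DFS-Admins, DFS-Public-Admins (assumed name) and DFS-Creators (assumed name).
Import-Module ActiveDirectory

$domainDN  = (Get-ADDomain).DistinguishedName            # e.g. DC=asp-lab,DC=co,DC=uk
$netbios   = (Get-ADDomain).NetBIOSName                  # e.g. ASP-LAB
$dfsConfig = "CN=DFS-Configuration,CN=System,$domainDN"
$schemaNC  = (Get-ADRootDSE).schemaNamingContext

# schemaIDGUID of the fTDfs class: needed to scope a Create Child ACE to namespace objects only.
$ftDfsBytes = (Get-ADObject -SearchBase $schemaNC -LDAPFilter '(lDAPDisplayName=fTDfs)' -Properties schemaIDGUID).schemaIDGUID
$ftDfsGuid  = New-Object System.Guid -ArgumentList (,$ftDfsBytes)

function Add-DfsAce {
    # Adds one Allow ACE for a group to an AD object, leaving existing ACEs untouched.
    param(
        [string]$Dn,
        [string]$GroupSam,
        [System.DirectoryServices.ActiveDirectoryRights]$Rights,
        [System.DirectoryServices.ActiveDirectorySecurityInheritance]$Inheritance,
        [guid]$ObjectType = [guid]::Empty                 # all-zero GUID = any object type
    )
    $sid  = (Get-ADGroup $GroupSam).SID
    $acl  = Get-Acl -Path "AD:\$Dn"
    $rule = New-Object System.DirectoryServices.ActiveDirectoryAccessRule -ArgumentList @(
        $sid, $Rights, [System.Security.AccessControl.AccessControlType]::Allow, $ObjectType, $Inheritance)
    $acl.AddAccessRule($rule)
    Set-Acl -Path "AD:\$Dn" -AclObject $acl
}

# 1. Administer all namespaces: full control on the container, inherited by every object
#    beneath it so that existing and future namespaces are covered.
Add-DfsAce -Dn $dfsConfig -GroupSam 'DFS-Admins' -Rights GenericAll -Inheritance All

# 2. Administer one namespace: full control on that namespace object only.
Add-DfsAce -Dn "CN=Public,$dfsConfig" -GroupSam 'DFS-Public-Admins' -Rights GenericAll -Inheritance None

# 3. Create new namespaces but not administer existing ones: Create Child limited to the
#    fTDfs class, on the container itself only (the GUI's "This object only").
Add-DfsAce -Dn $dfsConfig -GroupSam 'DFS-Creators' -Rights CreateChild -Inheritance None -ObjectType $ftDfsGuid

# Verify what was written: show the explicit ACEs for the delegated groups on the container.
(Get-Acl -Path "AD:\$dfsConfig").Access |
    Where-Object { $_.IdentityReference.Value -like "$netbios\DFS-*" } |
    Format-Table IdentityReference, ActiveDirectoryRights, InheritanceType, ObjectType -AutoSize
```

The group that receives full control of the container also receives WriteDacl on it and, through inheritance, on every namespace object, so its members can extend their own rights; that is why this tip keeps the all-namespaces group separate from the per-namespace groups and limits its membership.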
Figure 2
Using the command line
Permissions can also be set from the command line with DSACLS.EXE. The following command, which is entered on a single line, grants the group asp-lab\dfs-admins full control over the CN=DFS-Configuration container in the domain asp-lab.co.uk. Note that, as written, the ACE applies to the container object only: in the output in figure 3 it appears under "Effective Permissions on this object" but not under "Permissions inherited to subobjects", so existing namespace objects beneath the container are not covered. To apply it to the container and to all existing and future objects beneath it, add the /I:T switch (this object and sub-objects) to the command.
Note. DSACLS.EXE is one of the Windows Support Tools. For more information on the Support Tools, refer to the msresource.net article on the Support Tools.
C:\>dsacls cn=dfs-configuration,cn=system,dc=asp-lab,dc=co,dc=uk /G asp-lab\dfs-admins:GA;;
Figure 3: delegating full control permissions on the DFS-Configuration container using DSACLS.EXE
C:\>dsacls cn=dfs-configuration,cn=system,dc=asp-lab,dc=co,dc=uk /G asp-lab\dfs-admins:GA;;
Access list:
Effective Permissions on this object are:
Allow ASP-LAB\Domain Admins                      SPECIAL ACCESS
                                                 READ PERMISSONS
                                                 WRITE PERMISSIONS
                                                 CHANGE OWNERSHIP
                                                 CREATE CHILD
                                                 DELETE CHILD
                                                 LIST CONTENTS
                                                 WRITE SELF
                                                 WRITE PROPERTY
                                                 READ PROPERTY
                                                 LIST OBJECT
                                                 CONTROL ACCESS
Allow ASP-LAB\DFS-Admins                         FULL CONTROL
Allow NT AUTHORITY\Authenticated Users           SPECIAL ACCESS
                                                 READ PERMISSONS
                                                 LIST CONTENTS
                                                 READ PROPERTY
                                                 LIST OBJECT
Allow NT AUTHORITY\SYSTEM                        FULL CONTROL
Allow BUILTIN\Administrators                     SPECIAL ACCESS
                                                 DELETE
                                                 READ PERMISSONS
                                                 WRITE PERMISSIONS
                                                 CHANGE OWNERSHIP
                                                 CREATE CHILD
                                                 LIST CONTENTS
                                                 WRITE SELF
                                                 WRITE PROPERTY
                                                 READ PROPERTY
                                                 LIST OBJECT
                                                 CONTROL ACCESS
Allow ASP-LAB\Enterprise Admins                  FULL CONTROL
Allow BUILTIN\Pre-Windows 2000 Compatible Access SPECIAL ACCESS
                                                 LIST CONTENTS
Permissions inherited to subobjects are:
Inherited to all subobjects
Allow BUILTIN\Administrators                     SPECIAL ACCESS
                                                 DELETE
                                                 READ PERMISSONS
                                                 WRITE PERMISSIONS
                                                 CHANGE OWNERSHIP
                                                 CREATE CHILD
                                                 LIST CONTENTS
                                                 WRITE SELF
                                                 WRITE PROPERTY
                                                 READ PROPERTY
                                                 LIST OBJECT
                                                 CONTROL ACCESS
Allow ASP-LAB\Enterprise Admins                  FULL CONTROL
Allow BUILTIN\Pre-Windows 2000 Compatible Access SPECIAL ACCESS
                                                 LIST CONTENTS
Inherited to computer
Allow NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS SPECIAL ACCESS for tokenGroups
                                                 READ PROPERTY
Inherited to group
Allow NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS SPECIAL ACCESS for tokenGroups
                                                 READ PROPERTY
Inherited to user
Allow NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS SPECIAL ACCESS for tokenGroups
                                                 READ PROPERTY
Inherited to inetOrgPerson
Allow BUILTIN\Pre-Windows 2000 Compatible Access SPECIAL ACCESS
                                                 READ PERMISSONS
                                                 LIST CONTENTS
                                                 READ PROPERTY
                                                 LIST OBJECT
Allow BUILTIN\Pre-Windows 2000 Compatible Access SPECIAL ACCESS for Logon Information
                                                 READ PROPERTY
Allow BUILTIN\Pre-Windows 2000 Compatible Access SPECIAL ACCESS for Account Restrictions
                                                 READ PROPERTY
Allow BUILTIN\Pre-Windows 2000 Compatible Access SPECIAL ACCESS for Group Membership
                                                 READ PROPERTY
Allow BUILTIN\Pre-Windows 2000 Compatible Access SPECIAL ACCESS for General Information
                                                 READ PROPERTY
Allow BUILTIN\Pre-Windows 2000 Compatible Access SPECIAL ACCESS for Remote Access Information
                                                 READ PROPERTY
Inherited to user
Allow BUILTIN\Pre-Windows 2000 Compatible Access SPECIAL ACCESS
                                                 READ PERMISSONS
                                                 LIST CONTENTS
                                                 READ PROPERTY
                                                 LIST OBJECT
Inherited to group
Allow BUILTIN\Pre-Windows 2000 Compatible Access SPECIAL ACCESS
                                                 READ PERMISSONS
                                                 LIST CONTENTS
                                                 READ PROPERTY
                                                 LIST OBJECT
Inherited to user
Allow BUILTIN\Pre-Windows 2000 Compatible Access SPECIAL ACCESS for Logon Information
                                                 READ PROPERTY
Allow BUILTIN\Pre-Windows 2000 Compatible Access SPECIAL ACCESS for Account Restrictions
                                                 READ PROPERTY
Allow BUILTIN\Pre-Windows 2000 Compatible Access SPECIAL ACCESS for Group Membership
                                                 READ PROPERTY
Allow BUILTIN\Pre-Windows 2000 Compatible Access SPECIAL ACCESS for General Information
                                                 READ PROPERTY
Allow BUILTIN\Pre-Windows 2000 Compatible Access SPECIAL ACCESS for Remote Access Information
                                                 READ PROPERTY
The command completed successfully
C:\>
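Once a delegation has been applied, whether with the GUI or with DSACLS.EXE, it should be checked: both that the intended group holds the intended rights on the intended objects, and that nobody else has acquired rights on the DFS configuration over time. The following script is an added example and is not part of the original tip. It reads the ACL of CN=DFS-Configuration and of every namespace object beneath it with the Active Directory PowerShell module, hides the trustees that are present by default (the ones visible in the DSACLS output above), and warns about the case that output illustrates: a full control ACE on the container that was not applied to sub-objects. The set of default trustees and the inclusion of msDFS-Namespacev2 objects (the class used by Windows Server 2008 mode namespaces, which postdate this tip) are assumptions for the example.

```powershell
# Added example, not from the original article. Assumes the RSAT ActiveDirectory module.
Import-Module ActiveDirectory

$domain    = Get-ADDomain
$dfsConfig = "CN=DFS-Configuration,CN=System,$($domain.DistinguishedName)"

# Trustees present on the container by default (as seen in the dsacls output in figure 3);
# they are hidden so that only delegated or unexpected trustees remain. Assumed list.
$defaultTrustees = @(
    'NT AUTHORITY\SYSTEM',
    'NT AUTHORITY\Authenticated Users',
    'NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS',
    'BUILTIN\Administrators',
    'BUILTIN\Pre-Windows 2000 Compatible Access',
    "$($domain.NetBIOSName)\Domain Admins",
    "$($domain.NetBIOSName)\Enterprise Admins"
)

function Get-DfsDelegation {
    # Returns one record per non-default ACE on the given AD object.
    param([string]$Dn)
    $acl = Get-Acl -Path "AD:\$Dn"
    foreach ($ace in $acl.Access) {
        if ($defaultTrustees -contains $ace.IdentityReference.Value) { continue }
        [pscustomobject]@{
            Object     = $Dn
            Trustee    = $ace.IdentityReference.Value
            Rights     = $ace.ActiveDirectoryRights
            Type       = $ace.AccessControlType
            Inherited  = $ace.IsInherited
            AppliesTo  = $ace.InheritanceType      # None = this object only
            ObjectType = $ace.ObjectType           # class/attribute GUID, all-zero = any
        }
    }
}

# The container itself plus every namespace object beneath it. fTDfs is the class this tip
# describes; msDFS-Namespacev2 is the Windows Server 2008 mode class (added for completeness).
$namespaces = Get-ADObject -SearchBase $dfsConfig -SearchScope Subtree `
    -LDAPFilter '(|(objectClass=fTDfs)(objectClass=msDFS-Namespacev2))'
$targets = @($dfsConfig) + @($namespaces | ForEach-Object { $_.DistinguishedName })

$report = $targets | ForEach-Object { Get-DfsDelegation -Dn $_ }
$report | Format-Table Object, Trustee, Rights, Type, Inherited, AppliesTo -AutoSize

# A full control ACE on the container that applies to "this object only" (the result of
# dsacls /G without /I:T) does not reach the existing namespace objects; flag it.
$fullControl = [System.DirectoryServices.ActiveDirectoryRights]::GenericAll
$report | Where-Object {
    $_.Object -eq $dfsConfig -and $_.Rights -eq $fullControl -and $_.AppliesTo -eq 'None'
} | ForEach-Object {
    Write-Warning "$($_.Trustee) has full control on the container only; existing namespaces are not covered (re-apply with /I:T or with inheritance)."
}

# Any Allow ACE on a namespace object for a trustee that is not the group delegated for that
# namespace, or not inherited from the container, deserves a look.
$report | Where-Object { $_.Object -ne $dfsConfig -and -not $_.Inherited -and $_.Type -eq 'Allow' } |
    ForEach-Object { Write-Host "Explicit grant on $($_.Object): $($_.Trustee) -> $($_.Rights)" }
```

Running this periodically, or after each change, is the cheapest way to keep the delegation model honest: the report should contain only the groups you created for the purpose, with the all-namespaces group appearing on the container with an inheritable ACE and each per-namespace group appearing on its own namespace object only.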
Document information
Author: Paul Williams
Written: 29-10-2005
Version: 2.0
Last updated: 02-08-2007
Last updated by: Paul Williams