Administrative Authority Structure and Policies for the Active Directory at Yale
This page documents the layers of administrative authority that will exist in the Active Directory structure at Yale, which groups or individuals will hold that authority, and the scope of each group's authority.
This is important to document because the more tightly integrated structure of the AD creates places where administrative authority overlaps between areas. It should be clear to all participants not only where those overlaps are, but also which individuals are able to take administrative actions that affect (or override) the actions of others.
Any comments or suggestions about the policy items listed here can be directed to the Yale Active Directory Advisory Committee, which will be in place to deal with such policy questions at an official level.
Sources of Administrative Authority in the Active Directory
Administrative authority over an object or group of objects comes from several sources:
- Local administrators, such as the holder of the default administration account for a system, have authority over that specific machine and its local users.
- Individuals with delegated authority in an OU have the administrative powers that were delegated to them. Their authority extends to all objects that are part of the OU, including both users and systems.
- Domain Administrators have authority over all objects within a domain, including all OUs within the domain.
- Enterprise Administrators have administrative authority over all objects in the entire Active Directory forest. This capability exists for cases where forest-wide changes are needed (such as upgrades to the AD) or an administrative error must be reversed.
The "Domain Admins" and "Enterprise Admins" groups should never be removed from ACLs, because doing so causes problems when structural changes (such as upgrades) are performed on the Active Directory. If you have security concerns about this, please contact the Yale AD Advisory group.
Domain Administrators
Because in this model there is only one domain that contains almost all objects in the AD, administrators in that domain have a much wider reach of authority than they have had in the past.
For example, in the current system a Domain Admin in the central Windows NT domain could control all user accounts in that domain and could manage trust relationships with the resource domains, but would have no inherent authority over systems in any domain other than the YALE domain.
In the new model, a domain admin in the yu.yale.edu domain would, by default, have authority over all objects in the domain, including those in OUs. So, for example, the Astrology OU would recognize as administrators not only those individuals who were given administrative access to the OU, but the domain admins as well.
As part of the migration from NT to the AD, the number of domain admins was cut to the bare minimum necessary.
Enterprise Administrators
Clearly, this powerful group requires special treatment. Membership in this group is limited to very few individuals: enough to ensure that an enterprise admin will always be available if needed in an emergency, while keeping the group as small as possible.
Access Limitations for High-Level Administrators
The Information Security Officer has recommended that anyone with significant administrative authority in the AD be required to use a supplemental authentication device, such as a hardware token or smart card, in order to log in. Windows 2000 has built-in support for requiring a hardware token such as a smart card or cryptographic device before specified users can log in at a system's console. This would limit the usefulness of stealing the password of a powerful user account.
This will definitely be in place on the systems that make up the empty root domain and may be implemented for domain and OU administrators as well.
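The two policy points above (smart cards required for high-level administrators, and the "Domain Admins"/"Enterprise Admins" groups never removed from OU ACLs) can be audited from the directory itself. The script below is an added example and is not part of the Yale policy document; it assumes the RSAT ActiveDirectory PowerShell module, a domain-joined session with read access to the privileged groups and OUs, and that the forest-root domain controller can be named via -Server (the group and OU names are the ones used on this page).

```powershell
# Added example: audit privileged accounts and OU ACLs against the policy above.
# Assumes the ActiveDirectory module (RSAT) is installed and the session is domain-joined.
Import-Module ActiveDirectory

function Get-PrivilegedUsersWithoutSmartcard {
    param(
        [string[]]$Groups = @('Domain Admins', 'Enterprise Admins'),
        # In an empty-root-domain design, "Enterprise Admins" lives in the forest root,
        # so pass a root-domain DC here when running from a child domain.
        [string]$Server
    )
    $common = @{}
    if ($Server) { $common['Server'] = $Server }
    foreach ($group in $Groups) {
        # -Recursive resolves nested groups so indirectly privileged users are included.
        $members = Get-ADGroupMember -Identity $group -Recursive @common |
            Where-Object { $_.objectClass -eq 'user' }
        foreach ($member in $members) {
            # SmartcardLogonRequired reflects the SMARTCARD_REQUIRED bit of userAccountControl,
            # i.e. the Windows 2000 "Smart card is required for interactive logon" setting.
            $user = Get-ADUser -Identity $member.DistinguishedName @common `
                -Properties SmartcardLogonRequired, Enabled
            if ($user.Enabled -and -not $user.SmartcardLogonRequired) {
                [pscustomobject]@{
                    Group             = $group
                    SamAccountName    = $user.SamAccountName
                    DistinguishedName = $user.DistinguishedName
                }
            }
        }
    }
}

function Get-OUsMissingAdminAce {
    param([string[]]$RequiredIdentities = @('Domain Admins', 'Enterprise Admins'))
    foreach ($ou in Get-ADOrganizationalUnit -Filter *) {
        # The AD: PSDrive exposes each object's security descriptor to Get-Acl.
        $acl = Get-Acl -Path ("AD:\" + $ou.DistinguishedName)
        $present = $acl.Access | ForEach-Object { $_.IdentityReference.Value }
        foreach ($id in $RequiredIdentities) {
            # IdentityReference is "DOMAIN\Group", so match on the trailing group name.
            if (-not ($present | Where-Object { $_ -like "*\$id" })) {
                [pscustomobject]@{ OU = $ou.DistinguishedName; MissingGroup = $id }
            }
        }
    }
}

# Example usage: list findings without changing anything.
Get-PrivilegedUsersWithoutSmartcard | Format-Table -AutoSize
Get-OUsMissingAdminAce | Format-Table -AutoSize
```

Accounts reported by the first function can be brought into line with the policy using Set-ADUser -SmartcardLogonRequired $true once a card has been issued; the second function only reports ACEs that are absent, it does not modify any ACL.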