Safely Delegating Password Reset Capability in Active Directory

I have been preaching for years about how powerful Active Directory is in the ability to delegate control over certain tasks and certain objects in Active Directory. One of the most obvious delegations is giving a one group of users the ability to reset passwords for a different group of users. There are a few issues using the Microsoft solution, and those issues can cause insecure settings, hard-to-report delegations, and access to AD that is hard to find and remove.

Just to see the Microsoft solution, let’s look at an example. Say you had a couple of technicians that you want to be responsible for resetting HR employees’ passwords. So you create a group called HR_PASSWORD_RESET and add the technicians to this group. You would then delegate control to this group over the HR organizational unit. You would use the Delegate Control Wizard that is built into Active Directory Users and Computers, shown in Figure 1.Figure 1. Delegate Control Wizard to delegate resetting passwords.

This seems like a fairly straight forward option when using Active Directory Users and Computers, and it is at first. The tricky part is trying to determine what delegations have been made and over which components of Active Directory. There is no GUI option to view the delegations! There are no built-in reporting tools specifically for viewing delegations! So what are your options? First, you could use the Security tab located on the Properties page for the Active Directory node (domain or OU) for which the delegation is made. Second, you could use a tool like DSACLS, which will show you the permissions (similar to the Security tab) in a text file. Oh… almost forgot… the Delegation Control Wizard is a configure only tool, it can not remove delegations!

So why is this an issue? Imagine you are a normal-sized company. You might have 5,000 employees; 12,000 groups; 6,000 computers; and 500 organization units. How long would it take for you to audit the delegations that have been made on each of the Active Directory nodes? Trust me, I have done it for over 1,000 organizational units and it takes quite some time. If you miss a delegation, it means that a group of users have control over Active Directory objects and you are not aware of it!

As an alternative to creating a security nightmare for your Active Directory enterprise, ManageEngine has a tool, ADManager Plus, which is ideal for delegations over objects in Active Directory. ADManager Plus is ideal for many reasons:

  1. Delegations are easily customized to define exactly what you want to give control over

  2. Delegations can easily be audited using the ADManager Plus GUI

  3. Delegations can be configured and removed easily

  4. Delegations are done 100-percent through the ADManager Plus engine, so no permissions are modified on the actual Active Directory objects. This prohibits a user from bypassing ADManager Plus to access the objects through another tool.

Let’s take our initial example and put that into practice using ADManager Plus. ADManager Plus uses Help Desk Roles instead of groups to organize the delegations. So, you will create a new Help Desk Role that will be for changing passwords for the HR OU. In order to do this, you will need to pick the correct delegation, shown in Figure 2, which is as easy as selecting the check boxes for the role.Figure 2. Help Desk Roles are assigned specific delegations over AD.

You can clearly see that ADManager Plus has many more delegations than the Active Directory Users and Computers Delegation Control Wizard.

Next, you only need to associate the people (technicians) with the delegations (Help Desk Roles). It is that simple, and the results will be similar to those shown in Figure 3.Figure 3. Technicians are assigned Help Desk Roles.

You can see that Figure 3 clearly shows you which technicians have which roles, so it is very easy to audit, review, and verify the delegations.

One final, key point regarding ADManager Plus. The tool provides an excellent solution for “proxying” the delegations. The actual access control lists for the delegations are not modified. This means that if the user granted the delegations in ADManager Plus tries to use the Active Directory Users and Computers (or any other LDAP tool), then she will fail to manage the objects using this avenue. This control is managed during the creation of the technician and is a simple check box, shown in Figure 4, indicating that the technician will be impersonated and the ACL will not be changed.Figure 4. ADManager Plus impersonates delegations for better security.

Using ADManager Plus is a much cleaner, easier, more robust, and auditable solution than trying to use the ADUC and Delegation Control Wizard. With this solution, you are able to negate many of the negative issues related to using the Microsoft solution. Reporting, ensuring the correct settings are in place, and being able to quickly remove delegations over AD are just a few of the benefits using ADManager Plus.

You Can Learn More About the ManageEngine Product Line By Going to www.ManageEngine.ca

The original article/video can be found at Safely Delegating Password Reset Capability in Active Directory

About the Author: Shannon Lewis

Leave a Reply Cancel reply