Samba Active Directory Domain Controller Delegation

Introduction

Active Directory allows you to delegate permission for administrative tasks to users and/or groups. This is an important feature: it means you do not have to work with domain admin permissions all the time or hand the domain admin password to everyone in your IT department.

Possible fields of application:

Delegations can be configured on the whole domain or on specific OUs.

Samba versions supporting delegations

You should run at least 4.0.0 final (older versions have not been tested)!

Known issues/limitations

Performance and maintenance of delegations

Delegations are, simply put, ACLs on directory attributes and containers. If you delegate permissions to several user accounts, the number of ACLs grows, which can eventually affect performance. Also, if the delegated permissions have to be revoked for an account, you must remove its ACLs individually, which is unnecessary administration work.

That is why it is recommended that you delegate permissions only to groups and never to individual accounts. If you want to grant or revoke permissions for an account, you then only have to change its group membership.

Delegating 'Joining Computers to the domain'-permissions

Add delegation

In the following we explain how to delegate the permission to join computers to the domain to members of a group that is not the domain admins group. This delegation should only be set on the default container for machine accounts (CN=Computers).

Side note: By default, the 'authenticated users' group can join up to 10 workstations to the domain. This can be a security risk and you should consider disabling it!

After you finished these steps, members of the 'supporter' group will be able to join computers to the domain.
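The delegation described above, as an added example that is not part of the Samba wiki page: a small set of shell functions that build the SDDL ACE granting "create computer objects" on CN=Computers to a group, apply it with samba-tool dsacl, check that it is present, and set ms-DS-MachineAccountQuota to 0 to close the default 10-workstation allowance from the side note. Assumed environment: a Samba AD DC with samba-tool, wbinfo and ldbmodify in PATH; the sam.ldb path and the group name 'SAMDOM\supporter' are assumptions.

```shell
#!/bin/sh
# Added example (not the Samba project's own code). Assumes samba-tool,
# wbinfo and ldbmodify are available on the DC.
set -eu

# schemaIDGUID of the AD "computer" object class (well-known value).
COMPUTER_CLASS_GUID="bf967a86-0de6-11d0-a285-00aa003049e2"

# Build the SDDL ACE: object-specific allow (OA), no inheritance flags so it
# applies to the container itself only, right CC (create child) restricted to
# the computer class, granted to the group SID given as $1.
computer_join_ace() {
    printf '(OA;;CC;%s;;%s)' "$COMPUTER_CLASS_GUID" "$1"
}

# Resolve a group name such as 'SAMDOM\supporter' to its SID using winbind.
# wbinfo prints "S-1-5-21-... SID_DOM_GROUP (2)"; keep only the SID.
group_sid() {
    wbinfo --name-to-sid "$1" | cut -d' ' -f1
}

# Grant the delegation on the container DN ($1) to the group ($2).
delegate_join() {
    sid=$(group_sid "$2")
    samba-tool dsacl set --objectdn="$1" --sddl="$(computer_join_ace "$sid")"
}

# Return 0 if the container's security descriptor already carries the ACE
# for the SID given as $2 (useful to verify, or to avoid adding it twice).
is_join_delegated() {
    samba-tool dsacl get --objectdn="$1" | grep -qF "$(computer_join_ace "$2")"
}

# LDIF that sets ms-DS-MachineAccountQuota on the domain object ($1) to 0,
# so only explicitly delegated groups (and admins) can create machine accounts.
quota_ldif() {
    printf 'dn: %s\nchangetype: modify\nreplace: ms-DS-MachineAccountQuota\nms-DS-MachineAccountQuota: 0\n' "$1"
}

# Apply the quota change with ldbmodify against the local sam.ldb
# (path is an assumption; adjust to your installation's private directory).
disable_machine_quota() {
    quota_ldif "$1" | ldbmodify -H "${SAM_LDB:-/usr/local/samba/private/sam.ldb}"
}

# Usage on the DC (example DN and group name are assumptions):
#   delegate_join 'CN=Computers,DC=samdom,DC=example,DC=com' 'SAMDOM\supporter'
#   disable_machine_quota 'DC=samdom,DC=example,DC=com'
```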

Revoke delegation

If you want to revoke the permission for the 'supporter' group again, follow these steps:

Delegating 'Add/change/delete accounts/groups'-permissions

Usually you don't want to be logged in as Domain Administrator the whole day. But to make changes to user accounts and groups, you need special permissions in the AD. By default, all members of the BuiltIn group "Account Operators" can do this job, so simply add the user(s) who should be able to administer accounts and groups to this group.

However, the "Account Operators" group does not have the permissions required for making all changes on the "UNIX attributes" tab. To achieve this, follow these steps: