Delegation of Control – Group Policy Administration


Overview


This article outlines a procedure to delegate Group Policy Administration without requiring the use of any of the built-in privileged security groups. Although members of Group Policy Creator Owners, Enterprise Admins and Domain Admins have the required permissions to create and delete any GPO that they have created, their scope of privileges is broader than desired. Following the principle of least privilege, this procedure outlines steps to delegate Group Policy Administration in one or more trusted domains to newly created security groups.

Delegation of Control of DNS Zone Administration

Overview

Members of the built-in DNSAdmins security principal in an Active Directory domain are granted the following default permissions: Allow: Read, Write, Create All Child objects, Delete Child objects, Special Permissions.

In a large organization, there may be a need to delegate control of the DNS Zone Administration to regional or branch office network administration groups or to the SOC team, who may have to create honeypot DNS entries. This article outlines one possible way to configure the delegation.

For this illustration, the regional network administration team is assumed to be located in the APAC region and to be creating its first Active Directory-integrated DNS zone, called lazydog.com.
