Questions[delegation](server)

We have a tool being developed that will keep specific attributes of Active Directory user objects up to date with an authoritative source of employee information truth elsewhere, so that when someone's phone number or manager or location changes, Active Directory is automatically updated.

For normal users, delegation of manipulating to those properties is simple to handle using the delegation tools, but protected users, who have the adminSDHolder ACL applied, it's more difficult.

When adding an ACE to the adminSDHolder ACL using the UI, you're only able to grant access to all properties (which we don't want for security reasons), or properties that exist on the adminSDHolder object itself - not user properties like department.

How do you grant access to specific properties of user objects under the protection of adminSDHolder?

I would like to grant Read-Access to event logs on all my domain controllers, ideally at a domain level using GPO. I would like members of a group to be able to view the Application Log, the System Log, and several logs in "Application and Services logs" such as "Directory Service" and "File Replication Service." What would be the best strategy of going about this?

Please note that most of my Domain Controllers are 2008 R2

We have a service account that is a member of the domain admins group. This is something that makes me exceptionally uncomfortable.

I am looking to change this as soon as possible but am fairly new to AD permissions. The main use of the service account is for LDAP queries so I have assigned the account Domain User membership. The trouble is that it also requires the ability to reset a password on behalf of a user. I was looking in to Delegate Control but can only see a "Reset User Passwords and Force Change at next Logon". What is needed is for the reset to occur but the force change not to be set. I tried to specify a role manually but am somewhat out of my depth with the sheer number of different permissions.

Has anyone got any guidance on what permissions are required to delegate control of password resets to another user?

Problem: A user connects to a service on a machine, such as an IIS web site or a SQL Server database. The site or the database need to gain access to network resources such as file shares (the most common) or a database on a different server. Permission is denied.

This is because the user the service is running under doesn't have network permissions in the first place, or if it does, it doesn't have rights to access the remote resource.

I keep running into this problem over and over again and am tired of not having a really solid way of handling it.

Here are some workarounds I'm aware of:

• Run IIS as a custom-created domain user who is granted high permissions

  If permissions are granted one file share at a time, then every time I want to read from a new share, I would have to ask a network admin to add it for me. Eventually, with many web sites reading from many shares, it is going to get really complicated. If permissions are just opened up wide for the user to access any file shares in our domain, then this seems like an unnecessary security surface area to present.

  This also applies to all the sites running on IIS, rather than just the selected site or virtual directory that needs the access, a further surface area problem.

• Do the same thing, but use an application pool or individually set credentials

  One doesn't have to run the entire IIS instance as a particular user: each site, application, and folder can be set to run under a particular application pool or manually-chosen set of credentials. This solves some small part of the surface area problem, but doesn't really solve the other issues about managing permission granularity and doing so across many resources.

• Still use the IUSR account but give it network permissions and set up the same user name on the remote resource (not a domain user, a local user)

  This also has its problems. For example, there's a file share I am using that I have full rights to for sharing, but I can't log in to the machine. So I have to find the right admin and ask him to do it for me. Any time something has to change, it's another request to an admin.

• Allow IIS users to connect as anonymous, but set the account used for anonymous access to a high-privilege one

  This is even worse than giving the IIS IUSR full privileges, because it means my web site can't use any kind of security in the first place.

• Connect using Kerberos, then delegate

  This sounds good in principle but has all sorts of problems. First of all, if you're using virtual web sites where the domain name you connect to the site with is not the base machine name (as we do frequently), then you have to set up a Service Principal Name on the webserver using Microsoft's SetSPN utility. It's complicated and apparently prone to errors. Also, you have to ask your network/domain admin to change security policy for both the web server and the domain account so they are "trusted for delegation." If you don't get everything perfectly right, suddenly your intended Kerberos authentication is NTLM instead, and you can only impersonate rather than delegate, and thus no reaching out over the network as the user. Also, this method can be problematic because sometimes you need the web site or database to have permissions that the connecting user doesn't have.

• Create a service or COM+ application that fetches the resource for the web site

  Services and COM+ packages are run with their own set of credentials. Running as a high-privilege user is okay since they can do their own security and deny requests that are not legitimate, putting control in the hands of the application developer instead of the network admin. Problems: I am using a COM+ package that does exactly this on Windows Server 2000 to deliver highly sensitive images to a secured web application. I tried moving the web site to Windows Server 2003 and was suddenly denied permission to instantiate the COM+ object, very likely registry permissions. I trolled around quite a bit and did not solve the problem, partly because I was reluctant to give the IUSR account full registry permissions. That seems like the same bad practice as just running IIS as a high-privilege user.

  Note: This is actually really simple. In a programming language of your choice, you create a class with a function that returns an instance of the object you want (an ADODB.Connection, for example), and build a dll, which you register as a COM+ object. In your web server-side code, you create an instance of the class and use the function, and since it is running under a different security context, calls to network resources work.

• Map drive letters to shares

  This could theoretically work, but in my mind it's not really a good long-term strategy. Even though mappings can be created with specific credentials, and this can be done by others than a network admin, this also is going to mean that there are either way too many shared drives (small granularity) or too much permission is granted to entire file servers (large granularity). Also, I haven't figured out how to map a drive so that the IUSR gets the drives. Mapping a drive is for the current user, I don't know the IUSR account password to log in as it and create the mappings.

• Move the resources local to the web server/database

  There are times when I've done this, especially with Access databases. Does the database have to live out on the file share? Sometimes, it was just easiest to move the database to the web server or to the SQL database server (so the linked server to it would work). But I don't think this is a great all-around solution, either. And it won't work when the resource is a service rather than a file.

• Move the service to the final web server/database

  I suppose I could run a web server on my SQL Server database, so the web site can connect to it using impersonation and make me happy. But do we really want random extra web servers on our database servers just so this is possible? No.

• Virtual directories in IIS

  I know that virtual directories can help make remote resources look as though they are local, and this supports using custom credentials for each virtual directory. I haven't been able to come up with, yet, how this would solve the problem for system calls. Users could reach file shares directly, but this won't help, say, classic ASP code access resources. I could use a URL instead of a file path to read remote data files in a web page, but this isn't going to help me make a connection to an Access database, a SQL server database, or any other resource that uses a connection library rather than being able to just read all the bytes and work with them.

I wish there was some kind of "service tunnel" that I could create. Think about how a VPN makes remote resources look like they are local. With a richer aliasing mechanism, perhaps code-based, why couldn't even database connections occur under a defined security context? Why not a special Windows component that lets you specify, per user, what resources are available and what alternate credentials are used for the connection? File shares, databases, web sites, you name it. I guess I'm almost talking about a specialized local proxy server.

Anyway, so there's my list. I may update it if I think of more. Does anyone have any ideas for me?

My current problem today is, yet again, I need a web site to connect to an Access database on a file share. Here we go again...

All my nerdly life, I've dealt with this limitation of Windows Domains

1. Login - console
2. Integrated auth to something (usually web app)
3. My credentials can't move to another server (e.g. database or file system). They have to trust machine 2.

Is there a configuration that changes this behavior? In many many cases, 3 hops would be amazingly convenient.

What is the specific reason that credentials should not delegate twice (client->server->server)?