Recipe 17.9 Delegating Control of Managing an Application Partition

17.9.1 Problem

You want to delegate control over the management of an application partition.

17.9.2 Solution

17.9.2.1 Using a graphical user interface
  1. Open ADSI Edit.

  2. Connect to the Configuration naming context of the forest the application partition is in if it is not already present in the left pane.

  3. Expand the Configuration naming context and click on the Partitions container.

  4. In the right pane, right-click on the crossRef object that represents the application partition and select Properties.

  5. Click the Security tab.

  6. Click the Advanced button.

  7. Click the Add button.

  8. Use the object picker to find the user or group you want to delegate control to and click OK.

  9. Click the Properties tab.

  10. Under Allow, check the boxes beside Write msDS-NC-Replica-Locations, Write msDS-SDReferenceDomain, Write msDS-Replication-Notify-First-DSA-Delay, and Write msDS-Replication-Notify-Subsequent-DSA-Delay.

  11. Click OK.

17.9.2.2 Using a command-line interface
> dsacls <AppPartitionCrossRefDN> /G <UserOrGroup>:RPWP;msDS-NC-Replica-Locations
> dsacls <AppPartitionCrossRefDN> /G <UserOrGroup>:RPWP;msDS-SDReferenceDomain
> dsacls <AppPartitionCrossRefDN> /G <UserOrGroup>:RPWP;msDS-Replication-Notify-First-DSA-Delay
> dsacls <AppPartitionCrossRefDN> /G <UserOrGroup>:RPWP;msDS-Replication-Notify-Subsequent-DSA-Delay

17.9.2.3 Using VBScript
' This script delegates control over the four key attributes 
' of an app partition to the specified user or group.
' ------ SCRIPT CONFIGURATION ------
' Fully qualified DNS name of app partition
strAppPart = "<AppPartitionFQDN>"  ' e.g. apps.rallencorp.com
' User or group to delegate control to
strUser = "<UserOrGroup>"  ' e.g. joe@rallencorp.com or RALLENCORP\joe
' ------ END CONFIGURATION ---------

'############################
' Constants
'############################

' ADS_ACETYPE_ENUM
Const ADS_ACETYPE_ACCESS_ALLOWED        = &h0
Const ADS_ACETYPE_ACCESS_ALLOWED_OBJECT = &h5

' ADS_FLAGTYPE_ENUM
Const ADS_FLAG_OBJECT_TYPE_PRESENT = &h1

' ADS_RIGHTS_ENUM
Const ADS_RIGHT_DS_WRITE_PROP = &h20
Const ADS_RIGHT_DS_READ_PROP  = &h10

' schemaIDGUID values
Const REPLICA_LOCATIONS           = "{97de9615-b537-46bc-ac0f-10720f3909f3}"
Const SDREFERENCEDOMAIN           = "{4c51e316-f628-43a5-b06b-ffb695fcb4f3}"
Const NOTIFY_FIRST_DSA_DELAY      = "{85abd4f4-0a89-4e49-bdec-6f35bb2562ba}"
Const NOTIFY_SUBSEQUENT_DSA_DELAY = "{d63db385-dd92-4b52-b1d8-0d3ecc0e86b6}"

'############################
' Find App Partition
'############################

set objRootDSE = GetObject("LDAP://RootDSE")
strBase = "<LDAP://cn=Partitions," & _
          objRootDSE.Get("ConfigurationNamingContext") & ">;"
strFilter  = "(&(objectcategory=crossRef)(dnsRoot=" & _
             strAppPart & "));" 
strAttrs   = "cn,distinguishedName;"
strScope   = "onelevel"
set objConn = CreateObject("ADODB.Connection")
objConn.Provider = "ADsDSOObject"
objConn.Open "Active Directory Provider"
Set objRS = objConn.Execute(strBase & strFilter & strAttrs & strScope)
if objRS.RecordCount <> 1 then
   WScript.Echo "Did not find a match for " & strAppPart
   WScript.Quit 1   ' stop here, otherwise objAppPart is undefined below
else
   objRS.MoveLast
   set objAppPart = GetObject("LDAP://" &  _
                    objRS.Fields("distinguishedName").Value )
end if

'############################
' Create ACL
'############################

set objSD = objAppPart.Get("ntSecurityDescriptor")
set objDACL = objSD.DiscretionaryAcl

' Read/Write Property: msDS-NC-Replica-Locations
set objACE1 = CreateObject("AccessControlEntry")
objACE1.Trustee    = strUser
objACE1.AccessMask = ADS_RIGHT_DS_WRITE_PROP Or ADS_RIGHT_DS_READ_PROP
objACE1.AceFlags   = 0
objACE1.Flags      = ADS_FLAG_OBJECT_TYPE_PRESENT
objACE1.AceType    = ADS_ACETYPE_ACCESS_ALLOWED_OBJECT
objACE1.ObjectType = REPLICA_LOCATIONS

' Read/Write Property: msDS-SDReferenceDomain
set objACE2 = CreateObject("AccessControlEntry")
objACE2.Trustee    = strUser
objACE2.AccessMask = ADS_RIGHT_DS_WRITE_PROP Or ADS_RIGHT_DS_READ_PROP
objACE2.AceFlags   = 0
objACE2.Flags      = ADS_FLAG_OBJECT_TYPE_PRESENT
objACE2.AceType    = ADS_ACETYPE_ACCESS_ALLOWED_OBJECT
objACE2.ObjectType = SDREFERENCEDOMAIN

' Read/Write Property: msDS-Replication-Notify-First-DSA-Delay
set objACE3 = CreateObject("AccessControlEntry")
objACE3.Trustee    = strUser
objACE3.AccessMask = ADS_RIGHT_DS_WRITE_PROP Or ADS_RIGHT_DS_READ_PROP
objACE3.AceFlags   = 0
objACE3.Flags      = ADS_FLAG_OBJECT_TYPE_PRESENT
objACE3.AceType    = ADS_ACETYPE_ACCESS_ALLOWED_OBJECT
objACE3.ObjectType = NOTIFY_FIRST_DSA_DELAY

' Read/Write Property: msDS-Replication-Notify-Subsequent-DSA-Delay
set objACE4 = CreateObject("AccessControlEntry")
objACE4.Trustee    = strUser
objACE4.AccessMask = ADS_RIGHT_DS_WRITE_PROP Or ADS_RIGHT_DS_READ_PROP
objACE4.AceFlags   = 0
objACE4.Flags      = ADS_FLAG_OBJECT_TYPE_PRESENT
objACE4.AceType    = ADS_ACETYPE_ACCESS_ALLOWED_OBJECT
objACE4.ObjectType = NOTIFY_SUBSEQUENT_DSA_DELAY

objDACL.AddAce objACE1
objDACL.AddAce objACE2
objDACL.AddAce objACE3
objDACL.AddAce objACE4

'############################
' Set ACL
'############################
objSD.DiscretionaryAcl = objDACL
objAppPart.Put "ntSecurityDescriptor", objSD
objAppPart.SetInfo
WScript.Echo "Delegated control of " & strAppPart & " to " & strUser

17.9.3 Discussion

If you want to delegate control of management of application partitions, you must grant control over four key attributes. Here is a description of each attribute and what can be accomplished by having control over it:

msDS-NC-Replica-Locations

By having write access to this attribute, a user can add replica servers for the application partition. See Recipe 17.3 for more information.

msDS-SDReferenceDomain

By having write access to this attribute, a user can define the default security descriptor domain for the application partition. See Recipe 17.8 for more information.

msDS-Replication-Notify-First-DSA-Delay

See Recipe 17.7 for more information.

msDS-Replication-Notify-Subsequent-DSA-Delay

See Recipe 17.7 for more information.

If you want to delegate control over managing objects within the application partition, you need to follow the same procedures you would when delegating control over objects in a domain naming context. See Recipe 14.5 for more information on delegating control.
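After applying the delegation, it is worth checking who actually ends up with write rights on these four attributes. The following PowerShell audit script is an added example, not from the cookbook: it locates the partition's crossRef the same way the VBScript does, reads its DACL, and lists every trustee that can write the four attributes, including broad grants (GenericAll, GenericWrite, WriteDacl, WriteOwner, or an all-properties WriteProperty ACE) that cover them without naming them. It assumes the ActiveDirectory module (RSAT) and the AD: drive it registers; the parameter name is my own.

```powershell
# Added example: audit which trustees can write the four delegated attributes
# on an application partition's crossRef object. Not from the cookbook; assumes
# the ActiveDirectory module (RSAT) and the AD: PSDrive it registers.
param(
    # DNS name of the application partition, e.g. apps.rallencorp.com
    [Parameter(Mandatory)] [string] $AppPartitionDnsRoot
)
Import-Module ActiveDirectory

# schemaIDGUID values of the four attributes, as listed in the recipe's VBScript
$delegatedAttrs = @{
    '97de9615-b537-46bc-ac0f-10720f3909f3' = 'msDS-NC-Replica-Locations'
    '4c51e316-f628-43a5-b06b-ffb695fcb4f3' = 'msDS-SDReferenceDomain'
    '85abd4f4-0a89-4e49-bdec-6f35bb2562ba' = 'msDS-Replication-Notify-First-DSA-Delay'
    'd63db385-dd92-4b52-b1d8-0d3ecc0e86b6' = 'msDS-Replication-Notify-Subsequent-DSA-Delay'
}
$R = [System.DirectoryServices.ActiveDirectoryRights]
# Rights that reach these attributes without naming them: an all-properties
# WriteProperty ACE (ObjectType = empty GUID) or the ability to rewrite the DACL.
$broadMask = $R::GenericAll -bor $R::GenericWrite -bor $R::WriteDacl -bor $R::WriteOwner

# Locate the crossRef under CN=Partitions in the Configuration NC (the same
# search the recipe's VBScript performs)
$configNC = (Get-ADRootDSE).configurationNamingContext
$crossRef = @(Get-ADObject -SearchBase "CN=Partitions,$configNC" -SearchScope OneLevel `
    -LDAPFilter "(&(objectCategory=crossRef)(dnsRoot=$AppPartitionDnsRoot))")
if ($crossRef.Count -ne 1) { throw "Did not find exactly one crossRef for $AppPartitionDnsRoot" }

$acl = Get-Acl -Path "AD:\$($crossRef[0].DistinguishedName)"
$findings = foreach ($ace in $acl.Access) {
    if ($ace.AccessControlType -ne 'Allow') { continue }
    $rights     = $ace.ActiveDirectoryRights
    $guid       = $ace.ObjectType.ToString()
    $named      = $delegatedAttrs.ContainsKey($guid)
    $writesProp = ($rights -band $R::WriteProperty) -ne 0
    $coversAll  = $ace.ObjectType -eq [Guid]::Empty
    $isBroad    = ($rights -band $broadMask) -ne 0
    if (-not ($isBroad -or ($writesProp -and ($named -or $coversAll)))) { continue }
    $attrName = if ($named) { $delegatedAttrs[$guid] } else { '(all properties / broad right)' }
    [pscustomobject]@{
        Trustee   = $ace.IdentityReference.Value
        Attribute = $attrName
        Rights    = $rights
        Inherited = $ace.IsInherited
    }
}
# Any trustee listed here that is not the intended delegate deserves a second look
$findings | Sort-Object Trustee, Attribute | Format-Table -AutoSize
```

Run it as a user with read access to the Configuration NC; inherited entries are shown so that a broad grant on the Partitions container itself is not overlooked.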

17.9.4 See Also

Recipe 14.5 for delegating control, Recipe 17.3 for more on adding and removing replica servers, Recipe 17.7 for more on the replication delay attributes, and Recipe 17.8 for more on the default security descriptor domain
