DFSDsc

DFSNamespaceRoot: Configure Delegation

Open randomnote1 opened this issue 5 years ago • 3 comments

Details of the scenario you tried and the problem that is occurring

I need to be able to configure the users in the Delegation tab. I think this is the most appropriate resource for this feature to be added.

Suggested solution to the issue

Use the Set-DfsnRoot cmdlet with the -GrantAdminAccounts parameter.

Delegate management permissions for DFS Namespaces

Version of the DSC module that was used ('dev' if using current dev branch)

4.4.0.0

randomnote1 Jun 10 '20 15:06

Hi @randomnote1 - this seems like a good feature to add.

This feature is non-trivial however, because the Get-DfsnRoot cmdlet doesn't return the list of AD groups granted Admin credentials. So determining if the resource is in state would be difficult or have a significant performance implication (e.g. scanning a large AD to determine if permissions were set on which accounts would be expensive).

If the above problem could be solved then we could add the following parameters:

    [Write, Description("Specifies an array of accounts to grant admin permissions on.")] String GrantAdminAccounts[];
    [Write, Description("Specifies an array of accounts to revoke admin permissions on.")] String RevokeAdminAccounts[];

PlagueHO Sep 28 '20 08:09

If anyone's trying to do this, it should be possible to do this using the ActiveDirectoryDsc module's ADObjectPermissionEntry resource

https://github.com/dsccommunity/ActiveDirectoryDsc/wiki/ADObjectPermissionEntry

To modify Delegate Management Permissions for all DFS Namespaces, you need to set permissions on

CN=DFS-Configuration,CN=System,DC=domain,DC=goes,DC=here

On a single namespace:

CN=NamespaceName,CN=DFS-Configuration,CN=System,DC=domain,DC=goes,DC=here

For all DFS Replication Groups:

CN=DFSR-GlobalSettings,CN=System,DC=domain,DC=goes,DC=here

For a single replication group:

CN=ReplicationGroupName,CN=DFSR-GlobalSettings,CN=System,DC=domain,DC=goes,DC=here

I hope this helps anyone else who wants to achieve this!

https://mskb.pkisolutions.com/kb/258992

https://learn.microsoft.com/en-us/troubleshoot/windows-server/networking/delegating-dfs-replication

Borgquite Feb 20 '24 12:02

For example, the following ActiveDirectoryDsc configuration will replicate the 'Delegate Management Permissions...' options within the DFS Management Console for both the Namespaces and Replication nodes:

# Create groups for Delegate Administration permissions for DFS Namespaces and DFS Replication Groups
ADGroup "DFSN Admins"
{
    GroupName = "DFSN Admins"
    GroupScope = "DomainLocal"
    Path = "CN=Users,DC=contoso,DC=com"
    Description = "Members of this group can create new DFS Namespaces within the domain"
    Ensure = "Present"
}
ADObjectPermissionEntry "DFSN Admins"
{
    Path = "CN=Dfs-Configuration,CN=System,DC=contoso,DC=com"
    IdentityReference = "CONTOSO\DFSN Admins"
    ActiveDirectoryRights = "CreateChild" # Create all child objects
    AccessControlType = "Allow"
    ObjectType = "00000000-0000-0000-0000-000000000000" # All object types
    ActiveDirectorySecurityInheritance = "None"
    InheritedObjectType = "00000000-0000-0000-0000-000000000000" # This object only
    Ensure = "Present"
    DependsOn = 
    @(
        "[ADGroup]DFSN Admins"
    )
}
ADGroup "DFSR Admins"
{
    GroupName = "DFSR Admins"
    GroupScope = "DomainLocal"
    Path = "CN=Users,DC=contoso,DC=com"
    Description = "Members of this group can create new DFS Replication Groups within the domain"
    Ensure = "Present"
}
ADObjectPermissionEntry "DFSR Admins"
{
    Path = "CN=DFSR-GlobalSettings,CN=System,DC=contoso,DC=com"
    IdentityReference = "CONTOSO\DFSR Admins"
    ActiveDirectoryRights = "CreateChild" # Create all child objects
    AccessControlType = "Allow"
    ObjectType = "00000000-0000-0000-0000-000000000000" # All object types
    ActiveDirectorySecurityInheritance = "None"
    InheritedObjectType = "00000000-0000-0000-0000-000000000000" # This object only
    Ensure = "Present"
    DependsOn = 
    @(
        "[ADGroup]DFSR Admins"
    )
}

https://regularsysadmin.wordpress.com/2015/02/01/delegating-dfs-to-non-domain-admins/
https://www.itprotoday.com/windows-78/jsi-tip-6319-how-do-i-delegate-ability-create-dfs-shares-windows-2000-server
https://mskb.pkisolutions.com/kb/258992
https://learn.microsoft.com/en-us/troubleshoot/windows-server/networking/delegating-dfs-replication
https://learn.microsoft.com/en-us/windows-server/storage/dfs-namespaces/delegate-management-permissions-for-dfs-namespaces

Borgquite Feb 26 '24 17:02
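The ACL-based approach in the comments above also answers the "is the resource in state" question raised earlier: the delegation lives in the AD ACL of the two System containers, so it can be read back directly. The following audit function is an added example, not code from the DFSDsc project or from the thread's authors; it assumes the ActiveDirectory module (for the AD: drive), a constructed domain DN of DC=contoso,DC=com, and the constructed group names used in the configuration above.

```powershell
# Added example: report who holds "Delegate Management Permissions" on the DFS Namespace
# and DFS Replication configuration containers, and flag principals outside an approved list.
# Assumes the ActiveDirectory module is available; domain DN and group names are constructed.
Import-Module ActiveDirectory

function Get-DfsDelegation {
    param(
        [Parameter(Mandatory)] [string]   $DomainDN,                 # e.g. 'DC=contoso,DC=com'
        [string[]]                        $ExpectedPrincipals = @()  # principals allowed to hold delegation
    )
    $containers = @(
        "CN=Dfs-Configuration,CN=System,$DomainDN",    # DFS Namespaces (Set-DfsnRoot -GrantAdminAccounts target)
        "CN=DFSR-GlobalSettings,CN=System,$DomainDN"   # DFS Replication groups
    )
    $createChild = [System.DirectoryServices.ActiveDirectoryRights]::CreateChild
    $genericAll  = [System.DirectoryServices.ActiveDirectoryRights]::GenericAll

    foreach ($dn in $containers) {
        $acl = Get-Acl -Path "AD:\$dn"
        # Only explicit (non-inherited) Allow ACEs that grant CreateChild or GenericAll are the
        # delegation entries the DFS Management Console shows; inherited ACEs come from the domain head.
        $acl.Access |
            Where-Object {
                -not $_.IsInherited -and
                $_.AccessControlType -eq 'Allow' -and
                ($_.ActiveDirectoryRights.HasFlag($createChild) -or $_.ActiveDirectoryRights.HasFlag($genericAll))
            } |
            ForEach-Object {
                [pscustomobject]@{
                    Container  = $dn
                    Principal  = $_.IdentityReference.Value
                    Rights     = $_.ActiveDirectoryRights
                    ObjectType = $_.ObjectType          # all-zero GUID means "all object types"
                    Approved   = ($ExpectedPrincipals -contains $_.IdentityReference.Value)
                }
            }
    }
}

# Usage: list every delegated principal; rows with Approved = False are unexpected delegations
Get-DfsDelegation -DomainDN 'DC=contoso,DC=com' `
                  -ExpectedPrincipals 'CONTOSO\DFSN Admins', 'CONTOSO\DFSR Admins' |
    Format-Table -AutoSize
```

Built-in principals such as Domain Admins and SYSTEM will normally appear on both containers, so add them to the approved list before treating any remaining row as drift.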