Last week I came across a company where its IT personnel is divided into teams based on specific services that the IT department offers the customers. Usually the Distributed File System (DFS) is managed by the person or the group of people who manages the Active Directory. However, in this scenario there is a different team to manage DFS, who is not responsible for managing the Active Directory.
At the time I started working with this, the practice has been for years is that, if a delegation cannot be easily done using the delegation wizard, a person was granted the Domain Admin privileges (or at least that was how it seemed). This needed to be changed!
When you open the DFS Management MMC console, the delegation is pretty straight forward. You can delegate separately for Namespaces and Replication groups using the Delegate Management Permission… option in the Actions pane.
This seemingly simple task becomes complicated when you have many replication groups as the delegations should be set for each group individually. In addition to this painstaking task, the delegations will need to be done for each new namespace and replication group individually as the delegations are not inherited. For a lazy guy like me, this was unacceptable! 🙂 It was time to dig deeper to find the gems!!
The DFS configuration metadata is stored in the containers Dfs-Configuration and DFSR-GlobalSettings in Active Directory. These containers can be found under the container System. The container Dfs-Configuration holds the DFS Namespace metadata in fTDfs objects and the container DFSR-GlobalSettings holds the DFS Replication metadata in msDFSR-ReplicationGroup objects.
At this point you can be creative on how you want to grant privileges. For my task I just needed to delegate the full control of DFS to the DFS team. So in the security settings of these two containers I added an ACL to allow Full Control for This object and all descendant objects to a new security group named “DFS Admins”. That’s all there is to it! Now when I go to the Delegation tab of a replication group, I can see the DFS Admins group has an ACL that is Inherited. A similar ACL will be there for the namespaces as well.