You may need to grok RBAC for Windows Server 2012

Role-Based Access Control (RBAC) isn’t a fad. It’s present in products like Exchange 2010 and is available extensively in the new System Center 2012 suite of products. In a nutshell, RBAC differs from the traditional administrative model, which was “this is the specific set of powers you have over all objects in the domain”. With RBAC you have a set of specific powers, but those powers have a limited scope.

I’m wildly speculating that one of the big changes that’s coming down the pipe with the release of Windows Server ‘8’ (I still think it will be called Windows Server 2012) will be the introduction of a greater RBAC structure for Windows Server and Active Directory administration.

The signs are partly there. We know that there is a massive increase in the number of PowerShell cmdlets available to administrators in the next release of Windows Server. It isn’t too long a bow to draw to assume that the structure of RBAC in Exchange 2010 (where you grant the use of specific cmdlets and parameters over a scope of specific Exchange objects) could work with Windows Server 2012. There will probably be the traditional Domain Admins and Enterprise Admins groups, but I’m also wildly speculating that you’ll have the ability to create management roles and scopes, being able to simply and easily create administrative groups that have more defined privileges over specific scopes than the current super-powered mega groups.

While you can sort of do this already using the Delegation of Control Wizard, using the Exchange model of collecting cmdlets and parameters for the “what you can do” and object scopes for the “where you can do it” would provide substantially more flexibility than the “this is the list of tasks you can delegate over this AD object and all its children” approach of the current system.
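The Exchange 2010 model described above, as an added example that is not part of the original post: a custom management role trimmed to a few cmdlets and parameters (the “what”), a management scope (the “where”), and a role group that binds the two. The role, scope, group, OU and member names are hypothetical placeholders; run it in the Exchange Management Shell.

```powershell
# Added example for Exchange 2010. Every name below (role, scope, group,
# contoso.com/Melbourne, kim.akers) is a hypothetical placeholder.

# --- "What you can do": a child of the built-in Mail Recipients role ---
# A child role starts with its parent's entries and can only be narrowed.
New-ManagementRole -Name "Help Desk Recipients" -Parent "Mail Recipients"

# Strip every entry except the read-only Get-* cmdlets and Set-Mailbox.
Get-ManagementRoleEntry "Help Desk Recipients\*" |
    Where-Object { $_.Name -notlike "Get-*" -and $_.Name -ne "Set-Mailbox" } |
    Remove-ManagementRoleEntry -Confirm:$false

# Narrow Set-Mailbox itself: only the listed parameters remain usable.
Set-ManagementRoleEntry "Help Desk Recipients\Set-Mailbox" `
    -Parameters Identity, DisplayName, SimpleDisplayName

# --- "Where you can do it": user mailboxes under one OU only ---
New-ManagementScope -Name "Melbourne Mailboxes" `
    -RecipientRoot "contoso.com/Melbourne" `
    -RecipientRestrictionFilter { RecipientType -eq "UserMailbox" }

# --- Bind role and scope to a group of people ---
New-RoleGroup -Name "Melbourne Help Desk" `
    -Roles "Help Desk Recipients" `
    -CustomRecipientWriteScope "Melbourne Mailboxes" `
    -Members "kim.akers"

# --- Review what was actually granted ---
# Cmdlets and parameters left in the role:
Get-ManagementRoleEntry "Help Desk Recipients\*" |
    Format-Table Name, Parameters -AutoSize

# Scope attached to the group's role assignment:
Get-ManagementRoleAssignment -RoleAssignee "Melbourne Help Desk" |
    Format-List Role, RecipientWriteScope, CustomRecipientWriteScope
```

A member of the group can change a display name on a Melbourne mailbox, but the same cmdlet against a mailbox outside the scope, or with a parameter not listed in the role entry, is refused.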

With RBAC in Windows Server 8, it will be possible to create administrative groups that are tailored to individual job roles, rather than Superman-level groups that allow you to do any job you want because they basically give you every permission that you’d ever need.

But again, this is all wildly uninformed speculation. Windows Server 8 is shipping with a heck of a lot of new PowerShell cmdlets. It just seems to make sense that the admin model used in products like Exchange 2010 will cross over and become the default model for managing traditional Windows Server administration.

Follow me on twitter: @orinthomas

Discuss this Blog Entry 1

on Jan 4, 2012
The ability to delegate fine-grained control over specific functionality in Windows has been a sore spot for many years. Microsoft has added RBAC functionality little by little in certain areas, but I agree that it looks like there will be even more control available in Windows Server 8. I've spent the last several years building enterprise tools, internally, to delegate server admin functions because there has been no easy way to do it so far without giving out full admin access. I'm currently building a commercial product that is laser focused on providing large IT shops with an easy and secure way to delegate administrative privileges on Windows Server 2003 and up. It's called System Frontier. I haven't started testing it with Server 8 yet, but it'll be interesting to see what Microsoft has in store - especially with Jeffrey Snover leading the server division.


What's Hyperbole, Embellishment, and Systems Administration Blog?

IT pro Orin Thomas provides true tales, snafus, news, and urban legends for Microsoft Windows system administrators.


Orin Thomas

Orin Thomas is a contributing editor for Windows IT Pro and a Windows Security MVP. He has authored or coauthored more than thirty books for Microsoft Press, founded the Melbourne System Center,...