Contents
Overview 1
Identifying Business Needs 2
Characterizing the IT Organization 4
Developing a Strategy for Administrative Design 5
Developing a Strategy for Delegation 15
Lab A: Designing Delegated Administration 24
Review 35
Module 3: Designing Active Directory to Delegate Administrative Authority
Information in this document is subject to change without notice. The names of companies,
products, people, characters, and/or data mentioned herein are fictitious and are in no way intended
to represent any real individual, company, product, or event, unless otherwise noted. Complying
with all applicable copyright laws is the responsibility of the user. No part of this document may
be reproduced or transmitted in any form or by any means, electronic or mechanical, for any
purpose, without the express written permission of Microsoft Corporation. If, however, your only
means of access is electronic, permission to print one copy is hereby granted.
Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual
property rights covering subject matter in this document. Except as expressly provided in any
written license agreement from Microsoft, the furnishing of this document does not give you any
license to these patents, trademarks, copyrights, or other intellectual property.
© 2000 Microsoft Corporation. All rights reserved.
Microsoft, Windows, Windows NT, Active Directory, BackOffice, PowerPoint, Visual Basic, and
Visual Studio are either registered trademarks or trademarks of Microsoft Corporation in the
U.S.A. and/or other countries.
Other product and company names mentioned herein may be the trademarks of their respective
owners.
Project Lead: Andy Sweet (S&T OnSite)
Instructional Designers: Andy Sweet (S&T OnSite), Ravi Acharya (NIIT), Sid Benavente,
Richard Rose, Kathleen Norton
Instructional Design Consultants: Paul Howard, Susan Greenberg
Program Managers: Lorrin Smith-Bates (Volt), Megan Camp (Independent Contractor)
Technical Contributors: Angie Fultz, Lyle Curry, Brian Komar (3947018 Manitoba, Inc.), Jim
Clark (Infotec Commercial Systems), Bill Wade (Excell Data Corporation), David Stern, Steve
Tate, Greg Bulette (Independent Contractor), Kathleen Cole (S&T OnSite)
Graphic Artist: Kirsten Larson (S&T OnSite)
Editing Manager: Lynette Skinner
Editor: Jeffrey Gilbert (Wasser)
Copy Editor: Patti Neff (S&T Consulting)
Online Program Manager: Debbi Conger
Online Publications Manager: Arlo Emerson (Aditi)
Online Support: Eric Brandt (S&T Consulting)
Multimedia Development: Kelly Renner (Entex)
Testing Leads: Sid Benavente, Keith Cotton
Testing Developer: Greg Stemp (S&T OnSite)
Compact Disc and Lab Testing: Testing Testing 123
Production Support: Ed Casper (S&T Consulting)
Manufacturing Manager: Rick Terek (S&T OnSite)
Manufacturing Support: Laura King (S&T OnSite)
Lead Product Manager, Development Services: Bo Galford
Lead Product Managers: Dean Murray, Ken Rosen
Group Product Manager: Robert Stewart
Module 3: Designing Active Directory to Delegate Administrative Authority iii
Instructor Notes
Microsoft® Windows® 2000 Active Directory™ provides administrators with
control over who has access to information in Active Directory. This module
identifies strategies for planning the hierarchy of an Active Directory structure
that best supports the delegation needs of an organization. The module also
discusses how to manage permissions on directory objects and properties. By
directly managing permissions, administrators can specify precisely which
accounts can access the directory and the level of access that they can have.
At the end of this module, students will be able to:
! Identify the administrative needs of an organization that impact an Active
Directory design.
! Develop a strategy for administrative design of Active Directory.
! Develop a strategy for administrative delegation at the site, domain, and
organizational unit (OU) level.
Lab A, Designing Delegated Administration, begins with hands-on exercises in
which the student will be given predefined requirements for the delegation of
administrative authority within an organization. The student will run a script
that implements a delegation design scenario for testing purposes. The student
will then examine and test the design against the predefined requirements to
determine whether or not the design is successful. In the scenario-based
exercises, the students will work in pairs to determine a delegation strategy for
a small and a medium organization. The students will create an OU design to
meet the business and administrative needs of the organizations and defend
their designs to the class. As you lead the discussion, be sure to reinforce best
practices and map design decisions back to business needs.
Materials and Preparation
This section provides you with the materials and preparation needed to teach
this module.
Required Materials
To teach this module, you need the following materials:
! Microsoft PowerPoint® file 1561b_03.ppt
! Visio 2000
Preparation Tasks
To prepare for this module, you should:
! Read all of the materials for this module.
! Complete the lab.
! Practice the demonstration.
! Read the following technical white paper located on the Trainer Materials
compact disc:
• Chapter 11, “Planning Distributed Security,” of the Windows 2000
Server Resource Kit Deployment Planning Guide
Presentation: 75 Minutes
Lab: 60 Minutes
Instructor Setup for a Lab
This section provides setup instructions required to prepare the instructor
computer or classroom configuration for a lab.
Lab A
1. Make sure you have a share titled \\London\solutions.
2. Stress to the students that the validation portion of the lab will be in two
parts: one to delegate authority and another to test it.
3. Make sure the students do not create a design with too many details, such as
Group Policy or security groups, for the OU structure in the design portion
of the lab. The design should reflect the OU structure only.
4. Be certain to discuss the design exercises with the students after the lab is
complete.
Demonstration
This section provides demonstration procedures that will not fit in the margin
notes or are not appropriate for the student notes.
Visio 2000 Enterprise Edition
! To start the Visio 2000 Active Directory template
1. Start Visio 2000 Enterprise Edition.
2. Select Choose drawing type in the Create new drawing dialog box and
click OK.
3. In the Choose Drawing Type dialog box, select Network Diagram in the
Category list, select Active Directory in the Drawing type window, and
then click OK.
4. Ensure that Work offline is selected, and then click OK in the Connect to
Directory dialog box.
! To start an Active Directory drawing
1. Drag the Domain shape from the Active Directory Objects stencil on the
right side of the window on to the drawing page.
2. Use the toolbar at the top of the Visio window to zoom in on the domain
shape.
3. Select the shape, and then type nwtraders.msft to name it. Press ESC to
accept the change.
4. Drag the Organizational Unit shape from the Active Directory Objects
stencil and place it on the existing domain shape. Type Paris and then press
ESC.
5. Drag two more Organizational Unit shapes onto the domain shape from
the Active Directory Objects stencil. Name the OUs by clicking on them
and typing Denver and Singapore.
6. Drag an Organizational Unit shape onto the Singapore OU. Type
Bangalore and then press ESC.
7. Drag an Organizational Unit shape onto the nwtraders.msft domain and
name it Marketing.
! To modify the drawing
1. Select the Marketing OU in the Directory Navigator window and press
DELETE.
Deleting the OU in the drawing window only removes it from the
drawing. Right-clicking the parent shape and selecting Show children
causes the shape to reappear. The only way to permanently delete a shape is
to delete it from the Directory Navigator.
2. Drag the Bangalore shape in the drawing window so that it is on top of the
nwtraders.msft shape.
This will move the shape so that it is at the same level as the other OUs.
3. Right-click the nwtraders.msft domain shape and select Layout children.
Select one of the Vertical layouts, and then click OK.
! To view other shapes
1. Show students the other shapes that are in the Active Directory Objects
stencil.
2. View the Active Directory Sites and Services stencil by clicking Active
Directory Sites and Services in the lower left corner of the Visio window.
3. Show students the shapes in this stencil as well.
Module Strategy
Use the following strategy to present this module:
! Identifying Business Needs
Begin the module by describing methods to identify and document the
administrative needs of an organization as they relate to an Active Directory
design.
! Characterizing the IT Organization
This page describes how the Information Technology (IT) organization can
be characterized. Emphasize the importance of designing an Active
Directory structure to meet IT needs.
! Developing a Strategy for Administrative Design
This section describes the different strategies of designing the Active
Directory in compliance with the administrative model of the organization.
Explain in detail the common strategies used to design an Active Directory
hierarchy, and discuss how these strategies can be combined into hybrid
hierarchies.
! Developing a Strategy for Delegation
The section describes the strategies used for delegating authority. Describe
how both object-based and task-based administrative authority can be
delegated within an Active Directory structure. Explain the guidelines for
determining the appropriate level of delegation.
Customization Information
This section identifies the lab setup requirements for a module and the
configuration changes that occur on student computers during the labs. This
information is provided to assist you in replicating or customizing Microsoft
Official Curriculum (MOC) courseware.
The lab in this module includes a script to be run at the beginning and end of
the lab, creating and returning the computer to the default configuration for the
course. As a result, there are no lab setup requirements or configuration changes
that affect replication or customization.
Overview
! Identifying Business Needs
! Characterizing the IT Organization
! Developing a Strategy for Administrative Design
! Developing a Strategy for Delegation
Microsoft® Windows® 2000 Active Directory™ provides network architects
with control over information access in Active Directory. By structuring the
Active Directory hierarchy and then managing the permissions on directory
objects and properties, you can precisely specify the accounts that can access
the directory and the level of permissions that they can have. For example, you
can give a person authority over user passwords in a particular organizational
unit (OU), without giving that person any control over other objects or
attributes in Active Directory. This precise specification allows administrators
to delegate specific authority over portions of the directory to groups of users,
without making directory information vulnerable to unauthorized access.
At the end of this module, you will be able to:
! Identify the business needs of an organization that will impact the
hierarchical design of Active Directory.
! Develop a strategy for planning an administrative design that facilitates
delegation.
! Develop strategies for delegation of administrative authority.
Slide Objective: To provide an overview of the module topics and objectives.
Lead-in: In this module, you will learn about the different strategies that are
used to delegate administrative authority by using Active Directory.
Identifying Business Needs
[Slide: Documenting the Administrative Process: Level of Administration;
Who Administers What; Build Flexibility Into Plan. Figure: a sample
organizational chart with the nodes CEO, Accounting, Accounts Payable,
Accounts Receivable, IT Infrastructure, Northwest, Northeast, Southeast,
Seattle, Portland, Atlanta, Charlotte, Information Technology, Logistics,
Purchasing, Human Resources, and Production.]
Organizations can delegate administrative authority by granting limited
administrative permissions to trusted individuals. Delegation reduces the
workload and responsibility of a single administrator, and it keeps
administrative authority over one part of the organization separate from
authority over the rest. Managers who have the appropriate administrative
rights can, in turn, delegate administration of a subset of their accounts and
resources to other individuals. To support delegation of administrative
authority, design the Active Directory structure around the administrative
Information Technology (IT) structure the organization wants, not the one it
happens to have today.
Documenting the Administrative Process
Begin by documenting the existing structure of the organization. One strategy is
to divide the administrative tasks into categories and then document the
administrator or administrators responsible for each category.
Once the existing process has been documented, you should work with the
planning team to identify areas for improvement. For example, it may be more
cost-effective to combine several IT teams from different divisions. You may
identify non-IT employees who can assist in the administrative process and
reduce the IT staff workload. This allows the IT staff to focus on the areas
where their expertise is most needed.
Slide Objective: To emphasize the importance of identifying the existing
administrative process of an organization.
Lead-in: The Active Directory structure should support an organization’s
administrative structure.
Key Points: Make the Active Directory design support the administrative
structure, allowing the ability to delegate administrative tasks, including
permission to delegate to the lower layers. Do not try to map to the
organizational chart. It’s important to document the way you want to
administer your network.
Once the existing and desired processes are identified, use the following as
guidelines for your delegation plan:
! Determine the level of administration. Decide what each group should
control and at what level in the administrative hierarchy you will delegate
administration. The delegation plan should define what permissions a group
of users may have for that level of the hierarchy.
! Identify the administrators and the users and resources they administer.
This information will help determine the ownership and permissions
assignment to the OUs you create to support the delegation plan. An
administrator or the object owner must grant users access rights to an object
in Active Directory before users can have access to the object.
! Build flexibility into your delegation model. You can grant rights to
administrators to manage a small set of users or groups within their area of
responsibility and, at the same time, deny rights to manage accounts in other
parts of the organization. For example, you may want to grant printer
control rights to a small group of users. You may allow certain OU
administrators to have Full Control over specific OUs and objects. You may
restrict other administrators altogether, so that they are not able to view
the OU.
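A worked delegation, added here as an example and not part of the course materials, of the narrow grant the module overview describes (authority over user passwords in one OU and nothing else), followed by the check the lab's validation step calls for: reading the OU's ACL back to confirm exactly what was granted. It uses the ActiveDirectory PowerShell module on a current Windows domain rather than the Windows 2000 Delegation of Control wizard. The domain name nwtraders.msft comes from the Visio demonstration; the OU name Paris and the group name "Paris Help Desk" are assumptions.

```powershell
# Added example (not from the course materials): delegate only "Reset Password"
# on user objects in one OU to a group, then audit what the OU's ACL grants.
# Assumptions: the ActiveDirectory PowerShell module is installed, the domain is
# nwtraders.msft (the name used in the Visio demonstration), the OU "Paris" and
# the group "Paris Help Desk" already exist, and the caller may modify the OU's
# security descriptor. Runs on current Windows tooling, not Windows 2000.
Import-Module ActiveDirectory

$ouDn      = "OU=Paris,DC=nwtraders,DC=msft"
$groupName = "Paris Help Desk"

# Well-known GUIDs from the AD schema / extended-rights container.
$userClassGuid = [Guid]"bf967aba-0de6-11d0-a285-00aa003049e2"   # schemaIDGUID of class "user"
$resetPwdGuid  = [Guid]"00299570-246d-11d0-a768-00aa006e0529"   # rightsGuid of "Reset Password"

$group = Get-ADGroup -Identity $groupName
$sid   = [System.Security.Principal.SecurityIdentifier]$group.SID

$acl = Get-Acl -Path "AD:\$ouDn"

# One ACE: Allow the Reset Password control-access right, inherited only by
# descendant objects whose class is "user". Nothing is granted on the OU
# itself, on other object classes, or on any other attribute or right.
$ruleArgs = @(
    $sid,
    [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight,
    [System.Security.AccessControl.AccessControlType]::Allow,
    $resetPwdGuid,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents,
    $userClassGuid
)
$rule = New-Object -TypeName System.DirectoryServices.ActiveDirectoryAccessRule -ArgumentList $ruleArgs
$acl.AddAccessRule($rule)
Set-Acl -Path "AD:\$ouDn" -AclObject $acl

# Test the delegation: re-read the ACL and list every ACE that was set on this
# OU directly (not inherited from the domain), so the grant can be compared
# against the delegation plan line by line.
$acl = Get-Acl -Path "AD:\$ouDn"
$acl.Access |
    Where-Object { -not $_.IsInherited } |
    Select-Object IdentityReference, AccessControlType, ActiveDirectoryRights,
                  ObjectType, InheritedObjectType, InheritanceType |
    Format-Table -AutoSize
```

In the audit output the new entry should show ExtendedRight with ObjectType equal to the Reset Password GUID and InheritedObjectType equal to the user class GUID; an entry for the same group showing GenericAll, WriteDacl, WriteOwner, or an unscoped WriteProperty is a wider grant than "reset passwords", whatever label the wizard gave it, and is the kind of finding the lab's validation step is meant to surface. Scoping the ACE by inherited object class is what keeps "authority over user passwords in one OU" from quietly becoming authority over the OU and everything in it.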
Characterizing the IT Organization
! Centralized IT
! Centralized IT with Decentralized Management
! Decentralized IT
! Outsourced IT
Before designing the administrative structure of an organization, you must first
characterize your IT organization. The most common IT organizations are:
! Centralized IT. The centralized IT organization reports to a single
individual, and is usually the group responsible for all network and
information services, although some day-to-day tasks may be delegated to
certain groups or departments.
! Centralized IT with Decentralized Management. IT organizations often
employ distributed management, where control is spread out across more
than one location. In this model, a centrally located core IT team has
responsibility for the base infrastructure services, but delegates most of the
day-to-day operations to IT groups in branch offices, which provide local
administrative support to their users.
! Decentralized IT. This type of organization allows various business units to
select an appropriate IT model to serve the needs of each individual unit.
This type of organization may have multiple IT groups with varying needs
and goals. Whenever there are organization-wide technology initiatives,
such as an upgrade to an organization-wide messaging application, the IT
groups must work together to implement changes.
! Outsourced IT. Some organizations may choose to outsource all or part of
their IT organization. When only parts of the IT organization are
outsourced, it becomes imperative that a proper delegation model be
implemented. Thus, the internal IT group maintains control of the
organization without compromising the service level agreements the
outsourced company has committed to provide. For example, if an
outsourced company has committed to support the physical infrastructure of
an organization’s network, you may choose to create OUs to contain the
routers, servers, and any other items over which they may need control.
Slide Objective: To illustrate the design of a location-based hierarchy.
Lead-in: An Active Directory delegation strategy should reflect the IT needs
of an organization.
Excerpts from later pages of the module (only fragments survive in this
extraction; elisions are marked with “...”):

... (Lightweight Directory Access Protocol) Data Interchange Format, files
from current deployments in Active Directory. Visio can also export an Active
Directory drawing created in Visio to an LDIF file that can, in turn, be
imported into a live Active Directory. You will use Visio in the lab to
document your design decisions.

Lab A: Designing ... running Windows 2000.
! The knowledge and skills to delegate administrative authority by using the
Active Directory Users and Computers console.
! The knowledge and skills to perform various administrative tasks using the
Active Directory Users and Computers console.

Lab Setup
To complete this lab, you need the following: Your ...

Developing a Strategy for Administrative Design
Slide Objective: To describe how administrative designs can be organized.
! Designing a Hierarchy Based on Location
! Designing a Hierarchy Based on Organization
! Designing a Hierarchy Based on Function
! Designing a Hybrid Hierarchy by Location then Organization
! Designing ...
Lead-in: ...

... map to the administrative needs of an organization. If you design the
Active Directory structure to reflect the organizational chart, it may be
difficult to delegate administrative authority, because the objects in the
Active Directory, such as printers and file shares, may not be grouped in a
way that facilitates delegation of administrative authority. Because users
never see the Active Directory structure, ...

... for delegating authority at different administrative levels.
! Creating strategies for planning inheritance of permissions
! Documenting the delegation plan
! Examining guidelines for designing delegation of authority

Determining Delegation Methods
Slide Objective: To describe the methods that can be used to delegate
users ...

... box to start the script.
d. Click OK to finish the script.
3. Open Active Directory Users and Computers, and then connect to your
domain.
a. ...
4. Use the Delegation of Control wizard to delegate full control.
a. Click Start, point to Programs, point to Administrative Tools, and then
click Active Directory Users and Computers.
b. If you are not connected to your domain, right-click the domain and
select Connect to ...

... identified in questions 1 through 6. To finish the exercise, run the
\\London\labs\Remove3.vbs script to remove the OUs, users, and groups.

Exercise 3: Designing an Administrative Strategy for a Small Organization
In this exercise, work with your partners to choose a strategy for delegation
of administrative authority for Seven Gables ...

... reduces administrative overhead.

Demonstration: Using Visio 2000
Slide Objective: To demonstrate Visio 2000.
Lead-in: In this demonstration, we will explore using Visio 2000, which you
will use in the following lab.
Visio 2000 Enterprise Edition is a drag and drop drawing tool used to document
Active Directory designs. Visio can import ...

... administrator’s convenience instead of the users’ convenience.

Characteristics of Organization-based Designs
When deciding whether to organize the Active Directory structure by
organization, consider the following characteristics of organization-based
designs:
! Reflects Business Model. An organizational structure tends to better ...

... be able to manage a small set of users or groups within their area of
responsibility, such as a container in the Active Directory structure. For
example, a user can be given the ability to manage printer queues and file
resources within a particular OU or among several OUs.

Determining Object Ownership
Slide Objective: To illustrate ...
administrative authority by
using Active Directory.
2 Module 3: Designing Active Directory to Delegate Administrative Authority.
Module 3: Designing Active Directory to Delegate Administrative Authority iii
Instructor Notes
Microsoft
®
Windows
®
2000 Active Directory
™
Ngày đăng: 17/01/2014, 09:20
Xem thêm: Tài liệu Module 3: Designing Active Directory to Delegate Administrative Authority docx, Tài liệu Module 3: Designing Active Directory to Delegate Administrative Authority docx