Document: Module 3: Designing Active Directory to Delegate Administrative Authority (docx)


Contents

Overview
Identifying Business Needs
Characterizing the IT Organization
Developing a Strategy for Administrative Design
Developing a Strategy for Delegation
Lab A: Designing Delegated Administration
Review

Module 3: Designing Active Directory to Delegate Administrative Authority

Information in this document is subject to change without notice. The names of companies, products, people, characters, and/or data mentioned herein are fictitious and are in no way intended to represent any real individual, company, product, or event, unless otherwise noted. Complying with all applicable copyright laws is the responsibility of the user. No part of this document may be reproduced or transmitted in any form or by any means, electronic or mechanical, for any purpose, without the express written permission of Microsoft Corporation. If, however, your only means of access is electronic, permission to print one copy is hereby granted.

Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual property rights covering subject matter in this document. Except as expressly provided in any written license agreement from Microsoft, the furnishing of this document does not give you any license to these patents, trademarks, copyrights, or other intellectual property.

© 2000 Microsoft Corporation. All rights reserved.

Microsoft, Windows, Windows NT, Active Directory, BackOffice, PowerPoint, Visual Basic, and Visual Studio are either registered trademarks or trademarks of Microsoft Corporation in the U.S.A. and/or other countries.

Other product and company names mentioned herein may be the trademarks of their respective owners.
Project Lead: Andy Sweet (S&T OnSite)
Instructional Designers: Andy Sweet (S&T OnSite), Ravi Acharya (NIIT), Sid Benavente, Richard Rose, Kathleen Norton
Instructional Design Consultants: Paul Howard, Susan Greenberg
Program Managers: Lorrin Smith-Bates (Volt), Megan Camp (Independent Contractor)
Technical Contributors: Angie Fultz, Lyle Curry, Brian Komar (3947018 Manitoba, Inc.), Jim Clark (Infotec Commercial Systems), Bill Wade (Excell Data Corporation), David Stern, Steve Tate, Greg Bulette (Independent Contractor), Kathleen Cole (S&T OnSite)
Graphic Artist: Kirsten Larson (S&T OnSite)
Editing Manager: Lynette Skinner
Editor: Jeffrey Gilbert (Wasser)
Copy Editor: Patti Neff (S&T Consulting)
Online Program Manager: Debbi Conger
Online Publications Manager: Arlo Emerson (Aditi)
Online Support: Eric Brandt (S&T Consulting)
Multimedia Development: Kelly Renner (Entex)
Testing Leads: Sid Benavente, Keith Cotton
Testing Developer: Greg Stemp (S&T OnSite)
Compact Disc and Lab Testing: Testing Testing 123
Production Support: Ed Casper (S&T Consulting)
Manufacturing Manager: Rick Terek (S&T OnSite)
Manufacturing Support: Laura King (S&T OnSite)
Lead Product Manager, Development Services: Bo Galford
Lead Product Managers: Dean Murray, Ken Rosen
Group Product Manager: Robert Stewart

Instructor Notes

Microsoft® Windows® 2000 Active Directory™ provides administrators with control over who has access to information in Active Directory. This module identifies strategies for planning the hierarchy of an Active Directory structure that best supports the delegation needs of an organization. The module also discusses how to manage permissions on directory objects and properties. By directly managing permissions, administrators can specify precisely which accounts can access the directory and the level of access that they can have.

At the end of this module, students will be able to:
• Identify the administrative needs of an organization that impact an Active Directory design.
• Develop a strategy for administrative design of Active Directory.
• Develop a strategy for administrative delegation at the site, domain, and organizational unit (OU) level.

Lab A, Designing Delegated Administration, begins with hands-on exercises in which the student will be given predefined requirements for the delegation of administrative authority within an organization. The student will run a script that implements a delegation design scenario for testing purposes. The student will then examine and test the design against the predefined requirements to determine whether or not the design is successful.

In the scenario-based exercises, the students will work in pairs to determine a delegation strategy for a small and a medium organization. The students will create an OU design to meet the business and administrative needs of the organizations and defend their designs to the class. As you lead the discussion, be sure to reinforce best practices and map design decisions back to business needs.

Presentation: 75 Minutes
Lab: 60 Minutes

Materials and Preparation

This section provides you with the materials and preparation needed to teach this module.

Required Materials

To teach this module, you need the following materials:
• Microsoft PowerPoint® file 1561b_03.ppt
• Visio 2000

Preparation Tasks

To prepare for this module, you should:
• Read all of the materials for this module.
• Complete the lab.
• Practice the demonstration.
• Read the following technical white paper located on the Trainer Materials compact disc:
  • Chapter 11, “Planning Distributed Security,” of the Windows 2000 Server Resource Kit Deployment Planning Guide

Instructor Setup for a Lab

This section provides setup instructions required to prepare the instructor computer or classroom configuration for a lab.

Lab A
1. Make sure you have a share titled \\London\solutions.
2. Stress to the students that the validation portion of the lab will be in two parts: one to delegate authority and another to test it.
3. Make sure the students do not create a design with too many details, such as Group Policy or security groups, for the OU structure in the design portion of the lab. The design should reflect the OU structure only.
4. Be certain to discuss the design exercises with the students after the lab is complete.

Demonstration

This section provides demonstration procedures that will not fit in the margin notes or are not appropriate for the student notes.

Visio 2000 Enterprise Edition

To start the Visio 2000 Active Directory template
1. Start Visio 2000 Enterprise Edition.
2. Select Choose drawing type in the Create new drawing dialog box and click OK.
3. In the Choose Drawing Type dialog box, select Network Diagram in the Category list, select Active Directory in the Drawing type window, and then click OK.
4. Ensure that Work offline is selected, and then click OK in the Connect to Directory dialog box.

To start an Active Directory drawing
1. Drag the Domain shape from the Active Directory Objects stencil on the right side of the window onto the drawing page.
2. Use the toolbar at the top of the Visio window to zoom in on the domain shape.
3. Select the shape, and then type nwtraders.msft to name it. Press ESC to accept the change.
4. Drag the Organizational Unit shape from the Active Directory Objects stencil and place it on the existing domain shape. Type Paris and then press ESC.
5. Drag two more Organizational Unit shapes onto the domain shape from the Active Directory Objects stencil. Name the OUs by clicking on them and typing Denver and Singapore.
6. Drag an Organizational Unit shape onto the Singapore OU. Type Bangalore and then press ESC.
7. Drag an Organizational Unit shape onto the nwtraders.msft domain and name it Marketing.

To modify the drawing
1. Select the Marketing OU in the Directory Navigator window and press DELETE. Deleting the OU in the drawing window will only delete it from the drawing. Right-clicking the parent shape and selecting Show children will cause the shape to reappear. The only way to permanently delete a shape is to delete it from the Directory Navigator.
2. Drag the Bangalore shape in the drawing window so that it is on top of the nwtraders.msft shape. This will move the shape so that it is at the same level as the other OUs.
3. Right-click the nwtraders.msft domain shape and select Layout children. Select one of the Vertical layouts, and then click OK.

To view other shapes
1. Show students the other shapes that are in the Active Directory Objects stencil.
2. View the Active Directory Sites and Services stencil by clicking on Active Directory Sites and Services in the lower left corner of the Visio window.
3. Show students the shapes in this stencil as well.

Module Strategy

Use the following strategy to present this module:
• Identifying Business Needs. Begin the module by describing methods to identify and document the administrative needs of an organization as they relate to an Active Directory design.
• Characterizing the IT Organization. This page describes how the Information Technology (IT) organization can be characterized. Emphasize the importance of designing an Active Directory structure to meet IT needs.
• Developing a Strategy for Administrative Design. This section describes the different strategies of designing the Active Directory in compliance with the administrative model of the organization. Explain in detail the common strategies used to design an Active Directory hierarchy, and discuss how these strategies can be combined into hybrid hierarchies.
• Developing a Strategy for Delegation. The section describes the strategies used for delegating authority.
Describe how both object-based and task-based administrative authority can be delegated within an Active Directory structure. Explain the guidelines for determining the appropriate level of delegation.

Customization Information

This section identifies the lab setup requirements for a module and the configuration changes that occur on student computers during the labs. This information is provided to assist you in replicating or customizing Microsoft Official Curriculum (MOC) courseware.

The lab in this module includes a script to be run at the beginning and end of the lab, creating and returning the computer to the default configuration for the course. As a result, there are no lab setup requirements or configuration changes that affect replication or customization.

Overview

• Identifying Business Needs
• Characterizing the IT Organization
• Developing a Strategy for Administrative Design
• Developing a Strategy for Delegation

Microsoft® Windows® 2000 Active Directory™ provides network architects with control over information access in Active Directory. By structuring the Active Directory hierarchy and then managing the permissions on directory objects and properties, you can precisely specify the accounts that can access the directory and the level of permissions that they can have. For example, you can give a person authority over user passwords in a particular organizational unit (OU), without giving that person any control over other objects or attributes in Active Directory. This precise specification allows administrators to delegate specific authority over portions of the directory to groups of users, without making directory information vulnerable to unauthorized access.

At the end of this module, you will be able to:
• Identify the business needs of an organization that will impact the hierarchical design of Active Directory.
• Develop a strategy for planning an administrative design that facilitates delegation.
• Develop strategies for delegation of administrative authority.

Slide Objective: To provide an overview of the module topics and objectives.
Lead-in: In this module, you will learn about the different strategies that are used to delegate administrative authority by using Active Directory.

Identifying Business Needs

[Slide: Documenting the Administrative Process: Level of Administration; Who Administers What; Build Flexibility Into Plan. Figure: organizational chart and IT infrastructure diagram.]

Organizations can delegate administrative authority by granting limited administrative permissions to trusted individuals. Delegation reduces the workload and responsibility of a single administrator. Delegation also safely separates administrative authority from other areas of the organization. Managers who have the appropriate administrative rights can, in turn, delegate administration of a subset of their accounts and resources to other individuals.

To support delegation of administrative authority, you should design the Active Directory structure to support the organization’s desired administrative Information Technology (IT) structure.

Documenting the Administrative Process

Begin by documenting the existing structure of the organization.
One strategy is to divide the administrative tasks into categories and then document the administrator or administrators responsible for each category.

Once the existing process has been documented, you should work with the planning team to identify areas for improvement. For example, it may be more cost-effective to combine several IT teams from different divisions. You may identify non-IT employees who can assist in the administrative process and reduce the IT staff workload. This allows the IT staff to focus on the areas where their expertise is most needed.

Slide Objective: To emphasize the importance of identifying the existing administrative process of an organization.
Lead-in: The Active Directory structure should support an organization’s administrative structure.
Key Points: Make the Active Directory design support the administrative structure, allowing the ability to delegate administrative tasks, including permission to delegate to the lower layers. Do not try to map to the organizational chart. It’s important to document the way you want to administer your network.

Once the existing and desired processes are identified, use the following as guidelines for your delegation plan:
• Determine the level of administration. Decide what each group should control and at what level in the administrative hierarchy you will delegate administration. The delegation plan should define what permissions a group of users may have for that level of the hierarchy.
• Identify the administrators and the users and resources they administer. This information will help determine the ownership and permissions assignment to the OUs you create to support the delegation plan. An administrator or the object owner must grant users access rights to an object in Active Directory before users can have access to the object.
• Build flexibility into your delegation model. You can grant rights to administrators to manage a small set of users or groups within their area of responsibility and, at the same time, deny rights to manage accounts in other parts of the organization. For example, you may want to grant printer control rights to a small group of users. You may allow certain OU administrators to have Full Control over specific OUs and objects. You may restrict other administrators altogether, so that they are not able to view the OU.

Characterizing the IT Organization

• Centralized IT
• Centralized IT with Decentralized Management
• Decentralized IT
• Outsourced IT

Before designing the administrative structure of an organization, you must first characterize your IT organization. The most common IT organizations are:
• Centralized IT. The centralized IT organization reports to a single individual, and is usually the group responsible for all network and information services, although some day-to-day tasks may be delegated to certain groups or departments.
• Centralized IT with Decentralized Management. IT organizations often employ distributed management, where control is spread out across more than one location. In this model, a centrally located core IT team has responsibility for the base infrastructure services, but delegates most of the day-to-day operations to IT groups in branch offices, which provide local administrative support to their users.
• Decentralized IT. This type of organization allows various business units to select an appropriate IT model to serve the needs of each individual unit. This type of organization may have multiple IT groups with varying needs and goals. Whenever there are organization-wide technology initiatives, such as an upgrade to an organization-wide messaging application, the IT groups must work together to implement changes.
• Outsourced IT.
Some organizations may choose to outsource all or part of their IT organization. When only parts of the IT organization are outsourced, it becomes imperative that a proper delegation model be implemented. Thus, the internal IT group maintains control of the organization without compromising the service level agreements the outsourced company has committed to provide. For example, if an outsourced company has committed to support the physical infrastructure of an organization’s network, you may choose to create OUs to contain the routers, servers, and any other items over which they may need control.

Slide Objective: To illustrate the design of a location-based hierarchy.
Lead-in: An Active Directory delegation strategy should reflect the IT needs of an organization.

[...]

... (Lightweight Directory Access Protocol) Data Interchange Format, files from current deployments in Active Directory. Visio can also export an Active Directory drawing created in Visio to an LDIF file that can, in turn, be imported into a live Active Directory. You will use Visio in the lab to document your design decisions.
Lab A: Designing...

... running Windows 2000
• The knowledge and skills to delegate administrative authority by using the Active Directory Users and Computers console
• The knowledge and skills to perform various administrative tasks using the Active Directory Users and Computers console
Lab Setup
To complete this lab, you need the following: Your...

... Developing a Strategy for Administrative Design
Slide Objective: To describe how administrative designs can be organized
• Designing a Hierarchy Based on Location
• Designing a Hierarchy Based on Organization
Lead-in
• Designing a Hierarchy Based on Function
• Designing a Hybrid Hierarchy by Location then Organization
• Designing...

... map to the administrative needs of an organization. If you design the Active Directory structure to reflect the organizational chart, it may be difficult to delegate administrative authority, because the objects in the Active Directory, such as printers and file shares, may not be grouped in a way that facilitates delegation of administrative authority. Because users never see the Active Directory structure,...

... for delegating authority at different administrative levels
• Creating strategies for planning inheritance of permissions
• Documenting the delegation plan
• Examining guidelines for designing delegation of authority
Determining Delegation Methods
Slide Objective: To describe the methods that can be used to delegate users...

... box to start the script d Click OK to finish the script 3 Open Active Directory Users and Computers, and then connect to your domain a 4 Use the Delegation of Control wizard to delegate full control a Click Start, point to Programs, point to Administrative Tools, and then click Active Directory Users and Computers b If you are not connected to your domain, right-click the domain and select Connect to...

... identified in questions 1 through 6. To finish the exercise, run the \\London\labs\Remove3.vbs script to remove the OUs, users, and groups.
Exercise 3: Designing an Administrative Strategy for a Small Organization
In this exercise, work with your partners to choose a strategy for delegation of administrative authority for Seven Gables...

... reduces administrative overhead
Demonstration: Using Visio 2000
Slide Objective: To demonstrate Visio 2000
Lead-in: In this demonstration, we will explore using Visio 2000, which you will use in the following lab.
Visio 2000 Enterprise Edition is a drag and drop drawing tool used to document Active Directory designs. Visio can import...

... administrator’s convenience instead of the users’ convenience
Characteristics of Organization-based Designs
When deciding whether to organize the Active Directory structure by organization, consider the following characteristics of organization-based designs:
• Reflects Business Model. An organizational structure tends to better...

... be able to manage a small set of users or groups within their area of responsibility, such as a container in the Active Directory structure. For example, a user can be given the ability to manage printer queues and file resources within a particular OU or among several OUs.
Determining Object Ownership
Slide Objective: To illustrate...
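One way to check that a delegation like the overview's example (authority over user passwords in one OU and nothing else) is what the directory actually grants is to compare the OU's explicit access control entries with the written delegation plan. This is an added example, not part of the courseware: the group names, the plan format and the sample ACEs are constructed, and the Paris OU in nwtraders.msft is borrowed from the Visio demonstration.

```powershell
# Added example: compare explicit ACEs on an OU with a written delegation plan.
$ResetPassword = [guid]'00299570-246d-11d0-a768-00aa006e0529' # "Reset Password" extended right
$UserClass     = [guid]'bf967aba-0de6-11d0-a285-00aa003049e2' # schema GUID of the user class
$BroadRights   = 'GenericAll', 'WriteDacl', 'WriteOwner'      # rights that let the holder re-delegate

# Hypothetical plan: one group may reset passwords of user objects in the Paris OU.
$Plan = @(
    [pscustomobject]@{
        OU = 'OU=Paris,DC=nwtraders,DC=msft'; Group = 'NWTRADERS\Paris-PasswordAdmins'
        Rights = 'ExtendedRight'; ObjectType = $ResetPassword; AppliesTo = $UserClass
    }
)

# Constructed sample ACEs using the property names of ActiveDirectoryAccessRule.
# Against a live domain, replace this list with:
#   Import-Module ActiveDirectory
#   (Get-Acl "AD:\OU=Paris,DC=nwtraders,DC=msft").Access
$SampleAces = @(
    [pscustomobject]@{ IdentityReference = 'NWTRADERS\Paris-PasswordAdmins'; AccessControlType = 'Allow'
        ActiveDirectoryRights = 'ExtendedRight'; ObjectType = $ResetPassword
        InheritedObjectType = $UserClass; IsInherited = $false }
    [pscustomobject]@{ IdentityReference = 'NWTRADERS\Paris-Helpdesk'; AccessControlType = 'Allow'
        ActiveDirectoryRights = 'GenericAll'; ObjectType = [guid]::Empty
        InheritedObjectType = [guid]::Empty; IsInherited = $false }
    [pscustomobject]@{ IdentityReference = 'NWTRADERS\Domain Admins'; AccessControlType = 'Allow'
        ActiveDirectoryRights = 'GenericAll'; ObjectType = [guid]::Empty
        InheritedObjectType = [guid]::Empty; IsInherited = $true }
)

function Get-DelegationFinding {
    param([string]$OU, [object[]]$Aces, [object[]]$Plan)
    foreach ($ace in $Aces) {
        # Inherited ACEs are reviewed on the parent that sets them; Deny ACEs grant nothing.
        if ($ace.IsInherited -or "$($ace.AccessControlType)" -ne 'Allow') { continue }

        $trustee = "$($ace.IdentityReference)"
        $rights  = "$($ace.ActiveDirectoryRights)"
        # An ACE is planned only if trustee, right, object type and target class all match.
        $planned = $Plan | Where-Object {
            $_.OU -eq $OU -and $_.Group -eq $trustee -and $_.Rights -eq $rights -and
            $_.ObjectType -eq $ace.ObjectType -and $_.AppliesTo -eq $ace.InheritedObjectType
        }
        $broad = @(($rights -split ',\s*') | Where-Object { $BroadRights -contains $_ })
        if ($planned -and $broad.Count -eq 0) { continue }

        $finding = 'Not in delegation plan'
        if ($broad.Count -gt 0) { $finding = 'Broad right: holder can change permissions or take control' }
        [pscustomobject]@{ OU = $OU; Trustee = $trustee; Rights = $rights; Finding = $finding }
    }
}

Get-DelegationFinding -OU 'OU=Paris,DC=nwtraders,DC=msft' -Aces $SampleAces -Plan $Plan |
    Format-Table -AutoSize
```

On the constructed data only the Paris-Helpdesk entry is reported: the password-reset grant matches the plan, and the inherited Domain Admins entry is left for the review of the parent container.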

Posted: 17/01/2014, 09:20
