My preferred method is as follows.

Keep OU names simple and linked to object type or organization delegation
type.  Use the description attribute on each OU to describe the OU instead
of making the RDN and DN describe the OU.  Also look at third-party products
if you have to do multiple delegations and need to control content being
entered.  I am a big fan of Aelita's EDM 5.0 for both its 32-bit interface
and its web interface and ADSI provider.

Here is a pretty good strategy.

<Root>
  -AD
    +Delegation                 Description
    =============================================
      +Users                    Del#1/Users
      +Computers                Del#1/Computers
      -Groups                   Del#1/Groups
        +Org                    Del#1/Groups/Org
        +DL                     Del#1/Groups/DL
      -OPS                      Del#1/OPS
        +Services               Del#1/Services
        +Accounts               Del#1/Accounts
        +Contacts               Del#1/Contacts
        +Servers                Del#1/Servers
        +Resources              Del#1/Resources

    +Delegation                 Description
    =============================================
      +Users                    Del#2/Users
      +Computers                Del#2/Computers
      -Groups                   Del#2/Groups
        +Org                    Del#2/Groups/Org
        +DL                     Del#2/Groups/DL
      -OPS                      Del#2/OPS
        +Services               Del#2/Services
        +Accounts               Del#2/Accounts
        +Contacts               Del#2/Contacts
        +Servers                Del#2/Servers
        +Resources              Del#2/Resources

When doing searches it is easier to search on description than on OU or CN.
When programming it is easier to program names that are simple and short.  If
you named your OU "Del #1 Users", technically it is supported, but
administratively it is a nightmare.

For delegation to work properly you need to separate the role of Domain
Administrators (Directory Admins) and each delegated Admin of an OU (Data
Admins).

Directory Admins are responsible for creating Delegation and managing the
physical security, patch level, disaster recovery, and operation of the
Domain Controllers.
Data Admins are responsible for creating the users, groups, and resource
accounts within the directory.

Data Administration can be divided up as many ways as you see fit; I have a
rule of three.

Full Admin: Full Control over managing OU and resources.

Helpdesk Admin: Ability to reset certain passwords, update attributes on
certain objects, create new computer accounts and modify membership of ORG
and DL groups.  Read Access to Operations.

Server Admin: Ability to do Help desk tasks as well as manage server and
resource objects in OPS OU.

Services Admins: Ability to manage service accounts; they are the only ones
delegated to be able to modify the object other than the system account.

Through the use of third-party tools you can pretty easily create recurring
roles, and limit the object type that can be created in an OU, dynamically
populate groups, add validation to field entry, and a host of other
important identity management tasks.

I also recommend that you use GPOs to restrict group memberships to certain
key groups so they can't be hijacked by hackers or rogue admins.

Todd
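As an added example (not code from Todd or from this list, and later tooling than the 2003 thread used), the PowerShell below builds one delegation's OU tree in the layout above, with short RDNs and the path recorded in the Description attribute, and applies one piece of the "Helpdesk Admin" role: password reset on user objects under that delegation's Users OU only.  It assumes the ActiveDirectory module, an existing top-level OU named AD, and a delegation name and helpdesk group supplied by the caller.

```powershell
# Added example, not code from the thread: one delegation's OU tree in Todd's layout,
# short RDNs with the path kept in Description, plus a Helpdesk Admin delegation.
# Assumes the ActiveDirectory module and an existing top-level OU named "AD".
Import-Module ActiveDirectory

# Child OU name -> parent OU (relative to the delegation OU); '' = directly under it
$Layout = @(
    @{ Name = 'Users';     Parent = '' },       @{ Name = 'Computers'; Parent = '' },
    @{ Name = 'Groups';    Parent = '' },       @{ Name = 'Org';       Parent = 'Groups' },
    @{ Name = 'DL';        Parent = 'Groups' }, @{ Name = 'OPS';       Parent = '' },
    @{ Name = 'Services';  Parent = 'OPS' },    @{ Name = 'Accounts';  Parent = 'OPS' },
    @{ Name = 'Contacts';  Parent = 'OPS' },    @{ Name = 'Servers';   Parent = 'OPS' },
    @{ Name = 'Resources'; Parent = 'OPS' }
)

function New-DelegationTree {
    param([Parameter(Mandatory)][string]$Delegation)   # e.g. 'Del1' (hypothetical name)
    $root = "OU=AD," + (Get-ADDomain).DistinguishedName
    New-ADOrganizationalUnit -Name $Delegation -Path $root -Description $Delegation
    foreach ($ou in $Layout) {
        # Parent DN: the delegation OU itself, or one of its children (Groups, OPS)
        $parentDN = if ($ou.Parent) { "OU=$($ou.Parent),OU=$Delegation,$root" }
                    else            { "OU=$Delegation,$root" }
        $desc = if ($ou.Parent) { "$Delegation/$($ou.Parent)/$($ou.Name)" }
                else            { "$Delegation/$($ou.Name)" }
        New-ADOrganizationalUnit -Name $ou.Name -Path $parentDN -Description $desc
    }
}

# Helpdesk Admin: let the group reset passwords on user objects under the given OU only.
function Grant-HelpdeskPasswordReset {
    param([Parameter(Mandatory)][string]$OuDN, [Parameter(Mandatory)][string]$GroupSam)
    $sid = (Get-ADGroup -Identity $GroupSam).SID
    $resetPwRight = [Guid]'00299570-246d-11d0-a768-00aa006e0529'   # "Reset Password" control access right
    $userClass    = [Guid]'bf967aba-0de6-11d0-a285-00aa003049e2'   # schema GUID of the user class
    $rule = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
        $sid, [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight,
        [System.Security.AccessControl.AccessControlType]::Allow, $resetPwRight,
        [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents, $userClass)
    $acl = Get-Acl -Path "AD:\$OuDN"
    $acl.AddAccessRule($rule)
    Set-Acl -Path "AD:\$OuDN" -AclObject $acl
}

# Searching on Description, as Todd suggests, rather than parsing the DN:
# Get-ADOrganizationalUnit -Filter 'Description -like "Del1/*"' | Select-Object Name, Description
```

Call `New-DelegationTree -Delegation 'Del1'` and then `Grant-HelpdeskPasswordReset -OuDN "OU=Users,OU=Del1,OU=AD,$((Get-ADDomain).DistinguishedName)" -GroupSam 'Del1-Helpdesk'` (group name hypothetical); the ACE is scoped to descendant user objects, so the helpdesk group gains nothing over groups, computers or the OPS subtree.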

-----Original Message-----
From: Thommes, Michael M. [mailto:[EMAIL PROTECTED]]
Sent: Thursday, June 19, 2003 4:45 PM
To: Active Directory Mailing List (E-mail)
Subject: [ActiveDir] suggestions for OU delegation information sources


Hi All!
    As we continue to "flesh out" our AD structure, we are trying to give
delegation authority for various objects in OUs to the appropriate groups.
Being a "control freak", I don't want to give these groups full control over
all of the objects in the OU since this is also where our user accounts sit.
We've done some experimenting with modifying the delegwiz.inf file to create
custom templates but find that information for the exact permissions needed to
do a particular task is somewhat scarce.  Has anyone put together a custom
delegwiz.inf file that we could "borrow" from?  Is there any literature out
there regarding delegation that someone would recommend?  Any help is always
appreciated!  Thanks!

Mike Thommes
Argonne National Laboratory


List info   : http://www.activedir.org/mail_list.htm
List FAQ    : http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/