In the world of Active Directory, you delegate to define responsibilities for OU administrators. As a system administrator, you will occasionally be tasked with having to delegate responsibility to others—you can't do it all, although sometimes administrators believe that they can. You understand the old IT logic of doing all of the tasks yourself for job security, but this can actually make you look worse.
Note: You can delegate control only at the OU level and not at the object level within the OU.
If you do find yourself in a role where you need to delegate, remember that Windows Server 2012 R2 was designed to offer you the ability to do so. In its simplest definition, delegation allows a higher administrative authority to grant specific administrative rights for containers and subtrees to individuals and groups. What this essentially does is to eliminate the need for domain administrators with sweeping authority over large segments of the user population. You can break up this control over branches within your tree, within each OU you create.
Note: To understand delegation and rights, you should first understand the concept of access control entries (ACEs). ACEs grant specific administrative rights on objects in a container to a user or group. A container's access control list (ACL) is used to store ACEs.
When you are considering implementing delegation, keep these two concerns in mind:

Parent-Child Relationships: The OU hierarchy you create will be important when you consider the maintainability of security permissions. OUs can exist in a parent-child relationship, which means that permissions and group policies set on OUs higher up in the hierarchy (parents) can interact with objects in lower-level OUs (children). When it comes to delegating permissions, this is extremely important. You can allow child containers to inherit the permissions set on parent containers automatically. For example, if the North America division of your organization contains 12 other OUs, you could delegate permissions to all of them at once (saving time and reducing the likelihood of human error) by placing security permissions on the North America division. This feature can greatly ease administration, especially in larger organizations, but it is also a reminder of the importance of properly planning the OU structure within a domain.

Inheritance Settings: Now that you've seen how you can use parent-child relationships for administration, you should consider inheritance, the process in which child objects take on the permissions of a parent container. When you set permissions on a parent container, all of the child objects are configured to inherit the same permissions. You can override this behavior, however, if business rules do not lend themselves well to inheritance.
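As an added example (not from the book), the following PowerShell performs the delegation the text describes: it writes a single ACE into an OU's ACL granting a help-desk group the Reset Password right on the user objects beneath that OU, then reads a child OU's ACL to show the same ACE arriving through inheritance. The OU, child OU and group names are placeholders, and the script assumes the ActiveDirectory module is available, since it provides the AD: drive.

```powershell
# Added example, not from the book. Placeholders: replace with names from your own domain.
Import-Module ActiveDirectory

$ouDn      = "OU=North America,DC=example,DC=com"          # placeholder parent OU
$childOuDn = "OU=Sales,OU=North America,DC=example,DC=com" # placeholder child OU
$groupName = "EXAMPLE\NA-Helpdesk"                         # placeholder delegate group

# Resolve the two GUIDs the ACE needs from the forest itself rather than hard-coding them:
# the "Reset Password" extended right and the schema ID of the user object class.
$rootDse = Get-ADRootDSE
$resetPwdRight = Get-ADObject -SearchBase $rootDse.configurationNamingContext `
    -LDAPFilter "(&(objectClass=controlAccessRight)(displayName=Reset Password))" `
    -Properties rightsGuid
$userClass = Get-ADObject -SearchBase $rootDse.schemaNamingContext `
    -LDAPFilter "(&(objectClass=classSchema)(lDAPDisplayName=user))" `
    -Properties schemaIDGUID
$resetPwdGuid  = [guid]$resetPwdRight.rightsGuid
$userClassGuid = New-Object System.Guid (,[byte[]]$userClass.schemaIDGUID)

# Build the ACE. Inheritance "Descendents" plus the user class GUID scopes the grant to
# user objects under the OU (including child OUs), not to the OU object itself: the ACE
# lives at the OU level, which is the only place the text says control can be delegated.
$identity = New-Object System.Security.Principal.NTAccount($groupName)
$aceArgs = @(
    $identity,
    [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight,
    [System.Security.AccessControl.AccessControlType]::Allow,
    $resetPwdGuid,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents,
    $userClassGuid
)
$ace = New-Object System.DirectoryServices.ActiveDirectoryAccessRule -ArgumentList $aceArgs

# Read the OU's ACL, add the ACE, and write the ACL back.
$acl = Get-Acl -Path "AD:\$ouDn"
$acl.AddAccessRule($ace)
Set-Acl -Path "AD:\$ouDn" -AclObject $acl

# Verify: the child OU's ACL should now list the same ACE with IsInherited = True.
Get-Acl -Path "AD:\$childOuDn" |
    Select-Object -ExpandProperty Access |
    Where-Object { $_.IdentityReference.Value -eq $groupName -and $_.ObjectType -eq $resetPwdGuid } |
    Select-Object IdentityReference, ActiveDirectoryRights, InheritanceType, IsInherited

# Overriding inheritance on a child OU (the exception the text mentions): protect its ACL so
# parent ACEs stop flowing down. The second $true keeps copies of the ACEs already inherited.
# $childAcl = Get-Acl -Path "AD:\$childOuDn"
# $childAcl.SetAccessRuleProtection($true, $true)
# Set-Acl -Path "AD:\$childOuDn" -AclObject $childAcl
```

Run the verification step again after protecting a child OU: the ACE disappears from that OU's inherited entries, which is exactly the behaviour to audit for when a delegated right unexpectedly stops applying.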