Overview
The Active Directory directory service is an integral component of network infrastructures that
are based on the Microsoft Windows Server 2003, Standard Edition; Windows
Server 2003, Enterprise Edition; Windows Server 2003, Datacenter Edition, and
Windows 2000 Server, Windows 2000 Advanced Server, and Windows 2000 Datacenter
Server operating systems. Successful management of Active Directory environments requires
distribution of administrative responsibilities among multiple administrators according to
organizational, operational, legal, and administrative requirements. Having the necessary
background information, requirements, practices, and recommendations can help you delegate
administration to more securely and efficiently manage Active Directory services and data.
Abstract
Active Directory provides an enterprise-ready, scalable, distributed directory service that allows
organizations to centrally manage and share information about network resources and users, and
is at the heart of distributed network security in a Windows Server-based enterprise. Active
Directory thus plays a major role in accomplishing the business goals of your organization, and
your ability to successfully manage Active Directory has a direct bearing on your ability to
accomplish these goals.
Delegation of administration, a key capability of Active Directory, provides a means to
successfully manage an Active Directory environment. This document discusses in depth the
issues involved in delegating administrative responsibilities, and can help you plan for,
implement, and maintain an administrative delegation model that allows secure and efficient
management of Active Directory.
Scope
This document provides all the information required to create, implement, and maintain a
security-conscious and efficient delegation model to manage your Active Directory
environments. This information includes an overview of delegation, in-depth explanations of the
rationale for delegation, technical descriptions of how delegation works in Active Directory,
processes for creating delegation models for both service and data management, the steps needed
to implement and maintain the models, and a detailed case study. Appendices to this document
provide an exhaustive reference, including a comprehensive list of Active Directory
administrative tasks and associated permissions required to delegate every administrative task in
Active Directory.
This document does not include Active Directory deployment instructions or recommendations.
For information about planning and deploying an Active Directory environment, see Designing
and Deploying Directory and Security Services of the Microsoft Windows Server 2003
Deployment Kit on the Web at http://go.microsoft.com/fwlink/?LinkID=4719.
Intended Audience
This document is intended for Information Technology (IT) professionals who are responsible
for managing an Active Directory environment. In most IT infrastructures that consist of multiple
integrated components and services, the responsibility to deliver a specific component or service
is typically entrusted to a component or service owner, who is responsible for the overall
delivery of the component or service.
Ownership of Active Directory environments should be entrusted to two specific owners or
owner groups, whose roles are typically strategic and managerial: service owners and data
owners. Service owners and data owners have general, overriding responsibility for Active
Directory. These usually high-ranking managers are respectively responsible for ensuring
reliability and security in the delivery of the directory service and for managing the security of
Active Directory content. To that end, they are responsible for delegating and distributing among
their administrators responsibility for managing services and content. They do so by creating an
administrative delegation model, which documents the distribution of administrative
responsibilities among various administrative personnel.
Administrative responsibilities for delegating Active Directory management are divided
between:
• Data owners, who are responsible for maintaining the information that is stored in or
  protected by the Active Directory directory service, including:
    o Management of user and computer accounts.
    o Management of local resources, such as member servers and workstations and the
      data they store.
• Service administrators, who represent the operational arm of service owners and are
  responsible for carrying out the tasks that are required to maintain the delivery of the
  directory service.
• Data administrators, who represent the operational arm of data owners and are
  responsible for carrying out the tasks that are required to manage the content that is
  stored in or protected by Active Directory.
This document is intended for service and data owners to help them create a security-conscious
and efficient administrative delegation model that is tailored to the specific requirements of their
organization. It is also intended for the service and data administrators who are responsible for
implementing the delegation model.
To accommodate the needs of these different stakeholders, the information in this document is
divided into four chapters, a case study, and extensive appendices, as follows: