Administrating the Administrators
See other Security Tip of the Month columns
In many organizations there are multiple network administrators that either do not need or should not have access to network resources that are not meant to be under their control. This limitation is good practice to help protect data and resources from malicious, coerced, or accidental administrative actions.
An organizational unit (OU) is simply a container within a domain. OUs offer an easy way to group users and other security principals, and they provide a mechanism to segment administrative boundaries. In addition, using OUs to provide different Group Policy objects (GPOs) based on server role is an integral piece of the overall security architecture for an organization.
This article is part of the Windows Server 2003 Security Guide available at: http://www.microsoft.com/technet/security/prodtech/windowsserver2003/w2003hg/sgch00.mspx
Delegating Administration and Applying Group Policy
You can delegate control over a specific OU to a group or an individual by setting specific access control lists (ACLs) on the OU. You can create an OU to contain a group of resource servers to be administered by other users. This gives this group of other users autonomous control over a particular OU, without isolating them from the remainder of the domain.
Administrators that delegate control over specific OUs are likely to be service administrators. At a lower level of authority, users that control the OUs are usually data administrators.
Creating administrative groups gives administrators a way to segment clusters of users, security groups, or servers into containers for autonomous administration. For example, consider the infrastructure servers that reside in a domain. Infrastructure servers include all the non-domain controllers that are running basic network services, including servers running the Dynamic Host Configuration Protocol (DHCP) and Windows Internet Name Service (WINS). All Domain Name System (DNS) servers are running on domain controllers, which are in the Domain Controllers OU. DNS servers in this example are not considered infrastructure servers. Often, an operations group or an infrastructure administration group maintains these servers.
Using an OU can easily provide administrative capabilities to these servers. The basic steps for creating an OU for administration are as follows:
Create an OU called Member Servers.
Within the Member Servers OU, create an OU called Infrastructure.
Move all WINS and DHCP servers into the Infrastructure OU.
Create a global security group called Infrastructure Admins with the appropriate domain accounts added to it.
Run the Delegation of Control Wizard to give the Infrastructure Admins group the setting Full Control of the OU.
After following this procedure, the Infrastructure Admins group should have full control over the Infrastructure OU and over all servers and objects within this OU.
This is only one of many ways of using OUs to provide administrative segmentation. To learn about using OUs for administration in more complex organizations, see Chapter 2, Configuring the Domain Structure in the Windows Server 2003 Security Guide.
Read other security solutions from the Microsoft Solutions for Security and Compliance team.