Chapter 4: Delegating Data Management

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2

Data management involves managing all aspects of the data stored in or protected by Active Directory. This content includes domain data, which primarily consists of accounts for users and computers, security groups, and application-specific data.

User accounts represent the identities of an organization’s users, and thus data management includes identity management. Security groups enable aggregation of a set of users for the purpose of authorization, and thus security group management plays a key role in securing an organization’s IT resources. Security group management is also a key data management category. Active Directory–integrated and –enabled applications can store application-specific data in Active Directory, and management of application-specific data is also a part of data management.

Finally, computers can be viewed as providing resources in an IT infrastructure. From end-user workstations to file servers, and from hosting a Web farm to running enterprise applications, computers provide resources in an organization’s IT infrastructure. Thus resource management is yet another data management category.

This chapter provides guidance for how to use delegation to provide administrative coverage for all aspects of data management in an Active Directory environment. The chapter presents an overview of the various categories that data management includes and provides recommendations about how to efficiently delegate all aspects of data management in a security-conscious manner.