Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2
Organizations are moving towards a model in which different divisions, structural units, and business units share a common IT infrastructure in order to increase collaboration and reduce the cost of maintaining the IT infrastructure. The IT infrastructure of such organizations often spans multiple organizational and geographic boundaries.
Such an environment might have the following requirements:
Organizational structure requirements. Part of an organization might participate in a shared infrastructure to save costs, but require the ability to operate independently from the rest of the organization.
Operational requirements. An organization or application might place unique constraints on directory service configuration, availability, or security.
Legal requirements. An organization might have legal requirements to operate in a specific manner, such as restricting access to certain information.
Administrative requirements. Different organizations might have different administrative needs, depending on existing and planned IT administration and support models.
The first three requirements express themselves as needs for autonomy and isolation. Autonomy is the ability of the administrators of an organization to independently manage:
All or part of service management (service autonomy).
All or part of the data stored in or protected by Active Directory (data autonomy).
Isolation is the ability of an administrator or an organization to prevent other administrators from:
Controlling or interfering with service management (service isolation).
Controlling or viewing a subset of data in Active Directory or on member computers that are joined to the directory (data isolation).
Strict service or data isolation often requires creating a separate forest or domain. Addressing network architecture design considerations for accommodating autonomy and isolation requirements is beyond the scope of this document. Instead, this document addresses the need and process for delegating administrative authority based on an organization’s requirements for administration of its IT resources.
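The distinction between autonomy and isolation is easiest to see in an access control list. The following PowerShell script is an added example and not part of the original Microsoft document; it grants a group full control over one organizational unit (data autonomy for that group) and then shows, by reading the resulting ACL, that service administrators such as Domain Admins still hold rights over the same container, which is why delegation within a domain does not provide isolation. The domain name contoso.com, the OU name Sales, and the group Sales-OU-Admins are assumptions; the script requires a .NET-capable PowerShell host and an account permitted to modify the OU's security descriptor.

```powershell
# Added example (not from the original page). Assumed names: CONTOSO\Sales-OU-Admins,
# OU=Sales,DC=contoso,DC=com. Run from a domain-joined host as an account that can
# write the OU's security descriptor (for example a Domain Admin).
$ouDn     = "OU=Sales,DC=contoso,DC=com"
$delegate = New-Object System.Security.Principal.NTAccount("CONTOSO", "Sales-OU-Admins")

# Bind to the OU with ADSI; DirectoryEntry.ObjectSecurity exposes the DACL.
$ou  = [ADSI]("LDAP://" + $ouDn)
$sid = $delegate.Translate([System.Security.Principal.SecurityIdentifier])

# Data autonomy: the delegated group gets GenericAll on the OU and everything under it.
$ace = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $sid,
    [System.DirectoryServices.ActiveDirectoryRights]::GenericAll,
    [System.Security.AccessControl.AccessControlType]::Allow,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All)
$ou.ObjectSecurity.AddAccessRule($ace)
$ou.CommitChanges()

# Re-read the DACL and list who holds GenericAll on the OU.
$ou.RefreshCache()
$rules = $ou.ObjectSecurity.GetAccessRules($true, $true, [System.Security.Principal.NTAccount])
$fullControl = $rules |
    Where-Object { $_.AccessControlType -eq "Allow" -and
                   ($_.ActiveDirectoryRights -band [System.DirectoryServices.ActiveDirectoryRights]::GenericAll) -eq
                   [System.DirectoryServices.ActiveDirectoryRights]::GenericAll } |
    Select-Object -ExpandProperty IdentityReference -Unique

"Principals with full control over ${ouDn}:"
$fullControl | ForEach-Object { "  $_" }

# Isolation check: if any service-administrator group is still listed, the Sales-OU-Admins
# group has autonomy over its data but not isolation from the domain's service admins.
$serviceAdmins = @("CONTOSO\Domain Admins", "CONTOSO\Enterprise Admins")
$overlap = $fullControl | Where-Object { $serviceAdmins -contains $_.Value }
if ($overlap) {
    "Autonomy only: service administrators ($($overlap -join ', ')) retain full control."
} else {
    "No service-administrator group holds explicit full control (they can still take ownership)."
}
```

On a Windows Server 2003 domain controller without PowerShell, the same grant is made with the Support Tools command `dsacls "OU=Sales,DC=contoso,DC=com" /I:T /G "CONTOSO\Sales-OU-Admins:GA"`, and `dsacls` with no switches prints the resulting ACL. Even when no Domain Admins entry appears in the DACL, members of Domain Admins can take ownership of any object in the domain and rewrite its ACL, so removing their ACE does not create isolation; only a separate domain or forest does.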
For more information about accommodating autonomy and isolation requirements, see “Designing the Active Directory Logical Structure” in Designing and Deploying Directory and Security Services of the Windows Server 2003 Deployment Kit (or see “Designing the Active Directory Logical Structure” on the Web at https://go.microsoft.com/fwlink/?LinkId=4723).
For the purpose of understanding an organization’s needs for delegating administrative authority, organizations can be classified in the following categories, based on their size:
Small organizations, which typically have 25 to 50 workstations and three to five servers.
Medium organizations, which typically have 50 to 500 workstations and four to five servers.
Large organizations, which typically have at least 500 workstations and 50 servers.
Small and medium organizations typically have one or a few administrative groups that are responsible for managing all aspects of Active Directory. Small and medium organizations might not need to create an extensive delegation model. Large organizations usually have a clear need to distribute and delegate administrative authority to various administrative groups, possibly delegating certain aspects of Active Directory management to centralized teams and delegating other aspects to decentralized teams. While large organizations will find the delegation capabilities of Active Directory most useful, small and medium organizations can also achieve enhanced security, increased control, more accountability, and reduced costs by implementing delegation.