Step 4 — Create the Contoso Data Management Administrative Delegation Model

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2

With the business unit OUs and Business Unit Admins role instances in place, Contoso data owners are ready to create their delegation model according to the following criteria:

  • Objective: Create a delegation model to distribute data management among data administrators by enabling efficient, security-conscious delegation and distribution of administrative responsibilities among various administrative groups

  • Stakeholders: Data owners of all business units

  • Approach: Each business unit data owner creates a delegation model for his or her business unit data, as follows:

    • Understand administrative delegation and Group Policy application requirements.

    • Create an OU structure that meets administrative delegation and Group Policy application requirements.

    • Identify the number of instances of each data management role according to business unit requirements and identify the administrative personnel who are assigned to each role.

Contoso has four business units spread across two domains and six locations. Table 33 shows the locations of the users, workstations, and servers that are managed by each business unit.

Table 33   Distribution of Users, Workstations, and Servers in Contoso Business Units

Business Unit              Locations                                         Users   Workstations   Servers
Research and Development   Chicago                                           5,000   10,000         1,000
Production                 Atlanta                                           3,000   5,000          520
Business Management        Chicago, New York, London, Paris, Rome            5,500   7,000          250
IT                         Chicago, Atlanta, New York, London, Paris, Rome   2,500   5,000          100

Table 34 shows the distribution of servers across the Contoso business units by type of server.

Table 34   Distribution of Servers by Type in Contoso Business Units

Business Unit   File Servers   Web Servers   Database Servers   Application Servers
RandD           800            50            100                50
Production      300            20            100                100
Bus Mgmt        120            45            50                 35
IT              30             30            20                 20

To support the delegation model, Contoso assigns the following data management roles:

  • Account Admins

  • Workstation Admins

  • Resource Admins

  • Application-specific roles

  • Custom roles

Creating the Delegation Model for the RandD Business Unit

This business unit is based in Chicago and is the main research and development unit. All of its 500 employees are located in a single building. The workstation-to-employee ratio is roughly 2:1, resulting in a total of 1,000 workstations. Additionally, there are about 1,000 servers, including file, Web, database, and application servers.

Servers play different roles and are administered by different groups of administrators, depending on the resource to which they belong.

Table 35 shows the number of users, workstations, and servers that are stored in the RandD business unit in the Chicago location.

Table 35   Users, Workstations, and Servers in the RandD Business Unit

Location   Users   Workstations   Servers
Chicago    5,000   10,000         1,000

Table 36 shows the number of servers of each type in the RandD business unit.

Table 36   Distribution of Server Types in RandD Business Unit

Location   File Servers   Web Servers   Database Servers   Application Servers
Chicago    800            50            100                50

RandD Administrative and Group Policy Requirements

Administrative requirements for the RandD business unit include the management of users, workstations, and resources, as follows:

  • User Account Management. All users are managed by a single account management team.

  • Workstation Management. All workstations are managed by a single workstation management team that is located on site.

  • Resource Management. Four types of resources must be managed: file servers, Web portals, database servers, and applications that are hosted on servers. For every type of resource, there is one administrative group that has overall responsibility for that type of resource. These administrative groups require the ability to sub-delegate resource management to different administrative teams.

Group Policy requirements include the settings that must be applied for different types of user accounts, for workstations (both desktop and portable computers), and for resources according to resource type, as follows:

  • User Accounts. Requirements for folder redirection and other user configuration settings necessitate that different Group Policy settings be applied for development accounts and research accounts.

  • Workstations. Requirements for scripts and other computer configuration settings necessitate that different Group Policy settings be applied for desktop and portable computers.

  • Resources. Computer configuration settings necessitate that different Group Policy settings be applied for different kinds of resources and might require the application of specific Group Policy settings for the various specific resources.

RandD OU Structure Based on Administrative and Group Policy Requirements

Figure 15 shows the OU structure for the RandD OU that accommodates its administrative and Group Policy requirements.


Table 37 shows the rationale for the OU structure shown in Figure 15.

Table 37   Purpose of Each OU in the RandD Business Unit OU Hierarchy

Organizational Unit             Purpose
User Accounts                   Main OU to store user accounts; delegation point for Account Admins role
User Accounts\Research          Used to apply Group Policy for research user accounts
User Accounts\Development       Used to apply Group Policy for development user accounts
Workstations                    Main OU to store computer accounts for workstations; delegation point for Workstation Admins role
Workstations\Desktops           Used to apply Group Policy for computer accounts for desktops
Workstations\Laptops            Used to apply Group Policy for computer accounts for laptops
Resources                       Main OU to store computer accounts for servers hosting resources; delegation point for Resource Admins role
Resources\File Servers          Main OU to store computer accounts for file servers; used to apply Group Policy for file servers
Resources\Web Servers           Main OU to store computer accounts for Web servers; used to apply Group Policy for Web servers
Resources\Database Servers      Main OU to store computer accounts for database servers; used to apply Group Policy for database servers
Resources\Application Servers   Main OU to store computer accounts for application servers; used to apply Group Policy for application servers

RandD Role Instances Based on Business Unit Requirements

On the basis of the RandD business unit requirements, the following role instances must be created:

  • User Account management. Because a single group is responsible for all aspects of user account management, one instance of the Account Admins role should meet the requirements.

  • Workstation management. Because a single group is responsible for all aspects of workstation account management, one instance of the Workstation Admins role should meet the requirements.

  • Resource management. Because a single administrative group has overall responsibility for resource account management, one instance of the Resource Admins role is required for this group. Additionally, this group requires the ability to sub-delegate authority to other administrative groups and thus is responsible for creating as many instances of the Resource Admins role as needed.

Note that the role instance for the single Resource Admins group that has the power to sub-delegate encompasses all aspects of resource administration. Although the specific instances that are sub-delegated receive more limited authority, they are still Resource Admins roles. By granting this one Resource Admins role the ability to sub-delegate, the data owners understand that they are effectively granting this role instance the ability to create OUs, and hence to create data such as users and workstations. Although the data owners have made these actions technically possible for the administrators to whom the role is delegated, they have implemented specific business policies stating that Resource Admins who misuse their granted authority will be subject to punitive action up to and including termination of employment.

Table 38 shows the model creation template that the data owners fill out to document the RandD Account Admins role.

Table 38   Model Creation Template for RandD Account Admins Role

Field                     Assignment Information
Role Instance Name        RandD Account Admins
Instance of               Account Admins
Instance Number           1 of 1
Assigned Administrators   Joe, Mike, Sara, Kevin
Assigned Tasks            Manage all aspects of account management
Security Group            Implementation
Permissions Assigned      Implementation
Notes                     Creation/Implementation

Table 39 shows the model creation template that the data owners fill out to document the RandD Workstation Admins role.

Table 39   Model Creation Template for RandD Workstation Admins Role

Field                     Assignment Information
Role Instance Name        RandD Workstation Admins
Instance of               Account Admins
Instance Number           1 of 1
Assigned Administrators   Eugene, Larry, Andy, Peter
Assigned Tasks            Manage all aspects of workstation management
Security Group            Implementation
Permissions Assigned      Implementation
Notes                     Creation/Implementation

Table 40 shows the model creation template that the data owners fill out to document the RandD Resource Admins role.

Table 40   Model Creation Template for RandD Resource Admins Role

Field                     Assignment Information
Role Instance Name        RandD Resource Admins
Instance of               Account Admins
Instance Number           1 of n, where n = as many as needed over time
Assigned Administrators   Deborah, Paul
Assigned Tasks            Overall responsibility for all aspects of resource management
Security Group            Implementation
Permissions Assigned      Implementation
Notes                     Creation/Implementation
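The RandD OU hierarchy of Table 37 and the three role instances of Tables 38 through 40, built and delegated as one PowerShell script. This is an added example, not code from the guide; it assumes the RandD business unit OU lives in noam.concorp.contoso.com with NetBIOS name NOAM (the guide does not name RandD's domain), that role groups are kept in the RandD OU, and that the ActiveDirectory module and dsacls.exe are available (the guide targets Windows Server 2003, where dsadd would create the objects and dsacls applies the same ACEs).

```powershell
# Added example (not from the Microsoft guide): builds the Table 37 OU tree, creates one
# security group per role instance (Tables 38-40) and delegates each group at its
# delegation point with only the rights that role needs.
Import-Module ActiveDirectory

$domainDn = 'DC=noam,DC=concorp,DC=contoso,DC=com'   # assumption: RandD's domain
$netbios  = 'NOAM'                                    # assumption: NetBIOS name of that domain
$randdDn  = "OU=RandD,$domainDn"                      # business unit OU created in Step 3
$groupOu  = $randdDn                                  # assumption: where role groups are stored

# OU hierarchy of Table 37 (name, parent DN); parents are listed before their children.
$ouTree = @(
    @{ Name = 'User Accounts';       Parent = $randdDn },
    @{ Name = 'Research';            Parent = "OU=User Accounts,$randdDn" },
    @{ Name = 'Development';         Parent = "OU=User Accounts,$randdDn" },
    @{ Name = 'Workstations';        Parent = $randdDn },
    @{ Name = 'Desktops';            Parent = "OU=Workstations,$randdDn" },
    @{ Name = 'Laptops';             Parent = "OU=Workstations,$randdDn" },
    @{ Name = 'Resources';           Parent = $randdDn },
    @{ Name = 'File Servers';        Parent = "OU=Resources,$randdDn" },
    @{ Name = 'Web Servers';         Parent = "OU=Resources,$randdDn" },
    @{ Name = 'Database Servers';    Parent = "OU=Resources,$randdDn" },
    @{ Name = 'Application Servers'; Parent = "OU=Resources,$randdDn" }
)

# Role instances of Tables 38-40: group, delegation point, delegated object class, and
# whether the instance may sub-delegate (create OUs beneath its delegation point).
$roles = @(
    @{ Group = 'RandD Account Admins';     Ou = "OU=User Accounts,$randdDn"; Class = 'user';     SubDelegate = $false },
    @{ Group = 'RandD Workstation Admins'; Ou = "OU=Workstations,$randdDn";  Class = 'computer'; SubDelegate = $false },
    @{ Group = 'RandD Resource Admins';    Ou = "OU=Resources,$randdDn";     Class = 'computer'; SubDelegate = $true  }
)

function New-OuIfMissing {
    param([string]$Name, [string]$ParentDn)
    $dn = "OU=$Name,$ParentDn"
    if (-not (Get-ADOrganizationalUnit -Filter "distinguishedName -eq '$dn'")) {
        # Deletion protection keeps a delegated admin from removing a delegation point by mistake.
        New-ADOrganizationalUnit -Name $Name -Path $ParentDn -ProtectedFromAccidentalDeletion $true
    }
    return $dn
}

function Grant-RoleDelegation {
    param([string]$Group, [string]$OuDn, [string]$ObjectClass, [bool]$SubDelegate)
    $principal = "$netbios\$Group"
    # Create/delete objects of the delegated class at the delegation point and in every
    # OU beneath it (/I:T = this object and all sub-objects).
    & dsacls.exe $OuDn /I:T /G "${principal}:CCDC;$ObjectClass" | Out-Null
    # Full control over existing objects of that class only (/I:S = sub-objects only;
    # the third field limits the ACE to objects of that class, so OUs stay untouched).
    & dsacls.exe $OuDn /I:S /G "${principal}:GA;;$ObjectClass" | Out-Null
    if ($SubDelegate) {
        # Only the sub-delegating instance may create OUs and rewrite their DACLs; as the
        # guide notes, this is what lets it create further data beneath its point.
        & dsacls.exe $OuDn /I:T /G "${principal}:CCDC;organizationalUnit" | Out-Null
        & dsacls.exe $OuDn /I:S /G "${principal}:WD;;organizationalUnit"  | Out-Null
    }
}

foreach ($ou in $ouTree) { $null = New-OuIfMissing -Name $ou.Name -ParentDn $ou.Parent }

foreach ($role in $roles) {
    if (-not (Get-ADGroup -Filter "name -eq '$($role.Group)'")) {
        # Global security group for the role instance; the administrators named in the
        # template become its members at implementation time.
        New-ADGroup -Name $role.Group -GroupScope Global -GroupCategory Security -Path $groupOu
    }
    Grant-RoleDelegation -Group $role.Group -OuDn $role.Ou -ObjectClass $role.Class -SubDelegate $role.SubDelegate
}
```

Run it once as a data owner after Step 3; re-running is safe because OUs and groups are created only when absent and dsacls /G adds an ACE that is already present without duplicating it.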

Creating the Delegation Model for the Production Business Unit

This business unit is based in Atlanta and is responsible for all content for the Atlanta production facility. Approximately 300 employees work for this business unit and approximately 500 workstations are in use at the production facility. Approximately 320 servers provide various required services.

Atlanta has two physical locations that are approximately five miles apart. The servers in these locations play different roles and are managed by different groups of administrators according to resource type.

Because all data for this business unit is physically located in Atlanta, all of its content is stored only in the noam.concorp.contoso.com domain.

Table 41 shows the number of users, workstations, and servers that are stored in the Production business unit in the Atlanta location.

Table 41   Users, Workstations, and Servers in the Production Business Unit

Location   Users   Workstations   Servers
Atlanta    300     500            320

Table 42 shows the number of servers of each type in the Production business unit.

Table 42   Distribution of Server Types in the Production Business Unit

Location   File Servers   Web Servers   Database Servers   Application Servers
Atlanta    300            20            100                100

Production Administrative and Group Policy Requirements

Administrative requirements for the Production business unit include the management of users, workstations, and resources, as follows:

  • User Account Management. All user accounts are managed by a single account management team.

  • Workstation Management. Each physical location has a separate team that is responsible for managing workstations.

  • Resource Management. Three production applications are run in the production facility. Each application has its own file, Web, database, and application servers. In addition, some file, Web, database, and application servers are common to the entire facility. Each of the three applications has its own administrators, and one group of administrators is responsible for managing the common servers.

Group Policy requirements include the settings that must be applied for different types of user accounts, for workstations (both desktops and laptops), and for resources according to the resource type, as follows:

  • User Accounts. One common Group Policy applies to all user accounts in the production business unit.

  • Workstations. Requirements for scripting and other computer configuration settings necessitate different Group Policy settings for desktop and portable computers.

  • Resources. Computer configuration settings necessitate that different Group Policy settings be applied for different kinds of resources and might require the application of specific Group Policy settings for the various specific resources.

Production OU Structure Based on Administrative and Group Policy Requirements

Figure 16 shows the OU structure for the Production OU that accommodates its administrative and Group Policy requirements.


Table 43 shows the rationale for the OU structure shown in Figure 16.

Table 43   Purpose of Each OU in the Production Business Unit OU Hierarchy

Organizational Unit                 Purpose
Accounts                            Main OU to store accounts; delegation point for Account Admins role
Workstations                        Main OU to store workstation computer accounts; delegation point for Workstation Admins role
Workstations\Desktops               Used to apply Group Policy for desktops
Workstations\Laptops                Used to apply Group Policy for portable computers
Resources                           Main OU to store servers comprising resources
Resources\Production Application 1  Main OU to store all servers that are part of Application 1 — includes file, Web, database and application servers
Resources\Production Application 2  Main OU to store all servers that are part of Application 2 — includes file, Web, database and application servers
Resources\Production Application 3  Main OU to store all servers that are part of Application 3 — includes file, Web, database and application servers
Resources\Common Resources          Main OU to store all servers that are part of the common resource pool

Production Role Instances Based on Business Unit Requirements

On the basis of the Production business unit requirements, the following role instances will be created:

  • Account Management. Because a single group is responsible for all aspects of account management, one instance of the Account Admins role should meet the requirements.

  • Workstation Management. Because a different administrative group is required for each of the two physical locations in Atlanta, two instances of the Workstation Admins role should meet the requirements.

  • Resource Management. Based on the business unit requirements, a total of four Resource Admins role instances is required — one each for the three production applications and one for the common set of resources.

Table 44 shows the model creation template that the data owners fill out to document the Production Account Admins role.

Table 44   Model Creation Template for Production Account Admins Role

Field                     Assignment Information
Role Instance Name        Production Account Admins
Instance of               Account Admins
Instance Number           1 of 1
Assigned Administrators   Sandra
Assigned Tasks            Manage all aspects of account management
Security Group            Implementation
Permissions Assigned      Implementation
Notes                     Creation and implementation

Table 45 shows the model creation template that the data owners fill out to document the Production Workstation Admins role in the first Atlanta location.

Table 45   Model Creation Template for Production Workstation Admins Role in Location 1

Field                     Assignment Information
Role Instance Name        Production Location 1 Workstation Admins
Instance of               Workstation Admins
Instance Number           1 of 2
Assigned Administrators   Michael, Dave
Assigned Tasks            Manage all aspects of workstation management for Location 1
Security Group            Implementation
Permissions Assigned      Implementation
Notes                     Creation and implementation

Table 46 shows the model creation template that the data owners fill out to document the Production Workstation Admins role in the second Atlanta location.

Table 46   Model Creation Template for Production Workstation Admins Role in Location 2

Field                     Assignment Information
Role Instance Name        Production Location 2 Workstation Admins
Instance of               Workstation Admins
Instance Number           2 of 2
Assigned Administrators   Adam, Charlotte
Assigned Tasks            Manage all aspects of workstation management for Location 2
Security Group            Implementation
Permissions Assigned      Implementation
Notes                     Creation and implementation

Table 47 shows the model creation template that the data owners fill out to document the Production Resource Admins role for the first application.

Table 47   Model Creation Template for Production Resource Admins Role for Application 1

Field                     Assignment Information
Role Instance Name        Production Application 1 Resource Admins
Instance of               Resource Admins
Instance Number           1 of 4
Assigned Administrators   Nick, Wade
Assigned Tasks            Overall responsibility for all aspects of resource management for application 1
Security Group            Implementation
Permissions Assigned      Implementation
Notes                     Creation and implementation

Table 48 shows the model creation template that the data owners fill out to document the Production Resource Admins role for the second application.

Table 48   Model Creation Template for Production Resource Admins Role for Application 2

Field                     Assignment Information
Role Instance Name        Production Application 2 Resource Admins
Instance of               Resource Admins
Instance Number           2 of 4
Assigned Administrators   Jennifer, Brad
Assigned Tasks            Overall responsibility for all aspects of resource management for application 2
Security Group            Implementation
Permissions Assigned      Implementation
Notes                     Creation and implementation

Table 49 shows the model creation template that the data owners fill out to document the Production Resource Admins role for the third application.

Table 49   Model Creation Template for Production Resource Admins Role for Application 3

Field                     Assignment Information
Role Instance Name        Production Application 3 Resource Admins
Instance of               Resource Admins
Instance Number           3 of 4
Assigned Administrators   Scott, Laura
Assigned Tasks            Overall responsibility for all aspects of resource management for application 3
Security Group            Implementation
Permissions Assigned      Implementation
Notes                     Creation and implementation

Table 50 shows the model creation template that the data owners fill out to document the Production Resource Admins role for the common set of resources.

Table 50   Model Creation Template for Production Resource Admins Role for Common Resources

Field                     Assignment Information
Role Instance Name        Production Common Resource Admins
Instance of               Resource Admins
Instance Number           4 of 4
Assigned Administrators   Jim, Justin
Assigned Tasks            Overall responsibility for all aspects of resource management common to the Production business unit
Security Group            Implementation
Permissions Assigned      Implementation
Notes                     Creation and implementation
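A check that the ACLs actually in the directory still match the Production model of Tables 43 through 50: an added example, not the guide's own code. It assumes the Production OU is OU=Production in noam.concorp.contoso.com (the guide states the domain but not the OU name), that the role groups carry the Role Instance Name values of Tables 44 through 50, and that the ActiveDirectory module, which provides the AD: drive, is available.

```powershell
# Added example (not from the Microsoft guide): audits the explicit ACEs at each Production
# delegation point (Table 43) against the role groups of Tables 44-50. Two kinds of drift
# are reported: a principal outside the model holding write-class rights, and a modelled
# role holding rights that let it grow its own authority (creating OUs or rewriting DACLs),
# which the Production model never grants because it has no sub-delegating instance.
Import-Module ActiveDirectory

$prodDn = 'OU=Production,DC=noam,DC=concorp,DC=contoso,DC=com'   # assumption: Production OU DN

# Delegation points of Table 43 and the role group(s) the model assigns to each. The
# Resources OU itself is only a container, so no group may hold write rights there.
$model = @(
    @{ Ou = "OU=Accounts,$prodDn";     Groups = @('Production Account Admins') },
    @{ Ou = "OU=Workstations,$prodDn"; Groups = @('Production Location 1 Workstation Admins',
                                                  'Production Location 2 Workstation Admins') },
    @{ Ou = "OU=Resources,$prodDn";    Groups = @() },
    @{ Ou = "OU=Production Application 1,OU=Resources,$prodDn"; Groups = @('Production Application 1 Resource Admins') },
    @{ Ou = "OU=Production Application 2,OU=Resources,$prodDn"; Groups = @('Production Application 2 Resource Admins') },
    @{ Ou = "OU=Production Application 3,OU=Resources,$prodDn"; Groups = @('Production Application 3 Resource Admins') },
    @{ Ou = "OU=Common Resources,OU=Resources,$prodDn";         Groups = @('Production Common Resource Admins') }
)

# Resolve the organizationalUnit class GUID from the schema instead of hard-coding it.
$schemaNc    = (Get-ADRootDSE).schemaNamingContext
$ouClass     = Get-ADObject -SearchBase $schemaNc -LDAPFilter '(lDAPDisplayName=organizationalUnit)' -Properties schemaIDGUID
$ouClassGuid = New-Object System.Guid -ArgumentList (,[byte[]]$ouClass.schemaIDGUID)

# Principals that hold rights on every new OU through the schema defaults, not through delegation.
$defaultPrincipals = '^(NT AUTHORITY\\SYSTEM|NT AUTHORITY\\ENTERPRISE DOMAIN CONTROLLERS|BUILTIN\\(Account|Print) Operators|.+\\(Domain|Enterprise) Admins)$'
$writeRights = [int][System.DirectoryServices.ActiveDirectoryRights]'CreateChild, DeleteChild, WriteProperty, WriteDacl, WriteOwner, GenericAll, GenericWrite, Delete, DeleteTree, ExtendedRight'
$createChild = [int][System.DirectoryServices.ActiveDirectoryRights]::CreateChild
$writeDacl   = [int][System.DirectoryServices.ActiveDirectoryRights]::WriteDacl
$inheritOnly = [int][System.Security.AccessControl.PropagationFlags]::InheritOnly

function Test-DelegationPoint {
    param([string]$OuDn, [string[]]$ExpectedGroups)
    $findings = @()
    foreach ($ace in (Get-Acl -Path "AD:\$OuDn").Access) {
        # Only explicit Allow ACEs set at this OU describe the delegation made here.
        if ($ace.IsInherited -or $ace.AccessControlType -ne 'Allow') { continue }
        $who = $ace.IdentityReference.Value
        if ($who -match $defaultPrincipals) { continue }
        $aceRights = [int]$ace.ActiveDirectoryRights
        if (($aceRights -band $writeRights) -eq 0) { continue }   # read-only ACE, not a delegation
        if ($ExpectedGroups -notcontains ($who -replace '^.*\\', '')) {
            $findings += [pscustomobject]@{ OU = $OuDn; Principal = $who; Rights = $ace.ActiveDirectoryRights; Finding = 'Principal not in the model' }
            continue
        }
        # Does the ACE reach this OU or child OUs, rather than only users/computers beneath it?
        $isInheritOnly = ([int]$ace.PropagationFlags -band $inheritOnly) -ne 0
        $appliesToOus  = (-not $isInheritOnly) -or ($ace.InheritedObjectType -eq [guid]::Empty) -or ($ace.InheritedObjectType -eq $ouClassGuid)
        $canCreateOu   = (($aceRights -band $createChild) -ne 0) -and (($ace.ObjectType -eq [guid]::Empty) -or ($ace.ObjectType -eq $ouClassGuid))
        $canWriteDacl  = ($aceRights -band $writeDacl) -ne 0
        if ($appliesToOus -and ($canCreateOu -or $canWriteDacl)) {
            $findings += [pscustomobject]@{ OU = $OuDn; Principal = $who; Rights = $ace.ActiveDirectoryRights; Finding = 'Role can create OUs or change permissions; the Production model grants no sub-delegation' }
        }
    }
    return $findings
}

$report = foreach ($point in $model) { Test-DelegationPoint -OuDn $point.Ou -ExpectedGroups $point.Groups }
if ($report) { $report | Format-Table -AutoSize } else { 'All Production delegation points match the model.' }
```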

Creating the Delegation Model for the Bus Mgmt Business Unit

This business unit has two main divisions — business management and sales. The business management unit is based in Chicago and includes the product planning, legal, marketing, and other groups. The marketing and legal business management teams and the sales team are spread over different physical locations across North America and Europe.

Approximately 550 employees work for the Bus Mgmt business unit. The sales division is the largest division, with 400 employees. Each sales representative has a portable computer. All users in this business unit have a portable computer and a desktop, making a total of 700 managed workstations. Additionally, about 250 servers provide various required services.

Table 51 shows the number of user, workstation, and server accounts that are stored in the Bus Mgmt business unit in the Chicago and London locations.

Table 51   Users, Workstations, and Servers in the Bus Mgmt Business Unit

Locations         Users   Workstations   Servers
Chicago, London   5,500   7,000          250

Table 52 shows the number of user, workstation, and server accounts that are stored in the Bus Mgmt business unit in the Chicago and London locations, separated by each division. Because business unit users are based across two different continents, business unit content is distributed across the two domains noam.concorp.contoso.com and europe.concorp.contoso.com.

Table 52   Users, Workstations, and Servers in the Bus Mgmt Business Unit

Division    Locations                                Users   Workstations   Servers
Planning    Chicago                                  300     600            50
Marketing   Chicago, London                          500     1,000          40
Legal       Chicago, London                          300     600            30
Sales       Chicago, New York, London, Paris, Rome   4,000   4,000          100
Other       Chicago                                  400     800            30

Table 53 shows the number of servers of each type in the Bus Mgmt business unit.

Table 53   Distribution of Server Types in Bus Mgmt Business Unit

Locations         File Servers   Web Servers   Database Servers   Application Servers
Chicago, London   120            45            50                 35

Bus Mgmt Administrative and Group Policy Requirements

Administrative requirements for the Bus Mgmt business unit include the management of users, workstations, and resources, as follows:

  • User Account Management. All user accounts in North America are centrally managed by one administrative group based in Chicago. All user accounts in Europe are centrally managed by one administrative group based in London.

  • Workstation Management. Each physical location has a separate team responsible for managing workstations.

  • Resource Management. All business applications are hosted on servers in Chicago and managed by one administrative group based in Chicago. Each location has one local administrative group responsible for managing all locally hosted resources.

Group Policy requirements include the settings that must be applied for different types of accounts, for workstations (both desktop and portable computers), and for resources according to the resource type, as follows:

  • User Accounts. All user accounts in North America need one Group Policy for user configuration settings. Similarly, all accounts in Europe need one Group Policy for user configuration settings. Additionally all users in each division need a common user configuration policy.

  • Workstations. Requirements for scripts and other computer configuration settings necessitate that different Group Policy settings be applied for desktop and portable computers.

  • Resources. Computer configuration settings necessitate that different Group Policy settings be applied for different kinds of resources and might require the application of specific Group Policy settings for the various specific resources.

Bus Mgmt OU Structure Based on Administrative and Group Policy Requirements

Figure 17 shows the OU structure for the Bus Mgmt OU that accommodates the administrative and Group Policy requirements for the noam.concorp.contoso.com domain.


Table 54 shows the rationale for the OU structure for noam.concorp.contoso.com shown in Figure 17.

Table 54   Purpose of Each OU in the Bus Mgmt Business Unit OU Hierarchy in noam.concorp.contoso.com

Organizational Unit                                    Purpose
User Accounts                                          Main OU to store user accounts; delegation point for Account Admins role
User Accounts\Planning                                 Used to apply Group Policy for all users in Planning
User Accounts\Marketing                                Used to apply Group Policy for all users in Marketing
User Accounts\Legal                                    Used to apply Group Policy for all users in Legal
User Accounts\Sales                                    Used to apply Group Policy for all users in Sales
User Accounts\Other                                    Used to apply Group Policy for all other users in the business unit
Workstations                                           Main OU to store workstation computer accounts; delegation point for Workstation Admins role
Workstations\Chicago                                   Used to delegate workstation management for all workstations in Chicago to the local administrative group
Workstations\New York                                  Used to delegate workstation management for all workstations in New York to the local administrative group
Resources                                              Main OU to store servers comprising resources
Resources\Business Applications                        Used to delegate resource management of all servers involved in hosting all business applications to one administrative group
Resources\Business Applications\Application 1..n       Used to collectively store and manage all servers that are part of some business application
Resources\Chicago                                      Used to delegate resource management for all other resources in Chicago to the local administrative group
Resources\New York                                     Used to delegate workstation management for all other resources in New York to the local administrative group
Resources\X\File, Web, Database, Application servers   OU structure to store servers for common resources in location X

Figure 18 shows the OU structure for the Bus Mgmt OU that accommodates the administrative and Group Policy requirements for the europe.concorp.contoso.com domain.


Table 55 shows the rationale for the OU structure for europe.concorp.contoso.com shown in Figure 18.

Table 55   Purpose of Each OU in the Bus Mgmt Business Unit OU Hierarchy in europe.concorp.contoso.com

Organizational Unit                                    Purpose
Accounts                                               Main OU to store accounts; delegation point for Account Admins role
Accounts\Legal                                         Used to apply Group Policy for all users in Legal
Accounts\Sales                                         Used to apply Group Policy for all users in Sales
Accounts\Other                                         Used to apply Group Policy for all other users in the business unit
Workstations                                           Main OU to store workstation computer accounts; delegation point for the Workstation Admins role
Workstations\London                                    Used to delegate workstation management for all workstations in London to the local administrative group
Workstations\Paris                                     Used to delegate workstation management for all workstations in Paris to the local administrative group
Workstations\Rome                                      Used to delegate workstation management for all workstations in Rome to the local administrative group
Resources                                              Main OU to store servers comprising resources
Resources\Business Applications                        Used to delegate resource management of all servers involved in hosting all business applications to one administrative group
Resources\Business Applications\Application 1..n       Used to collectively store and manage all servers that are part of some business application
Resources\London                                       Used to delegate workstation management for all other resources in London to the local administrative group
Resources\Paris                                        Used to delegate workstation management for all other resources in Paris to the local administrative group
Resources\Rome                                         Used to delegate workstation management for all other resources in Rome to the local administrative group
Resources\X\File, Web, Database, Application servers   OU structure to store servers for common resources in location X in an organized fashion

Bus Mgmt Role Instances Based on Business Unit Requirements

On the basis of the Bus Mgmt business unit requirements, the following role instances must be created:

  • User Account Management. Because one group is responsible for account management for North America and one for Europe, two instances of the Account Admins role will be needed.

    Note

    One group is instantiated in the noam.concorp.contoso.com domain and one in the europe.concorp.contoso.com domain.

  • Workstation Management. Because a different administrative group is required for each of the five physical locations, five instances of the Workstation Admins role are required.

    Note

    Certain groups are shared across both the noam.concorp.contoso.com and the europe.concorp.contoso.com domains.

  • Resource Management. Based on the business unit requirements, one Resource Admins role instance is required to manage all servers that belong to the business applications hosted in Chicago, and one instance of the Resource Admins role is required for each of the business unit's five physical locations, for a total of six role instances.

Table 56 shows the model creation template that the data owners fill out to document the Bus Mgmt NOAM Account Admins role.

Table 56   Model Creation Template for Bus Mgmt NOAM Account Admins Role

Field                     Assignment Information
Role Instance Name        Business Mgmt NOAM Account Admins
Instance of               Account Admins
Instance Number           1 of 2
Assigned Administrators   Danielle, Jason
Assigned Tasks            Manage all aspects of account management for all accounts in North America
Security Group            Implementation
Permissions Assigned      Implementation
Notes                     Creation and implementation

Table 57 shows the model creation template that the data owners fill out to document the Bus Mgmt Europe Account Admins role.

Table 57   Model Creation Template for Bus Mgmt Europe Account Admins Role

Field                     Assignment Information
Role Instance Name        Business Mgmt Europe Account Admins
Instance of               Account Admins
Instance Number           2 of 2
Assigned Administrators   Robert, Michelle
Assigned Tasks            Manage all aspects of account management for all accounts in Europe
Security Group            Implementation
Permissions Assigned      Implementation
Notes                     Creation and implementation

Table 58 shows the model creation template that the data owners fill out to document the Bus Mgmt Chicago Workstation Admins role.

Table 58   Model Creation Template for Bus Mgmt Chicago Workstation Admins Role

Field                     Assignment Information
Role Instance Name        Business Mgmt Chicago Workstation Admins
Instance of               Workstation Admins
Instance Number           1 of 5
Assigned Administrators   Janet, Harold
Assigned Tasks            Manage all aspects of workstation management for all workstations in Chicago
Security Group            Implementation
Permissions Assigned      Implementation
Notes                     Creation and implementation

Table 59 shows the model creation template that the data owners fill out to document the Bus Mgmt London Workstation Admins role.

Table 59   Model Creation Template for Bus Mgmt London Workstation Admins Role

Field                     Assignment Information
Role Instance Name        Business Mgmt London Workstation Admins
Instance of               Workstation Admins
Instance Number           2 of 5
Assigned Administrators   Stuart, Ken
Assigned Tasks            Manage all aspects of workstation management for all workstations in London
Security Group            Implementation
Permissions Assigned      Implementation
Notes                     Creation and implementation

Table 60 shows the model creation template that the data owners fill out to document the Bus Mgmt New York Workstation Admins role.

Table 60   Model Creation Template for Bus Mgmt New York Workstation Admins Role

Field                     Assignment Information
Role Instance Name        Business Mgmt New York Workstation Admins
Instance of               Workstation Admins
Instance Number           3 of 5
Assigned Administrators   Linda, Steve
Assigned Tasks            Manage all aspects of workstation management for all workstations in New York
Security Group            Implementation
Permissions Assigned      Implementation
Notes                     Creation and implementation

Table 61 shows the model creation template that the data owners fill out to document the Bus Mgmt Paris Workstation Admins role.

Table 61   Model Creation Template for Bus Mgmt Paris Workstation Admins Role

Field                     Assignment Information
Role Instance Name        Business Mgmt Paris Workstation Admins
Instance of               Workstation Admins
Instance Number           4 of 5
Assigned Administrators   Marc, Sara
Assigned Tasks            Manage all aspects of workstation management for all workstations in Paris
Security Group            Implementation
Permissions Assigned      Implementation
Notes                     Creation and implementation

Table 62 shows the model creation template that the data owners fill out to document the Bus Mgmt Rome Workstation Admins role.

Table 62   Model Creation Template for Bus Mgmt Rome Workstation Admins Role

Field                     Assignment Information
Role Instance Name        Business Mgmt Rome Workstation Admins
Instance of               Workstation Admins
Instance Number           5 of 5
Assigned Administrators   Victor, Rosa
Assigned Tasks            Manage all aspects of workstation management for all workstations in Rome
Security Group            Implementation
Permissions Assigned      Implementation
Notes                     Creation and implementation

Table 63 shows the model creation template that the data owners fill out to document the Bus Mgmt Application Admins role.

Table 63   Model Creation Template for Bus Mgmt Application Admins Role

Field                     Assignment Information
Role Instance Name        Business Mgmt Application Admins
Instance of               Resource Admins
Instance Number           1 of 6
Assigned Administrators   Fred, Glenn
Assigned Tasks            Manage all aspects of all business management business unit applications
Security Group            Implementation
Permissions Assigned      Implementation
Notes                     Creation and implementation

Table 64 shows the model creation template that the data owners fill out to document the Bus Mgmt Chicago Resource Admins role.

Table 64   Model Creation Template for Bus Mgmt Chicago Resource Admins Role

Field                     Assignment Information
Role Instance Name        Business Mgmt Chicago Resource Admins
Instance of               Resource Admins
Instance Number           2 of 6
Assigned Administrators   Kristen, Terry
Assigned Tasks            Manage all aspects of other business management business unit resources in Chicago
Security Group            Implementation
Permissions Assigned      Implementation
Notes                     Creation and implementation

Table 65 shows the model creation template that the data owners fill out to document the Bus Mgmt London Resource Admins role.

Table 65   Model Creation Template for Bus Mgmt London Resource Admins Role

Field                     Assignment Information
Role Instance Name        Business Mgmt London Resource Admins
Instance of               Resource Admins
Instance Number           3 of 6
Assigned Administrators   Ron, Allison
Assigned Tasks            Manage all aspects of other business management business unit resources in London
Security Group            Implementation
Permissions Assigned      Implementation
Notes                     Creation and implementation

Table 66 shows the model creation template that the data owners fill out to document the Bus Mgmt New York Resource Admins role.

Table 66   Model Creation Template for Bus Mgmt New York Resource Admins Role

Field                     Assignment Information
Role Instance Name        Business Mgmt New York Resource Admins
Instance of               Resource Admins
Instance Number           4 of 6
Assigned Administrators   Chris, Julian
Assigned Tasks            Manage all aspects of other business management business unit resources in New York
Security Group            Implementation
Permissions Assigned      Implementation
Notes                     Creation and implementation

Table 67 shows the model creation template that the data owners fill out to document the Bus Mgmt Paris Resource Admins role.

Table 67   Model Creation Template for Bus Mgmt Paris Resource Admins Role

Field                     Assignment Information
Role Instance Name        Business Mgmt Paris Resource Admins
Instance of               Resource Admins
Instance Number           5 of 6
Assigned Administrators   Albert, Emile
Assigned Tasks            Manage all aspects of other business management business unit resources in Paris
Security Group            Implementation
Permissions Assigned      Implementation
Notes                     Creation and implementation

Table 68 shows the model creation template that the data owners fill out to document the Bus Mgmt Rome Resource Admins role.

Table 68   Model Creation Template for Bus Mgmt Rome Resource Admins Role

Field                     Assignment Information
Role Instance Name        Business Mgmt Rome Resource Admins
Instance of               Resource Admins
Instance Number           6 of 6
Assigned Administrators   David, Thomas
Assigned Tasks            Manage all aspects of other business management business unit resources in Rome
Security Group            Implementation
Permissions Assigned      Implementation
Notes                     Creation and implementation

Creating the Delegation Model for the IT Business Unit

The IT business unit includes all the administrative personnel responsible for managing all IT resources and providing IT support for Contoso Pharmaceuticals.

Approximately 250 administrative personnel and 500 workstations are distributed across all physical locations of this business unit. Approximately 100 servers provide various services to users; for example, an internal Web-based application lets end users report issues and request assistance, one set of servers provides Web-based documentation, and another set provides an internal tracking and monitoring system.

Table 69 shows the number of user accounts, workstations, and servers that are stored in the IT business unit.

Table 69   Users, Workstations, and Servers in the IT Business Unit

Locations                                         Users   Workstations   Servers
Chicago, Atlanta, New York, London, Paris, Rome   2,500   5,000          100

Table 70 shows the number of servers of each type in the IT business unit.

Table 70   Distribution of Server Types in the IT Business Unit

Business Unit   File Servers   Web Servers   Database Servers   Application Servers
IT              30             30            20                 20

IT Administrative and Group Policy Requirements

Administrative requirements for the IT business unit include the management of accounts, workstations, and resources, as follows:

  • User Account Management. All user accounts in the IT business unit in North America are centrally managed by one administrative group based in Chicago. All user accounts in Europe are centrally managed by one administrative group based in London.

  • Workstation Management. All workstations in the IT business unit are locally managed by separate administrative groups.

  • Resource Management. All IT applications are hosted on servers in Chicago and managed by one administrative group based in Chicago. Each location has one local administrative group that is responsible for managing all locally hosted resources.

Group Policy requirements include the settings that must be applied for different types of user accounts, workstations (both desktop and portable computers), and resources according to resource type, as follows:

  • User Accounts. All user accounts in North America require one Group Policy for user configuration settings. Similarly, all accounts in Europe need one Group Policy for user configuration settings.

  • Workstations. All workstations in North America require one Group Policy for computer configuration settings and all workstations in Europe need one Group Policy for computer configuration settings.

  • Resources. Each kind of resource needs its own computer configuration settings, so different Group Policy settings are applied per resource type, and individual resources might additionally require Group Policy settings specific to them.

IT OU Structure Based on Administrative and Group Policy Requirements

Figure 19 shows the OU structure for the IT OU that accommodates the administrative and Group Policy requirements for the noam.concorp.contoso.com domain.

Figure 20 shows the OU structure for the IT OU that accommodates the administrative and Group Policy requirements for the europe.concorp.contoso.com domain.

IT Role Instances Based on Business Unit Requirements

On the basis of the IT business unit requirements, the following role instances must be created:

  • User Account Management. Because one group is responsible for account management for North America and one for Europe, two instances of the Account Admins role are needed.

    Note

    One group is instantiated in the noam.concorp.contoso.com domain and one in the europe.concorp.contoso.com domain.

  • Workstation Management. Because a different administrative group is required for each of the five physical locations, five instances of the Workstation Admins role are required.

    Note

    Certain groups are shared across both the noam.concorp.contoso.com domain and the europe.concorp.contoso.com domain.

  • Resource Management. Based on the business unit requirements, one instance of the Resource Admins role is required to manage all the servers that belong to the IT applications in Chicago, and one further instance of the Resource Admins role is required for every physical location where this business unit is located.
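As an added example that is not part of the guide, the following PowerShell creates the noam.concorp.contoso.com role-instance groups documented in Tables 71, 73, 75, 78, 79 and 81 and then compares each group's live membership with the template, so that anyone added outside the documented assignment is visible. It assumes the ActiveDirectory module (Windows Server 2008 R2 or later, not the Windows Server 2003 tools the guide targets), placeholder OU names (Figures 19 and 20 define the real ones) and sAMAccountNames equal to the first names in the templates.

```powershell
# Added example: create the IT role-instance groups for the noam domain and
# verify their membership against the model creation templates.
Import-Module ActiveDirectory

$domainDn = 'DC=noam,DC=concorp,DC=contoso,DC=com'
$itOu     = "OU=IT,$domainDn"             # placeholder: Figure 19 defines the real OU
$rolesOu  = "OU=Role Instances,$itOu"     # placeholder container for the groups

# Instances transcribed from Tables 71, 73, 75, 78, 79 and 81 (noam domain only; the
# europe.concorp.contoso.com instances are created the same way). sAMAccountNames
# are assumed to equal the first names in the templates.
$roleInstances = @(
    @{ Name = 'IT NOAM Account Admins';         Role = 'Account Admins';     Members = 'Roderick', 'Francisco' }
    @{ Name = 'IT Chicago Workstation Admins';  Role = 'Workstation Admins'; Members = 'Larry', 'John' }
    @{ Name = 'IT New York Workstation Admins'; Role = 'Workstation Admins'; Members = 'Neil', 'Paulette' }
    @{ Name = 'IT Application Admins';          Role = 'Resource Admins';    Members = 'Karen', 'Luke' }
    @{ Name = 'IT Chicago Resource Admins';     Role = 'Resource Admins';    Members = 'Perry', 'Steve' }
    @{ Name = 'IT New York Resource Admins';    Role = 'Resource Admins';    Members = 'Jack', 'Erica' }
)

# Container for the role-instance groups; created once, protected from accidental deletion.
if (-not (Get-ADOrganizationalUnit -Filter "Name -eq 'Role Instances'" -SearchBase $itOu -SearchScope OneLevel)) {
    New-ADOrganizationalUnit -Name 'Role Instances' -Path $itOu -ProtectedFromAccidentalDeletion $true
}

foreach ($ri in $roleInstances) {
    # One global security group per role instance; the group is what later receives the
    # delegated permissions on the IT OUs, never the individual administrators.
    $group = Get-ADGroup -Filter "Name -eq '$($ri.Name)'" -SearchBase $rolesOu
    if (-not $group) {
        $group = New-ADGroup -Name $ri.Name -GroupScope Global -GroupCategory Security -Path $rolesOu `
                     -Description "Instance of the $($ri.Role) role (IT business unit)" -PassThru
    }
    Add-ADGroupMember -Identity $group -Members $ri.Members
}

# Drift check: compare the live membership of each group with the template. Unexpected
# lists members the data owner never documented; Missing lists documented administrators
# who are not (or no longer) in the group.
function Test-RoleInstanceMembership {
    param([hashtable]$RoleInstance)
    $actual = @(Get-ADGroupMember -Identity $RoleInstance.Name | Select-Object -ExpandProperty SamAccountName)
    [pscustomobject]@{
        RoleInstance = $RoleInstance.Name
        Unexpected   = @($actual | Where-Object { $_ -notin $RoleInstance.Members })
        Missing      = @($RoleInstance.Members | Where-Object { $_ -notin $actual })
    }
}

$roleInstances | ForEach-Object { Test-RoleInstanceMembership $_ } | Format-Table -AutoSize
```

Running only the drift check on a schedule gives data owners a simple review of whether the groups still match what they documented in the templates.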

Table 71 shows the model creation template that the data owners fill out to document the IT NOAM Account Admins role.

Table 71   Model Creation Template for IT NOAM Account Admins Role

Field                     Assignment Information
Role Instance Name        IT NOAM Account Admins
Instance of               Account Admins
Instance Number           1 of 2
Assigned Administrators   Roderick, Francisco
Assigned Tasks            Manage all aspects of acct mgmt for all IT accounts in North America
Security Group            Implementation
Permissions Assigned      Implementation
Notes                     Creation and implementation

Table 72 shows the model creation template that the data owners fill out to document the IT Europe Account Admins role.

Table 72   Model Creation Template for IT Europe Account Admins Role

Field                     Assignment Information
Role Instance Name        IT Europe Account Admins
Instance of               Account Admins
Instance Number           2 of 2
Assigned Administrators   Eric, Valerie
Assigned Tasks            Manage all aspects of acct mgmt for all IT accounts in Europe
Security Group            Implementation
Permissions Assigned      Implementation
Notes                     Creation and implementation

Table 73 shows the model creation template that the data owners fill out to document the IT Chicago Workstation Admins role.

Table 73   Model Creation Template for IT Chicago Workstation Admins Role

Field                     Assignment Information
Role Instance Name        IT Chicago Workstation Admins
Instance of               Workstation Admins
Instance Number           1 of 5
Assigned Administrators   Larry, John
Assigned Tasks            Manage all aspects of workstation mgmt for all IT business unit workstations in Chicago
Security Group            Implementation
Permissions Assigned      Implementation
Notes                     Creation and implementation

Table 74 shows the model creation template that the data owners fill out to document the IT London Workstation Admins role.

Table 74   Model Creation Template for IT London Workstation Admins Role

Field                     Assignment Information
Role Instance Name        IT London Workstation Admins
Instance of               Workstation Admins
Instance Number           2 of 5
Assigned Administrators   Roland, Jonathan
Assigned Tasks            Manage all aspects of workstation mgmt for all IT business unit workstations in London
Security Group            Implementation
Permissions Assigned      Implementation
Notes                     Creation and implementation

Table 75 shows the model creation template that the data owners fill out to document the IT New York Workstation Admins role.

Table 75   Model Creation Template for IT New York Workstation Admins Role

Field                     Assignment Information
Role Instance Name        IT New York Workstation Admins
Instance of               Workstation Admins
Instance Number           3 of 5
Assigned Administrators   Neil, Paulette
Assigned Tasks            Manage all aspects of workstation mgmt for all IT business unit workstations in New York
Security Group            Implementation
Permissions Assigned      Implementation
Notes                     Creation and implementation

Table 76 shows the model creation template that the data owners fill out to document the IT Paris Workstation Admins role.

Table 76   Model Creation Template for IT Paris Workstation Admins Role

Field                     Assignment Information
Role Instance Name        IT Paris Workstation Admins
Instance of               Workstation Admins
Instance Number           4 of 5
Assigned Administrators   Elliott, Marie
Assigned Tasks            Manage all aspects of workstation mgmt for all IT business unit workstations in Paris
Security Group            Implementation
Permissions Assigned      Implementation
Notes                     Creation and implementation

Table 77 shows the model creation template that the data owners fill out to document the IT Rome Workstation Admins role.

Table 77   Model Creation Template for IT Rome Workstation Admins Role

Field                     Assignment Information
Role Instance Name        IT Rome Workstation Admins
Instance of               Workstation Admins
Instance Number           5 of 5
Assigned Administrators   Paul, Eleonora
Assigned Tasks            Manage all aspects of workstation mgmt for all IT business unit workstations in Rome
Security Group            Implementation
Permissions Assigned      Implementation
Notes                     Creation and implementation

Table 78 shows the model creation template that the data owners fill out to document the IT Application Admins role.

Table 78   Model Creation Template for IT Application Admins Role

Field                     Assignment Information
Role Instance Name        IT Application Admins
Instance of               Resource Admins
Instance Number           1 of 6
Assigned Administrators   Karen, Luke
Assigned Tasks            Manage all aspects of all IT business unit applications
Security Group            Implementation
Permissions Assigned      Implementation
Notes                     Creation and implementation

Table 79 shows the model creation template that the data owners fill out to document the IT Chicago Resource Admins role.

Table 79   Model Creation Template for IT Chicago Resource Admins Role

Field                     Assignment Information
Role Instance Name        IT Chicago Resource Admins
Instance of               Resource Admins
Instance Number           2 of 6
Assigned Administrators   Perry, Steve
Assigned Tasks            Manage all aspects of other IT business unit resources in Chicago
Security Group            Implementation
Permissions Assigned      Implementation
Notes                     Creation and implementation

Table 80 shows the model creation template that the data owners fill out to document the IT London Resource Admins role.

Table 80   Model Creation Template for IT London Resource Admins Role

Field                     Assignment Information
Role Instance Name        IT London Resource Admins
Instance of               Resource Admins
Instance Number           3 of 6
Assigned Administrators   Jerry, Carol
Assigned Tasks            Manage all aspects of other IT business unit resources in London
Security Group            Implementation
Permissions Assigned      Implementation
Notes                     Creation and implementation

Table 81 shows the model creation template that the data owners fill out to document the IT New York Resource Admins role.

Table 81   Model Creation Template for IT New York Resource Admins Role

Field                     Assignment Information
Role Instance Name        IT New York Resource Admins
Instance of               Resource Admins
Instance Number           4 of 6
Assigned Administrators   Jack, Erica
Assigned Tasks            Manage all aspects of other IT business unit resources in New York
Security Group            Implementation
Permissions Assigned      Implementation
Notes                     Creation and implementation

Table 82 shows the model creation template that the data owners fill out to document the IT Paris Resource Admins role.

Table 82   Model Creation Template for IT Paris Resource Admins Role

Field                     Assignment Information
Role Instance Name        IT Paris Resource Admins
Instance of               Resource Admins
Instance Number           5 of 6
Assigned Administrators   Guy, Lise
Assigned Tasks            Manage all aspects of other IT business unit resources in Paris
Security Group            Implementation
Permissions Assigned      Implementation
Notes                     Creation and implementation

Table 83 shows the model creation template that the data owners fill out to document the IT Rome Resource Admins role.

Table 83   Model Creation Template for IT Rome Resource Admins Role

Field                     Assignment Information
Role Instance Name        IT Rome Resource Admins
Instance of               Resource Admins
Instance Number           6 of 6
Assigned Administrators   Enrico, Antonella
Assigned Tasks            Manage all aspects of other IT business unit resources in Rome
Security Group            Implementation
Permissions Assigned      Implementation
Notes                     Creation and implementation