Step 3 — Hand Off Data Management to Contoso Data Administrators
Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2
Before the data management administrative delegation model can be implemented, control over data needs to be transferred to data administrators. Conceptually, the service owner hands off ownership and responsibility of content management to data owners. From an implementation perspective, high-level service administrators, who represent the service owners, delegate full control of business unit content to data administrators, who represent data owners.
Service administrators perform the following tasks to hand off data management:
Create a Business Units OU in each domain, and one OU for every business unit within the Business Units OU in each domain.
Contoso has decided not to use the forest root domain for storing business accounts, but to store all business unit data in the NOAM and Europe regional domains.
Create a Delegation OU in each domain to store the security groups that represent the instances of Business Unit Admins roles.
Create security groups to represent the Business Unit Admins role instances.
Grant the security groups full control over the respective business unit OUs.
Optionally, grant these security groups the ability to modify their own group memberships.
Create user accounts for the Business Unit Admins role holders.
Add Business Unit Admins user accounts to the respective security groups that represent instances of this role.
Creating a Business Units OU Hierarchy in Each Domain
A member of Domain Configuration Operators in each domain creates one OU called Business Units in the respective domain. Below this OU, the administrator creates one OU for each business unit.
The following steps are performed by a member of NOAM Domain Config Ops and a member of Europe Domain Config Ops in their respective domains.
Create Business Units OU roots for each domain by creating the objects in Table 26.
Table 26 Business Units OUs for NOAM and Europe Domains

Object DN | Object Class |
---|---|
OU=Business Units,DC=noam,DC=concorp,DC=contoso,DC=com | organizationalUnit |
OU=Business Units,DC=europe,DC=concorp,DC=contoso,DC=com | organizationalUnit |
Create one OU for each business unit within the Business Units OU in each domain by creating the objects in Table 27.
Table 27 OUs for Each Business Unit in NOAM and Europe Domains

Object DN | Object Class |
---|---|
OU=RandD,OU=Business Units,DC=noam,DC=concorp,DC=contoso,DC=com | organizationalUnit |
OU=Production,OU=Business Units,DC=noam,DC=concorp,DC=contoso,DC=com | organizationalUnit |
OU=BusMgmt,OU=Business Units,DC=noam,DC=concorp,DC=contoso,DC=com | organizationalUnit |
OU=BusMgmt,OU=Business Units,DC=europe,DC=concorp,DC=contoso,DC=com | organizationalUnit |
OU=IT,OU=Business Units,DC=noam,DC=concorp,DC=contoso,DC=com | organizationalUnit |
OU=IT,OU=Business Units,DC=europe,DC=concorp,DC=contoso,DC=com | organizationalUnit |
Creating a Delegation OU in Each Domain
In each domain that will store business unit data, a member of the Domain Configuration Operators role for each domain (NOAM Domain Config Ops and Europe Domain Config Ops) creates one OU named Delegation within the Business Units OU for the domain. This OU is used to store the security groups that represent as many instances of the Business Unit Admins role as are needed (usually equal to the number of business units in the domain). It is also used to store any data management roles that need to be granted administrative authority across all business units.
To create the Delegation OUs, a Domain Configuration Operator for each domain creates the objects in Table 28.
Table 28 Delegation OUs for Each Domain in NOAM and Europe

Object DN | Object Class |
---|---|
OU=Delegation,OU=Business Units,DC=noam,DC=concorp,DC=contoso,DC=com | organizationalUnit |
OU=Delegation,OU=Business Units,DC=europe,DC=concorp,DC=contoso,DC=com | organizationalUnit |
Figure 13 shows the resulting domain and OU structures for NOAM and Europe.
Creating Security Groups to Represent the Business Unit Admins Role Instances
The Domain Configuration Operator next creates one security group to represent each instance of the Business Unit Admins role for each business unit in the respective domains.
Table 29 shows the group objects that the Domain Configuration Operators create in the Delegation OU within the Business Units OUs in the respective domains.
Table 29 Security Groups for the Business Unit Admins Role Instances in NOAM and Europe Domains

Object DN | Object Class |
---|---|
CN=RandD Bus Unit Admins,OU=Delegation,OU=Business Units,DC=noam,DC=concorp,DC=contoso,DC=com | Security group |
CN=Production Bus Unit Admins,OU=Delegation,OU=Business Units,DC=noam,DC=concorp,DC=contoso,DC=com | Security group |
CN=BusMgmt Bus Unit Admins,OU=Delegation,OU=Business Units,DC=noam,DC=concorp,DC=contoso,DC=com | Security group |
CN=BusMgmt Bus Unit Admins,OU=Delegation,OU=Business Units,DC=europe,DC=concorp,DC=contoso,DC=com | Security group |
CN=IT Bus Unit Admins,OU=Delegation,OU=Business Units,DC=noam,DC=concorp,DC=contoso,DC=com | Security group |
CN=IT Bus Unit Admins,OU=Delegation,OU=Business Units,DC=europe,DC=concorp,DC=contoso,DC=com | Security group |
Figure 14 shows the domain and OU structures for each domain, including the security groups within their respective Delegation OUs.
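The OU and group build-out described in this section and the two before it (Tables 26 through 29), scripted as an added example; this is not code from the original guide. It talks LDAP through System.DirectoryServices, so it runs from PowerShell 2.0 against Windows Server 2003 domain controllers without the ActiveDirectory module, and it is meant to be run by a member of NOAM Domain Config Ops and of Europe Domain Config Ops. The DNs are the ones from the tables; the DC names noam.concorp.contoso.com and europe.concorp.contoso.com, Global group scope, the sAMAccountName form and the helper function names are assumptions.

```powershell
# Added example, not part of the original guide. Builds the Business Units OU
# hierarchy, the Delegation OU and the Business Unit Admins security groups for
# both domains (Tables 26-29) over LDAP with System.DirectoryServices, which
# works against Windows Server 2003 DCs without the ActiveDirectory module.
# Assumptions: the DC names below, Global group scope, sAMAccountName = name
# without spaces. Re-running is safe: existing objects are left alone.

$plan = @(
    @{ Server = 'noam.concorp.contoso.com';   DomainDN = 'DC=noam,DC=concorp,DC=contoso,DC=com';   Units = @('RandD', 'Production', 'BusMgmt', 'IT') },
    @{ Server = 'europe.concorp.contoso.com'; DomainDN = 'DC=europe,DC=concorp,DC=contoso,DC=com'; Units = @('BusMgmt', 'IT') }
)

# Creates an OU under $ParentDN if it does not already exist; returns its DN.
function New-OUIfMissing {
    param([string]$Server, [string]$ParentDN, [string]$Name)
    $dn = "OU=$Name,$ParentDN"
    if (-not [ADSI]::Exists("LDAP://$Server/$dn")) {
        $parent = [ADSI]"LDAP://$Server/$ParentDN"
        $ou = $parent.Create('organizationalUnit', "OU=$Name")
        $ou.SetInfo()
        Write-Host "Created $dn"
    }
    return $dn
}

# Creates a global security group under $ParentDN if it does not already exist.
function New-SecurityGroupIfMissing {
    param([string]$Server, [string]$ParentDN, [string]$Name)
    $dn = "CN=$Name,$ParentDN"
    if (-not [ADSI]::Exists("LDAP://$Server/$dn")) {
        $parent = [ADSI]"LDAP://$Server/$ParentDN"
        $grp = $parent.Create('group', "CN=$Name")
        $grp.Put('sAMAccountName', ($Name -replace ' ', ''))
        # 0x80000002 = GLOBAL_GROUP | SECURITY_ENABLED, written as a signed int32
        $grp.Put('groupType', -2147483646)
        $grp.Put('description', 'Business Unit Admins role instance (data management)')
        $grp.SetInfo()
        Write-Host "Created $dn"
    }
    return $dn
}

foreach ($d in $plan) {
    $buRoot  = New-OUIfMissing -Server $d.Server -ParentDN $d.DomainDN -Name 'Business Units'
    $delegOU = New-OUIfMissing -Server $d.Server -ParentDN $buRoot -Name 'Delegation'
    foreach ($unit in $d.Units) {
        $null = New-OUIfMissing -Server $d.Server -ParentDN $buRoot -Name $unit
        $null = New-SecurityGroupIfMissing -Server $d.Server -ParentDN $delegOU -Name "$unit Bus Unit Admins"
    }
}

# Read the tree back so the result can be checked line by line against Tables 26-29.
foreach ($d in $plan) {
    $root = [ADSI]"LDAP://$($d.Server)/OU=Business Units,$($d.DomainDN)"
    $searcher = New-Object System.DirectoryServices.DirectorySearcher(
        $root, '(|(objectClass=organizationalUnit)(objectClass=group))')
    $searcher.FindAll() | ForEach-Object { $_.Properties['distinguishedname'][0] }
}
```

Creating the groups inside the Delegation OU rather than in the default Users container is what keeps them under the service owners' control: the Delegation OU is not covered by the Full Control grant made in the next section, so Business Unit Admins cannot alter the role groups themselves.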
Granting Business Unit Admins Full-Control Over Business Unit OUs
The Domain Configuration Operators for each domain grant each instance of the Business Unit Admins role full control over their respective business unit OUs in the domain. To do so, they modify the permissions on each business unit OU and grant the appropriate security group full control over the OU.
Table 30 shows the business unit OUs and the respective security groups that represent the Business Unit Admins role and receive Full Control permissions on the OU.
Table 30 OUs and Business Unit Admins Groups That Receive Full Control

OUs | Allow Full Control To |
---|---|
OU=RandD,OU=Business Units,DC=noam,DC=concorp,DC=contoso,DC=com | RandD Bus Unit Admins |
OU=Production,OU=Business Units,DC=noam,DC=concorp,DC=contoso,DC=com | Production Bus Unit Admins |
OU=BusMgmt,OU=Business Units,DC=noam,DC=concorp,DC=contoso,DC=com | BusMgmt Bus Unit Admins |
OU=IT,OU=Business Units,DC=noam,DC=concorp,DC=contoso,DC=com | IT Bus Unit Admins |
OU=BusMgmt,OU=Business Units,DC=europe,DC=concorp,DC=contoso,DC=com | BusMgmt Bus Unit Admins |
OU=IT,OU=Business Units,DC=europe,DC=concorp,DC=contoso,DC=com | IT Bus Unit Admins |
Granting the Ability to Modify Administrative Group Memberships
In some cases, the Domain Configuration Operators group might grant the security groups that represent the instances of the Business Unit Admins role permission to modify their own membership. The objective is to let Business Unit Admins control who holds the role without involving service administrators. Based on the administrative requirements of the Contoso organization, the service owners decide to grant this ability to the groups that represent instances of the Business Unit Admins role.
To enable group members to change the membership of their respective groups, a member of NOAM Domain Config Ops and a member of Europe Domain Config Ops grant each Business Unit Admins security group the Write Property permission on the member attribute of its own group object:
A member of the NOAM Domain Config Ops group grants each of the following security groups permission to modify the member attribute on the object that represents the respective security group:
RandD Bus Unit Admins
Production Bus Unit Admins
BusMgmt Bus Unit Admins
IT Bus Unit Admins
A member of the Europe Domain Config Ops group grants each of the following security groups permission to modify the member attribute on the object that represents the respective security group:
BusMgmt Bus Unit Admins
IT Bus Unit Admins
At this point, all of the Business Unit Admins roles have been enabled by creating the Business Unit Admins groups and granting them permissions to manage their respective OUs. To delegate the roles, the Domain Configuration Operators next create the user accounts that will perform each role and add them to the appropriate groups.
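The two ACL grants of this step, Full Control on each business unit OU (Table 30) and Write Property on the member attribute of each group's own object (the lists above), performed with System.DirectoryServices as an added example; this is not code from the original guide. It is meant to be run by a member of the respective Domain Config Ops group against Windows Server 2003 domain controllers. The rights and inheritance are as the text specifies; the DC names, the helper function names and the schema lookup used to obtain the schemaIDGUID of the member attribute are assumptions.

```powershell
# Added example, not part of the original guide. Applies the two grants of this
# step over LDAP with System.DirectoryServices (works against Windows Server 2003):
#   1. each Business Unit Admins group gets Full Control on its business unit OU,
#      inherited by the OU and all descendant objects (Table 30);
#   2. each group gets Write Property on the member attribute of its own group
#      object only, so role holders can manage their own membership.
# Assumptions: the DC names below and the helper names.

$domains = @(
    @{ Server = 'noam.concorp.contoso.com';   DomainDN = 'DC=noam,DC=concorp,DC=contoso,DC=com';   Units = @('RandD', 'Production', 'BusMgmt', 'IT') },
    @{ Server = 'europe.concorp.contoso.com'; DomainDN = 'DC=europe,DC=concorp,DC=contoso,DC=com'; Units = @('BusMgmt', 'IT') }
)

# Resolve a group's SID from its objectSid attribute.
function Get-GroupSid {
    param([string]$Server, [string]$GroupDN)
    $grp = [ADSI]"LDAP://$Server/$GroupDN"
    $raw = [byte[]]$grp.psbase.Properties['objectSid'][0]
    return New-Object System.Security.Principal.SecurityIdentifier($raw, 0)
}

# Look up an attribute's schemaIDGUID so the ACE is scoped to exactly that property.
function Get-AttributeGuid {
    param([string]$Server, [string]$LdapDisplayName)
    $rootDse = [ADSI]"LDAP://$Server/RootDSE"
    $schema  = [ADSI]"LDAP://$Server/$($rootDse.schemaNamingContext)"
    $s = New-Object System.DirectoryServices.DirectorySearcher(
        $schema, "(&(objectClass=attributeSchema)(lDAPDisplayName=$LdapDisplayName))")
    $null = $s.PropertiesToLoad.Add('schemaIDGUID')
    $bytes = [byte[]]$s.FindOne().Properties['schemaidguid'][0]
    return New-Object System.Guid -ArgumentList (,$bytes)
}

# Append an ACE to an object's DACL and commit it.
function Add-Ace {
    param([string]$Server, [string]$ObjectDN, [System.DirectoryServices.ActiveDirectoryAccessRule]$Rule)
    $obj = [ADSI]"LDAP://$Server/$ObjectDN"
    $obj.psbase.ObjectSecurity.AddAccessRule($Rule)
    $obj.psbase.CommitChanges()
}

# The schema is forest-wide, so one lookup serves both domains.
$memberGuid = Get-AttributeGuid -Server $domains[0].Server -LdapDisplayName 'member'

foreach ($d in $domains) {
    foreach ($unit in $d.Units) {
        $ouDN    = "OU=$unit,OU=Business Units,$($d.DomainDN)"
        $groupDN = "CN=$unit Bus Unit Admins,OU=Delegation,OU=Business Units,$($d.DomainDN)"
        $sid     = Get-GroupSid -Server $d.Server -GroupDN $groupDN

        # 1. Full Control on the OU: this object and all descendant objects.
        $full = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
            $sid, [System.DirectoryServices.ActiveDirectoryRights]::GenericAll,
            [System.Security.AccessControl.AccessControlType]::Allow,
            [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All)
        Add-Ace -Server $d.Server -ObjectDN $ouDN -Rule $full

        # 2. Write Property on 'member' of the group's own object (no inheritance).
        $self = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
            $sid, [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty,
            [System.Security.AccessControl.AccessControlType]::Allow,
            $memberGuid,
            [System.DirectoryServices.ActiveDirectorySecurityInheritance]::None)
        Add-Ace -Server $d.Server -ObjectDN $groupDN -Rule $self
    }
}

# Read back: the explicit ACEs each group now holds on its OU and on its own object.
foreach ($d in $domains) {
    foreach ($unit in $d.Units) {
        foreach ($dn in @("OU=$unit,OU=Business Units,$($d.DomainDN)",
                          "CN=$unit Bus Unit Admins,OU=Delegation,OU=Business Units,$($d.DomainDN)")) {
            $obj = [ADSI]"LDAP://$($d.Server)/$dn"
            $obj.psbase.ObjectSecurity.GetAccessRules($true, $false, [System.Security.Principal.NTAccount]) |
                Where-Object { $_.IdentityReference -like "*\$unit Bus Unit Admins" } |
                Select-Object @{n='Object';e={$dn}}, IdentityReference, ActiveDirectoryRights, ObjectType, InheritanceType
        }
    }
}
```

Two consequences of these grants are worth keeping in view. Full Control (GenericAll) includes Modify Permissions and Modify Owner, so a Business Unit Admins group can re-delegate anything beneath its OU; that is the point of the handoff, but it means the service owners no longer govern the ACLs below these OUs, and objects with adminCount set to 1 (members of the protected administrative groups) will have their ACLs reset by AdminSDHolder regardless of what is inherited from the OU. The self-membership grant makes each role group self-administering, so compromise of one role holder's account is enough to add further principals to the role; on Windows Server 2003 domain controllers, membership additions to a security-enabled global group are logged as event ID 632 in the Security log and are worth alerting on for these groups.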
Creating User Accounts for Business Unit Admins Groups
Data owners for each business group have communicated the identities of the users who will serve as the Business Unit Admins to the Domain Configuration Operators. The Domain Configuration Operators create these user accounts in the respective business unit OUs, as shown in Table 31.
Table 31 Business Unit Administrator Accounts

Business Unit/Domain | Business Unit Admins Role Assignments |
---|---|
RandD/NOAM | John, Chris |
Production/NOAM | Mary, Joe |
BusMgmt/NOAM | Sally |
IT/NOAM | Kevin |
BusMgmt/Europe | Frank |
IT/Europe | Anna |
Accordingly, the Domain Configuration Operators, on behalf of the service owners, create the following user objects:
CN=John,OU=RandD,OU=Business Units,DC=noam,DC=concorp,DC=contoso,DC=com
CN=Chris,OU=RandD,OU=Business Units,DC=noam,DC=concorp,DC=contoso,DC=com
CN=Mary,OU=Production,OU=Business Units,DC=noam,DC=concorp,DC=contoso,DC=com
CN=Joe,OU=Production,OU=Business Units,DC=noam,DC=concorp,DC=contoso,DC=com
CN=Sally,OU=BusMgmt,OU=Business Units,DC=noam,DC=concorp,DC=contoso,DC=com
CN=Frank,OU=BusMgmt,OU=Business Units,DC=europe,DC=concorp,DC=contoso,DC=com
CN=Kevin,OU=IT,OU=Business Units,DC=noam,DC=concorp,DC=contoso,DC=com
CN=Anna,OU=IT,OU=Business Units,DC=europe,DC=concorp,DC=contoso,DC=com
Note that the BusMgmt and IT business units exist in both domains, so their Business Unit Admins accounts are created in each domain that holds that business unit's OU (Sally and Kevin in NOAM, Frank and Anna in Europe).
Adding Business Unit Admins User Accounts to Administrative Security Groups
To actually delegate the Business Unit Admins role and to complete the data management handoff, the Domain Configuration Operators add the users whose accounts they have created to the security groups that represent the respective Business Unit Admins roles.
Table 32 shows the resulting Business Unit Admins group memberships. At this point, the data management handoff is complete. All Business Unit Admins have full control over their business unit OUs.
Table 32 Business Unit Admin Role Security Groups and Added Members

Group for Business Unit Admins Role | User Accounts | Business Unit OU | Domain |
---|---|---|---|
RandD Bus Unit Admins | John, Chris | RandD | NOAM |
Production Bus Unit Admins | Mary, Joe | Production | NOAM |
BusMgmt Bus Unit Admins | Sally | BusMgmt | NOAM |
IT Bus Unit Admins | Kevin | IT | NOAM |
BusMgmt Bus Unit Admins | Frank | BusMgmt | Europe |
IT Bus Unit Admins | Anna | IT | Europe |
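The account creation and group population of the last two sections (Tables 31 and 32), scripted with System.DirectoryServices as an added example; this is not code from the original guide. It is meant to be run by a member of the respective Domain Config Ops group against Windows Server 2003 domain controllers. The account names, OUs and groups are the ones in the tables; the DC names, sAMAccountName equal to the CN, the UPN form, the helper names and the initial-password handling (a random value the user must change at first logon) are assumptions, since the guide does not specify how the new accounts are provisioned.

```powershell
# Added example, not part of the original guide. Creates the Business Unit Admins
# user accounts from Table 31 in their business unit OUs, adds them to the matching
# role groups (Table 32) and reads the memberships back. Uses System.DirectoryServices
# over LDAP, so it works against Windows Server 2003 DCs without the AD module.
# Assumptions: DC names, sAMAccountName = CN, UPN = CN@domain, and the initial
# password handling (random, must change at next logon). Re-running is safe.

$assignments = @(
    @{ Server = 'noam.concorp.contoso.com';   DomainDN = 'DC=noam,DC=concorp,DC=contoso,DC=com';   Unit = 'RandD';      Users = @('John', 'Chris') },
    @{ Server = 'noam.concorp.contoso.com';   DomainDN = 'DC=noam,DC=concorp,DC=contoso,DC=com';   Unit = 'Production'; Users = @('Mary', 'Joe') },
    @{ Server = 'noam.concorp.contoso.com';   DomainDN = 'DC=noam,DC=concorp,DC=contoso,DC=com';   Unit = 'BusMgmt';    Users = @('Sally') },
    @{ Server = 'noam.concorp.contoso.com';   DomainDN = 'DC=noam,DC=concorp,DC=contoso,DC=com';   Unit = 'IT';         Users = @('Kevin') },
    @{ Server = 'europe.concorp.contoso.com'; DomainDN = 'DC=europe,DC=concorp,DC=contoso,DC=com'; Unit = 'BusMgmt';    Users = @('Frank') },
    @{ Server = 'europe.concorp.contoso.com'; DomainDN = 'DC=europe,DC=concorp,DC=contoso,DC=com'; Unit = 'IT';         Users = @('Anna') }
)

# 24 random bytes, base64-encoded: 32 characters of mixed case plus digits, so it
# satisfies the default complexity policy. Never reused; the user replaces it at logon.
function New-InitialPassword {
    $bytes = New-Object byte[] 24
    $rng = New-Object System.Security.Cryptography.RNGCryptoServiceProvider
    $rng.GetBytes($bytes)
    return [Convert]::ToBase64String($bytes)
}

# Creates a user in $OuDN if it does not exist. Objects created over LDAP start
# disabled; the account is enabled only after a password has been set.
function New-AdminUserIfMissing {
    param([string]$Server, [string]$OuDN, [string]$Name)
    $dn = "CN=$Name,$OuDN"
    if (-not [ADSI]::Exists("LDAP://$Server/$dn")) {
        $ou   = [ADSI]"LDAP://$Server/$OuDN"
        $user = $ou.Create('user', "CN=$Name")
        $user.Put('sAMAccountName', $Name)
        $user.Put('userPrincipalName', "$Name@$Server")
        $user.SetInfo()
        $user.SetPassword((New-InitialPassword))
        $user.Put('pwdLastSet', 0)            # force password change at next logon
        $user.Put('userAccountControl', 512)  # NORMAL_ACCOUNT, enabled
        $user.SetInfo()
        Write-Host "Created $dn"
    }
    return $dn
}

# Adds a member to a group by ADsPath unless it is already a member.
function Add-GroupMember {
    param([string]$Server, [string]$GroupDN, [string]$MemberDN)
    $grp = [ADSI]"LDAP://$Server/$GroupDN"
    if (-not $grp.IsMember("LDAP://$Server/$MemberDN")) {
        $grp.Add("LDAP://$Server/$MemberDN")
        Write-Host "Added $MemberDN to $GroupDN"
    }
}

foreach ($a in $assignments) {
    $ouDN    = "OU=$($a.Unit),OU=Business Units,$($a.DomainDN)"
    $groupDN = "CN=$($a.Unit) Bus Unit Admins,OU=Delegation,OU=Business Units,$($a.DomainDN)"
    foreach ($name in $a.Users) {
        $userDN = New-AdminUserIfMissing -Server $a.Server -OuDN $ouDN -Name $name
        Add-GroupMember -Server $a.Server -GroupDN $groupDN -MemberDN $userDN
    }
}

# Read back the resulting memberships for comparison with Table 32.
foreach ($a in $assignments) {
    $groupDN = "CN=$($a.Unit) Bus Unit Admins,OU=Delegation,OU=Business Units,$($a.DomainDN)"
    $grp = [ADSI]"LDAP://$($a.Server)/$groupDN"
    '{0}: {1}' -f $groupDN, (@($grp.member) -join '; ')
}
```

The accounts are created inside the business unit OUs, where the Full Control grant from the previous step already applies, so from this point on the Business Unit Admins can reset each other's passwords and manage these accounts themselves; only the role groups in the Delegation OU, and the Delegation OU's ACL, remain with the service owners.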