Step 3 — Hand Off Data Management to Contoso Data Administrators

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2

Before the data management administrative delegation model can be implemented, control over data needs to be transferred to data administrators. Conceptually, the service owner hands off ownership and responsibility of content management to data owners. From an implementation perspective, high-level service administrators, who represent the service owners, delegate full control of business unit content to data administrators, who represent data owners.

Service administrators perform the following tasks to hand off data management:

  1. Create a Business Units OU in each domain, and one OU for every business unit within the Business Units OU in each domain.

    Contoso has decided not to use the forest root domain for storing business accounts, but to store all business unit data in the NOAM and Europe regional domains.

  2. Create a Delegation OU in each domain to store the security groups that represent the instances of Business Unit Admins roles.

  3. Create security groups to represent the Business Unit Admins role instances.

  4. Grant the security groups full control over the respective business unit OUs.

  5. Optionally, grant these security groups the ability to modify their own group memberships.

  6. Create user accounts for the Business Unit Admins role holders.

  7. Add Business Unit Admins user accounts to the respective security groups that represent instances of this role.

Creating a Business Units OU Hierarchy in Each Domain

A member of Domain Configuration Operators in each domain creates one OU called Business Units in the respective domain. Below this OU, the administrator creates one OU for each business unit.

The following steps are performed by a member of NOAM Domain Config Ops and a member of Europe Domain Config Ops, each in their respective domain.

  1. Create Business Units OU roots for each domain by creating the objects in Table 26.

    Table 26   Business Units OUs for NOAM and Europe Domains

    Object DN                                                  Object Class
    OU=Business Units,DC=noam,DC=concorp,DC=contoso,DC=com     organizationalUnit
    OU=Business Units,DC=europe,DC=concorp,DC=contoso,DC=com   organizationalUnit

  2. Create one OU for each business unit within the Business Units OU in each domain by creating the objects in Table 27.

    Table 27   OUs for Each Business Unit in NOAM and Europe Domains

    Object DN                                                              Object Class
    OU=RandD,OU=Business Units,DC=noam,DC=concorp,DC=contoso,DC=com        organizationalUnit
    OU=Production,OU=Business Units,DC=noam,DC=concorp,DC=contoso,DC=com   organizationalUnit
    OU=BusMgmt,OU=Business Units,DC=noam,DC=concorp,DC=contoso,DC=com      organizationalUnit
    OU=BusMgmt,OU=Business Units,DC=europe,DC=concorp,DC=contoso,DC=com    organizationalUnit
    OU=IT,OU=Business Units,DC=noam,DC=concorp,DC=contoso,DC=com           organizationalUnit
    OU=IT,OU=Business Units,DC=europe,DC=concorp,DC=contoso,DC=com         organizationalUnit

Creating a Delegation OU in Each Domain

In each domain that will store business unit data, a member of the Domain Configuration Operators role for each domain (NOAM Domain Config Ops and Europe Domain Config Ops) creates one OU named Delegation within the Business Units OU for the domain. This OU is used to store the security groups that represent as many instances of the Business Unit Admins role as are needed (usually equal to the number of business units in the domain). It is also used to store any data management roles that need to be granted administrative authority across all business units.

To create the Delegation OUs, a Domain Configuration Operator for each domain creates the objects in Table 28.

Table 28   Delegation OUs for Each Domain in NOAM and Europe

Object DN                                                                Object Class
OU=Delegation,OU=Business Units,DC=noam,DC=concorp,DC=contoso,DC=com     organizationalUnit
OU=Delegation,OU=Business Units,DC=europe,DC=concorp,DC=contoso,DC=com   organizationalUnit
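The OU creation in Tables 26 through 28, written out as an added PowerShell example; this is not code from the guide. It assumes the ActiveDirectory PowerShell module on the administration host (the module needs the Active Directory Management Gateway Service on Windows Server 2003 domain controllers; the era-native alternative is dsadd ou), DNS domain names derived from the DNs (noam.concorp.contoso.com and europe.concorp.contoso.com), and that the caller is a member of the Domain Config Ops group for the domain being changed.

```powershell
# Added example; not part of the Microsoft guide. Assumes the ActiveDirectory PowerShell
# module and that the caller holds the Domain Configuration Operators rights described above.
Import-Module ActiveDirectory

# Tables 26 and 27: business units stored per domain. The Delegation OU (Table 28) is
# added in every domain that stores business unit data.
$businessUnits = @{
    'noam'   = @('RandD', 'Production', 'BusMgmt', 'IT')
    'europe' = @('BusMgmt', 'IT')
}

function New-BusinessUnitHierarchy {
    param([string]$Domain, [string[]]$Units)

    $server   = "$Domain.concorp.contoso.com"      # assumed DNS name, derived from the DN
    $domainDN = "DC=$Domain,DC=concorp,DC=contoso,DC=com"
    $rootDN   = "OU=Business Units,$domainDN"

    # Table 26: the Business Units root. Create it only if it does not already exist.
    if (-not (Get-ADOrganizationalUnit -Server $server -LDAPFilter '(ou=Business Units)' `
                  -SearchBase $domainDN -SearchScope OneLevel)) {
        New-ADOrganizationalUnit -Server $server -Name 'Business Units' -Path $domainDN
    }

    # Tables 27 and 28: one OU per business unit, plus Delegation for the role groups.
    foreach ($name in ($Units + 'Delegation')) {
        $existing = Get-ADOrganizationalUnit -Server $server -LDAPFilter "(ou=$name)" `
                        -SearchBase $rootDN -SearchScope OneLevel
        if ($existing) { continue }
        New-ADOrganizationalUnit -Server $server -Name $name -Path $rootDN
    }

    # Read the tree back so it can be compared with Figure 13.
    Get-ADOrganizationalUnit -Server $server -SearchBase $rootDN -Filter * |
        Select-Object -ExpandProperty DistinguishedName
}

foreach ($domain in $businessUnits.Keys) {
    New-BusinessUnitHierarchy -Domain $domain -Units $businessUnits[$domain]
}
```

The existence checks make the script safe to rerun in either domain: an OU that is already present is left alone rather than failing the run or being duplicated, and the listing at the end is what to compare against Figure 13 before moving on to the security groups.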

Figure 13 shows the resulting domain and OU structures for NOAM and Europe.


Creating Security Groups to Represent the Business Unit Admins Role Instances

The Domain Configuration Operator next creates one security group to represent each instance of the Business Unit Admins role for each business unit in the respective domains.

Table 29 shows the group objects that the Domain Configuration Operators create in the Delegation OU within the Business Units OUs in the respective domains.

Table 29   Security Groups for Business Unit Admins Role Instances in NOAM and Europe Domains

Object DN                                                                                             Object Class
CN=RandD Bus Unit Admins,OU=Delegation,OU=Business Units,DC=noam,DC=concorp,DC=contoso,DC=com         Security group
CN=Production Bus Unit Admins,OU=Delegation,OU=Business Units,DC=noam,DC=concorp,DC=contoso,DC=com    Security group
CN=BusMgmt Bus Unit Admins,OU=Delegation,OU=Business Units,DC=noam,DC=concorp,DC=contoso,DC=com       Security group
CN=BusMgmt Bus Unit Admins,OU=Delegation,OU=Business Units,DC=europe,DC=concorp,DC=contoso,DC=com     Security group
CN=IT Bus Unit Admins,OU=Delegation,OU=Business Units,DC=noam,DC=concorp,DC=contoso,DC=com            Security group
CN=IT Bus Unit Admins,OU=Delegation,OU=Business Units,DC=europe,DC=concorp,DC=contoso,DC=com          Security group

Figure 14 shows the domain and OU structures for each domain, including the security groups within their respective Delegation OUs.


Granting Business Unit Admins Full Control Over Business Unit OUs

The Domain Configuration Operators for each domain grant each instance of the Business Unit Admins role full control over their respective business unit OUs in the domain. To do so, they modify the permissions on each business unit OU and grant the appropriate security group full control over the OU.

Table 30 shows the business unit OUs and the respective security groups that represent the Business Unit Admins role and receive Full Control permissions on the OU.

Table 30   OUs and Business Unit Admins Groups That Receive Full Control

OUs                                                                    Allow Full Control To
OU=RandD,OU=Business Units,DC=noam,DC=concorp,DC=contoso,DC=com        RandD Bus Unit Admins
OU=Production,OU=Business Units,DC=noam,DC=concorp,DC=contoso,DC=com   Production Bus Unit Admins
OU=BusMgmt,OU=Business Units,DC=noam,DC=concorp,DC=contoso,DC=com      BusMgmt Bus Unit Admins
OU=IT,OU=Business Units,DC=noam,DC=concorp,DC=contoso,DC=com           IT Bus Unit Admins
OU=BusMgmt,OU=Business Units,DC=europe,DC=concorp,DC=contoso,DC=com    BusMgmt Bus Unit Admins
OU=IT,OU=Business Units,DC=europe,DC=concorp,DC=contoso,DC=com         IT Bus Unit Admins
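The group creation from Table 29 and the Full Control grant from Table 30, as one added PowerShell example; it is not the guide's own code. It assumes the ActiveDirectory module for the group objects and the System.DirectoryServices classes for the OU's security descriptor, the DNS domain names derived from the DNs, and a Global group scope, which the page does not state. The read-back at the end is the check a Domain Config Ops member would run before handing the OU over.

```powershell
# Added example; not part of the Microsoft guide. Group scope is an assumption.
Import-Module ActiveDirectory

# One row per (domain, business unit) pair in Tables 29 and 30.
$assignments = @(
    @{ Domain = 'noam';   BusinessUnit = 'RandD' }
    @{ Domain = 'noam';   BusinessUnit = 'Production' }
    @{ Domain = 'noam';   BusinessUnit = 'BusMgmt' }
    @{ Domain = 'noam';   BusinessUnit = 'IT' }
    @{ Domain = 'europe'; BusinessUnit = 'BusMgmt' }
    @{ Domain = 'europe'; BusinessUnit = 'IT' }
)

foreach ($a in $assignments) {
    $server    = "$($a.Domain).concorp.contoso.com"       # assumed DNS name, derived from the DN
    $domainDN  = "DC=$($a.Domain),DC=concorp,DC=contoso,DC=com"
    $groupName = "$($a.BusinessUnit) Bus Unit Admins"     # names as given in Table 29
    $groupPath = "OU=Delegation,OU=Business Units,$domainDN"
    $ouDN      = "OU=$($a.BusinessUnit),OU=Business Units,$domainDN"

    # Table 29: one security group per role instance, stored in the Delegation OU.
    $group = Get-ADGroup -Server $server -Filter "Name -eq '$groupName'" -SearchBase $groupPath
    if (-not $group) {
        $group = New-ADGroup -Server $server -Name $groupName -GroupCategory Security `
                     -GroupScope Global -Path $groupPath -PassThru
    }

    # Table 30: Full Control (GenericAll) on the business unit OU, inherited by every
    # object and container below it, granted to the group's SID rather than its name.
    $ou  = [ADSI]"LDAP://$server/$ouDN"
    $ace = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
               $group.SID,
               [System.DirectoryServices.ActiveDirectoryRights]::GenericAll,
               [System.Security.AccessControl.AccessControlType]::Allow,
               [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All)
    $ou.psbase.ObjectSecurity.AddAccessRule($ace)
    $ou.psbase.CommitChanges()

    # Read-back check: list the explicit ACEs on the OU that name this group, so the
    # operator can confirm exactly one GenericAll entry with inheritance All exists.
    $ou.psbase.RefreshCache()
    $ou.psbase.ObjectSecurity.GetAccessRules($true, $false, [System.Security.Principal.SecurityIdentifier]) |
        Where-Object { $_.IdentityReference -eq $group.SID } |
        Select-Object @{ n = 'OU'; e = { $ouDN } }, IdentityReference, ActiveDirectoryRights, InheritanceType
}
```

Granting to the SID rather than resolving a name at ACE time matters because the group object was created moments earlier in the same script; the SID comes straight from the New-ADGroup result, so there is no dependency on replication or name lookup between the two steps.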

Granting the Ability to Modify Administrative Group Memberships

In some cases, the Domain Configuration Operators group might grant security groups that represent the various role instances of the Business Unit Admins role sufficient permissions to modify the membership of these groups. The objective is to allow Business Unit Admins the ability to control their own group membership. Based on the administrative requirements of the Contoso organization, the service owners decide to grant this ability to the groups that represent instances of the Business Unit Admins role.

To enable group members to change the membership of their respective groups, a member of NOAM Domain Config Ops or Europe Domain Config Ops grants each Business Unit Admins security group the Write Property permission on the Member attribute of its own group object:

  • A member of the NOAM Domain Config Ops group grants each of the following security groups permission to modify the Member attribute on the object that represents the respective security group:

    • RandD Bus Unit Admins

    • Production Bus Unit Admins

    • BusMgmt Bus Unit Admins

    • IT Bus Unit Admins

  • A member of the Europe Domain Config Ops group grants each of the following security groups permission to modify the Member attribute on the object that represents the respective security group:

    • BusMgmt Bus Unit Admins

    • IT Bus Unit Admins
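The self-membership grant described in the two bullets above, as an added PowerShell example that is not the guide's own code. It assumes the ActiveDirectory module, the group names from Table 29 and the DNS domain names derived from the DNs. Rather than hard-coding the schemaIDGUID of the member attribute, it reads it from the forest schema, so the resulting ACE is scoped to that single attribute on the group's own object and nothing wider.

```powershell
# Added example; not part of the Microsoft guide.
Import-Module ActiveDirectory

# The groups named in the two bullets above (Table 29 names), one entry per domain.
$groups = @(
    @{ Domain = 'noam';   Name = 'RandD Bus Unit Admins' }
    @{ Domain = 'noam';   Name = 'Production Bus Unit Admins' }
    @{ Domain = 'noam';   Name = 'BusMgmt Bus Unit Admins' }
    @{ Domain = 'noam';   Name = 'IT Bus Unit Admins' }
    @{ Domain = 'europe'; Name = 'BusMgmt Bus Unit Admins' }
    @{ Domain = 'europe'; Name = 'IT Bus Unit Admins' }
)

foreach ($g in $groups) {
    $server = "$($g.Domain).concorp.contoso.com"      # assumed DNS name, derived from the DN

    # Look up the schemaIDGUID of the 'member' attribute in this forest's schema. The
    # attribute-specific ACE below is keyed on this GUID, not on the attribute name.
    $schemaNC   = (Get-ADRootDSE -Server $server).schemaNamingContext
    $memberGuid = [guid](Get-ADObject -Server $server -SearchBase $schemaNC `
                          -LDAPFilter '(lDAPDisplayName=member)' -Properties schemaIDGUID).schemaIDGUID

    $group = Get-ADGroup -Server $server -Identity $g.Name
    $entry = [ADSI]"LDAP://$server/$($group.DistinguishedName)"

    # Allow the group itself (its SID) to write the 'member' property of its own object.
    # No inheritance flags: the ACE applies to this one object only.
    $ace = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
               $group.SID,
               [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty,
               [System.Security.AccessControl.AccessControlType]::Allow,
               $memberGuid)
    $entry.psbase.ObjectSecurity.AddAccessRule($ace)
    $entry.psbase.CommitChanges()

    # Read-back check: every explicit ACE on this group object that can write 'member'.
    # Any identity other than the group itself showing up here is worth a second look.
    $entry.psbase.RefreshCache()
    $writeProp = [int][System.DirectoryServices.ActiveDirectoryRights]::WriteProperty
    $entry.psbase.ObjectSecurity.GetAccessRules($true, $false, [System.Security.Principal.SecurityIdentifier]) |
        Where-Object { $_.ObjectType -eq $memberGuid -and (([int]$_.ActiveDirectoryRights -band $writeProp) -ne 0) } |
        Select-Object @{ n = 'Group'; e = { $g.Name } }, IdentityReference, ActiveDirectoryRights, ObjectType
}
```

Once this ACE exists, any member of a Business Unit Admins group can add further members without involving the Domain Configuration Operators, which is the intent on this page but also means membership changes on these six groups are no longer gated by the service owners; reviewing them periodically, as the read-back loop does for the permissions, is the natural complement.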

At this point, all of the Business Unit Admins roles have been enabled by creating the Business Unit Admins groups and granting them permissions to manage their respective OUs. To delegate the roles, the Domain Configuration Operators next create the user accounts that will perform each role and add them to the appropriate groups.

Creating User Accounts for Business Unit Admins Groups

Data owners for each business group have communicated the identities of the users who will serve as the Business Unit Admins to the Domain Configuration Operators. The Domain Configuration Operators create these user accounts in the respective business unit OUs, as shown in Table 31.

Table 31   Business Unit Administrator Accounts

Business Unit/Domain   Business Unit Admins Role Assignments
RandD/NOAM             John, Chris
Production/NOAM        Mary, Joe
Bus Mgmt/NOAM          Sally
IT/NOAM                Kevin
Bus Mgmt/Europe        Frank
IT/Europe              Anna

Accordingly, the Domain Config Operators, on behalf of the service owners, create the following user objects:

  • CN=John,OU=RandD,OU=Business Units,DC=noam,DC=concorp,DC=contoso,DC=com

  • CN=Chris,OU=RandD,OU=Business Units,DC=noam,DC=concorp,DC=contoso,DC=com

  • CN=Mary,OU=Production,OU=Business Units,DC=noam,DC=concorp,DC=contoso,DC=com

  • CN=Joe,OU=Production,OU=Business Units,DC=noam,DC=concorp,DC=contoso,DC=com

  • CN=Sally,OU=BusMgmt,OU=Business Units,DC=noam,DC=concorp,DC=contoso,DC=com

  • CN=Frank,OU=BusMgmt,OU=Business Units,DC=europe,DC=concorp,DC=contoso,DC=com

  • CN=Kevin,OU=IT,OU=Business Units,DC=noam,DC=concorp,DC=contoso,DC=com

  • CN=Anna,OU=IT,OU=Business Units,DC=europe,DC=concorp,DC=contoso,DC=com

Note that user accounts for Business Unit Admins of the BusMgmt and IT business units are created in different domains in order to spread them across all domains that have the same business unit.

Adding Business Unit Admins User Accounts to Administrative Security Groups

To actually delegate the Business Unit Admins role and to complete the data management handoff, the Domain Configuration Operators add the users whose accounts they have created to the security groups that represent the respective Business Unit Admins roles.

Table 32 shows the resulting Business Unit Admins group memberships. At this point, the data management handoff is complete. All Business Unit Admins have full control over their business unit OUs.

Table 32   Business Unit Admin Role Security Groups and Added Members

Group for Business Unit Admins Role   User Accounts   Business Unit OU   Domain
RandD Bus Unit Admins                 John, Chris     RandD              NOAM
Production Bus Unit Admins            Mary, Joe       Production         NOAM
BusMgmt Bus Unit Admins               Frank           BusMgmt            NOAM
IT Bus Unit Admins                    Kevin           IT                 NOAM
BusMgmt Bus Unit Admins               Sally           BusMgmt            Europe
IT Bus Unit Admins                    Anna            IT                 Europe
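The account creation from Table 31 and the user DN list, followed by the group additions that complete the handoff, as one added PowerShell example; it is not the guide's own code. It assumes the ActiveDirectory module, the group names from Table 29, the DNS domain names derived from the DNs, and that each account's first password is entered interactively. The final loop is the membership check a Domain Config Ops member would run after the handoff: it reports any member of a Business Unit Admins group that the role assignments do not account for.

```powershell
# Added example; not part of the Microsoft guide.
Import-Module ActiveDirectory

# Table 31 and the user DN list: who administers which business unit in which domain.
$roleHolders = @(
    @{ Name = 'John';  BusinessUnit = 'RandD';      Domain = 'noam' }
    @{ Name = 'Chris'; BusinessUnit = 'RandD';      Domain = 'noam' }
    @{ Name = 'Mary';  BusinessUnit = 'Production'; Domain = 'noam' }
    @{ Name = 'Joe';   BusinessUnit = 'Production'; Domain = 'noam' }
    @{ Name = 'Sally'; BusinessUnit = 'BusMgmt';    Domain = 'noam' }
    @{ Name = 'Kevin'; BusinessUnit = 'IT';         Domain = 'noam' }
    @{ Name = 'Frank'; BusinessUnit = 'BusMgmt';    Domain = 'europe' }
    @{ Name = 'Anna';  BusinessUnit = 'IT';         Domain = 'europe' }
)

foreach ($h in $roleHolders) {
    $server   = "$($h.Domain).concorp.contoso.com"     # assumed DNS name, derived from the DN
    $domainDN = "DC=$($h.Domain),DC=concorp,DC=contoso,DC=com"
    $ouDN     = "OU=$($h.BusinessUnit),OU=Business Units,$domainDN"
    $group    = "$($h.BusinessUnit) Bus Unit Admins"     # Table 29 name

    # Create the account inside its own business unit OU (matching the DN list above).
    $user = Get-ADUser -Server $server -Filter "Name -eq '$($h.Name)'" -SearchBase $ouDN
    if (-not $user) {
        $user = New-ADUser -Server $server -Name $h.Name -SamAccountName $h.Name -Path $ouDN `
                    -AccountPassword (Read-Host -AsSecureString -Prompt "Initial password for $($h.Name)") `
                    -ChangePasswordAtLogon $true -Enabled $true -PassThru
    }

    # Delegate the role: membership in the group is what carries the OU permissions.
    Add-ADGroupMember -Server $server -Identity $group -Members $user
}

# Read-back check: compare actual group membership with the role assignments and flag
# anyone present in a Business Unit Admins group who is not on the list.
$expected = @{}
foreach ($h in $roleHolders) {
    $key = "$($h.Domain)|$($h.BusinessUnit)"
    if (-not $expected.ContainsKey($key)) { $expected[$key] = @() }
    $expected[$key] += $h.Name
}

foreach ($key in $expected.Keys) {
    $domain, $bu = $key.Split('|')
    $server = "$domain.concorp.contoso.com"
    $actual = Get-ADGroupMember -Server $server -Identity "$bu Bus Unit Admins" |
                  Select-Object -ExpandProperty SamAccountName
    $extra  = $actual | Where-Object { $_ -notin $expected[$key] }
    if ($extra) {
        Write-Warning "$bu Bus Unit Admins ($domain): members not in the role assignments: $($extra -join ', ')"
    } else {
        Write-Output "$bu Bus Unit Admins ($domain): membership matches the role assignments"
    }
}
```

Because the Business Unit Admins groups can manage their own membership from this point on, the comparison loop is worth keeping as a standalone script and rerunning on a schedule: the list of role holders is the service owners' record of who was delegated, and the loop turns it into a check that no additional principals have been added since.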