Step 5 – Implement the Contoso Data Management Administrative Delegation Model
Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2
At this point, one OU exists for every business unit and the Business Unit Admins role for each Business Unit has been delegated Full Control over its respective business unit OU.
Each business unit administrator implements the model for the respective OU according to the following criteria:
Stakeholders: Business Unit Admins from all Business Units
Objective: Implement each role instance according to the delegation model design document
Assumption: The three domains are installed and functioning
Approach: Implement the roles defined in the data management delegation model by performing the following steps:
Create the OU structure for the business unit
Implement role instances
Assign users to roles
Implementing the Data Delegation Model for the RandD Business Unit
The RandD business unit administrator is responsible for creating the business unit OU structure and implementing the data management delegation model for this business unit.
Creating the OU Structure for the RandD Business Unit
To create the RandD OU structure, the RandD business unit administrator creates the following OU objects:
OU=User Accounts,OU=RandD,OU=Business Units,DC=noam,DC=concorp,DC=contoso,DC=com
OU=Workstations,OU=RandD,OU=Business Units,DC=noam,DC=concorp,DC=contoso,DC=com
OU=Resources,OU=RandD,OU=Business Units,DC=noam,DC=concorp,DC=contoso,DC=com
OU=Research,OU=User Accounts,OU=RandD,OU=Business Units,DC=noam,DC=concorp,DC=contoso,DC=com
OU=Development,OU=User Accounts,OU=RandD,OU=Business Units,DC=noam,DC=concorp,DC=contoso,DC=com
OU=Desktops,OU=Workstations,OU=RandD,OU=Business Units,DC=noam,DC=concorp,DC=contoso,DC=com
OU=Laptops,OU=Workstations,OU=RandD,OU=Business Units,DC=noam,DC=concorp,DC=contoso,DC=com
OU=File Servers,OU=Resources,OU=RandD,OU=Business Units,DC=noam,DC=concorp,DC=contoso,DC=com
OU=Web Servers,OU=Resources,OU=RandD,OU=Business Units,DC=noam,DC=concorp,DC=contoso,DC=com
OU=Database Servers,OU=Resources,OU=RandD,OU=Business Units,DC=noam,DC=concorp,DC=contoso,DC=com
OU=Application Servers,OU=Resources,OU=RandD,OU=Business Units,DC=noam,DC=concorp,DC=contoso,DC=com
Implementing RandD Role Instances
To implement the RandD business administrative roles, the RandD business unit administrator creates security groups in the Delegation OU to represent the role instances for the business unit.
In OU=Delegation,OU=RandD,OU=Business Units,DC=noam,DC=concorp,DC=contoso,DC=com, the following groups are created:
RandD Account Admins
RandD Workstation Admins
RandD Resource Admins
The RandD the business unit administrator grants permissions to security groups as follows:
RandD Account Admins: Full Control on the Accounts OU
RandD Workstation Admins: Full Control on the Workstations OU
RandD Resource Admins: Full Control on the Resources OU
Additionally, the Restricted Groups feature of Group Policy is used to add the security groups representing the Workstation Admins and Resource Admins roles to the local Administrators groups on member servers.
Assigning RandD Administrative Users to Roles
The RandD business unit administrator adds the accounts of the administrative personnel listed for each role in the delegation model templates to the respective security groups that represent the role instances.
Implementing the Data Delegation Model for the Production Business Unit
The Production business unit administrator is responsible for creating the business unit OU structure and implementing the data management delegation model for this business unit.
Creating the OU Structure for the Production Business Unit:
To create the Production OU structure, the Production business unit administrator creates the following OU objects:
OU=User Accounts,OU=Production,OU=Business Units,DC=noam,DC=concorp,DC=contoso,DC=com
OU=Workstations,OU=Production,OU=Business Units,DC=noam,DC=concorp,DC=contoso,DC=com
OU=Resources,OU=Production,OU=Business Units,DC=noam,DC=concorp,DC=contoso,DC=com
OU=Desktops,OU=Workstations,OU=Production,OU=Business Units,DC=noam,DC=concorp,DC=contoso,DC=com
OU=Laptops,OU=Workstations,OU=Production,OU=Business Units,DC=noam,DC=concorp,DC=contoso,DC=com
OU=Production Application 1,OU=Resources,OU=Production,OU=Business Units,DC=noam,DC=concorp,DC=contoso,DC=com
OU=Production Application 2,OU=Resources,OU=Production,OU=Business Units,DC=noam,DC=concorp,DC=contoso,DC=com
OU=Production Application 3,OU=Resources,OU=Production,OU=Business Units,DC=noam,DC=concorp,DC=contoso,DC=com
OU=Shared Resources,OU=Resources,OU=Production,OU=Business Units,DC=noam,DC=concorp,DC=contoso,DC=com
OU=File Servers,OU=Production Application 1,OU=Resources,OU=Production,OU=Business Units,DC=noam,DC=concorp,DC=contoso,DC=com
OU=Web Servers,OU=Production Application 1,OU=Resources,OU=Production,OU=Business Units,DC=noam,DC=concorp,DC=contoso,DC=com
OU=Database Servers,OU=Production Application 1,OU=Resources,OU=Production,OU=Business Units,DC=noam,DC=concorp,DC=contoso,DC=com
OU=Application Servers,OU=Production Application 1,OU=Resources,OU=Production,OU=Business Units,DC=noam,DC=concorp,DC=contoso,DC=com
OU=File Servers,OU=Production Application 2,OU=Resources,OU=Production,OU=Business Units,DC=noam,DC=concorp,DC=contoso,DC=com
OU=Web Servers,OU=Production Application 2,OU=Resources,OU=Production,OU=Business Units,DC=noam,DC=concorp,DC=contoso,DC=com
OU=Database Servers,OU=Production Application 2,OU=Resources,OU=Production,OU=Business Units,DC=noam,DC=concorp,DC=contoso,DC=com
OU=Application Servers,OU=Production Application 2,OU=Resources,OU=Production,OU=Business Units,DC=noam,DC=concorp,DC=contoso,DC=com
OU=File Servers,OU=Production Application 3,OU=Resources,OU=Production,OU=Business Units,DC=noam,DC=concorp,DC=contoso,DC=com
OU=Web Servers,OU=Production Application 3,OU=Resources,OU=Production,OU=Business Units,DC=noam,DC=concorp,DC=contoso,DC=com
OU=Database Servers,OU=Production Application 3,OU=Resources,OU=Production,OU=Business Units,DC=noam,DC=concorp,DC=contoso,DC=com
OU=Application Servers,OU=Production Application 3,OU=Resources,OU=Production,OU=Business Units,DC=noam,DC=concorp,DC=contoso,DC=com
OU=File Servers,OU=Shared Resources,OU=Resources,OU=Production,OU=Business Units,DC=noam,DC=concorp,DC=contoso,DC=com
OU=Web Servers,OU= Shared Resources,OU=Resources,OU=Production,OU=Business Units,DC=noam,DC=concorp,DC=contoso,DC=com
OU=Database Servers,OU= Shared Resources,OU=Resources,OU=Production,OU=Business Units,DC=noam,DC=concorp,DC=contoso,DC=com
OU=Application Servers,OU= Shared Resources,OU=Resources,OU=Production,OU=Business Units,DC=noam,DC=concorp,DC=contoso,DC=com
Implementing Production Role Instances
To implement the Production business unit administrative roles, the Production business unit administrator creates security groups in the Delegation OU to represent role instances for the business unit.
In OU=Delegation,OU=Production,OU=Business Units,DC=noam,DC=concorp,DC=contoso,DC=com, the following groups are created:
Production Account Admins
Production Location 1 Workstation Admins
Production Location 2 Workstation Admins
Production Application 1 Resource Admins
Production Application 2 Resource Admins
Production Application 3 Resource Admins
Production Common Resources Resource Admins
The Production business unit administrator grants permissions to security groups as follows:
Production Account Admin: Full Control on the Accounts OU
Production Location 1 Workstation Admins: Full Control on the Location 1 OU within the Workstations OU
Production Location 2 Workstation Admins: Full Control on the Location 2 OU within the Workstations OU
Production Application 1 Resource Admins: Full Control on the Application 1 OU within the Resources OU
Production Application 2 Resource Admins: Full Control on the Application 2 OU within the Resources OU
Production Application 3 Resource Admins: Full Control on the Application 3 OU within the Resources OU
Production Common Resources Resource Admins: Full Control on the Common Resources OU within the Resources OU
Additionally, the Restricted Groups feature of Group Policy is used to add the security groups representing Workstation Admins and Resource Admins roles to the local Administrators groups on member servers.
Assigning Production Administrative Users to Roles
The Production business unit administrator adds the accounts of the administrative personnel listed for each role in the model documentation (templates) to the respective security groups that represent the role instances.
Implementing the Data Delegation Model for the Bus Mgmt Business Unit
The Bus Mgmt business unit administrator is responsible for creating the business unit OU structure and implementing the data management delegation model for this business unit.
Creating the OU structure for the Bus Mgmt Business Unit
To create the Bus Mgmt OU structure, the Bus Mgmt business unit administrator creates the OU objects shown in Figures 17 and 18 earlier in this document.
Implementing Bus Mgmt Role Instances
To implement the Bus Mgmt business unit administrative roles, the Bus Mgmt business unit administrator creates security groups in the Delegation OU of the respective domain to represent the required role instances.
In OU=Delegation,OU=Bus Mgmt,OU=Business Units,DC=noam,DC=concorp,DC=contoso,DC=com, the following groups are created:
BusMgmt NOAM Account Admins
BusMgmt Chicago Workstation Admins
BusMgmt New York Workstation Admins
BusMgmt Application Admins
BusMgmt Chicago Resource Admins
BusMgmt New York Resource Admins
In OU=Delegation,OU=Bus Mgmt,OU=Business Units,DC=europe,DC=concorp,DC=contoso,DC=com, the following groups are created:
BusMgmt Europe Account Admins
BusMgmt London Workstation Admins
BusMgmt Paris Workstation Admins
BusMgmt Rome Workstation Admins
BusMgmt London Resource Admins
BusMgmt Paris Resource Admins
BusMgmt Rome Resource Admins
The Bus Mgmt business unit administrator grants permissions to the corresponding security groups as shown in Table 84:
Table 84 Permissions for Security Groups Representing Bus Mgt Business Unit Role Instances
| Security Group | Permissions | OU | Domain |
|---|---|---|---|
BusMgmt NOAM Account Admins |
Full Control |
Accounts OU |
noam.concorp.contoso.com |
BusMgmt Europe Account Admins |
Full Control |
Accounts OU |
europe.concorp.contoso.com |
BusMgmt Chicago Workstation Admins |
Full Control |
Chicago OU within the Workstations OU |
noam.concorp.contoso.com |
BusMgmt London Workstation Admins |
Full Control |
London OU within the Workstations OU |
noam.concorp.contoso.com |
BusMgmt New York Workstation Admins |
Full Control |
New York OU within the Workstations OU |
noam.concorp.contoso.com |
BusMgmt Paris Workstation Admins |
Full Control |
Paris OU within the Workstations OU |
europe.concorp.contoso.com |
BusMgmt Rome Workstation Admins |
Full Control |
Rome OU within the Workstations OU |
europe.concorp.contoso.com |
BusMgmt Application Admins |
Full Control |
Applications OU within the Resources OU |
noam.concorp.contoso.com |
BusMgmt Chicago Resource Admins |
Full Control |
Chicago OU within the Resources OU |
noam.concorp.contoso.com |
BusMgmt London Resource Admins |
Full Control |
London OU within the Resources OU |
europe.concorp.contoso.com |
BusMgmt New York Resource Admins |
Full Control |
New York OU within the Resources |
noam.concorp.contoso.com |
BusMgmt Paris Resource Admins |
Full Control |
Paris OU within the Resources OU |
europe.concorp.contoso.com |
BusMgmt Rome Resource Admins |
Full Control |
Rome OU within the Resources OU |
europe.concorp.contoso.com |
Additionally, the Restricted Groups feature of Group Policy is used to add the security groups representing Workstation Admins and Resource Admins roles to the local Administrators groups on member servers.
Assigning Bus Mgmt Administrative Users to Roles
The Bus Mgmt business unit administrator adds the accounts of the administrative personnel listed for each role in the delegation model templates to the respective security groups that represent the role instances.
Implementing the Data Delegation Model for the IT Business Unit
The IT business unit administrator is responsible for creating the business unit OU structure and implementing the data management delegation model for this business unit.
Creating the OU structure for the IT Business Unit
To create the Bus Mgmt OU structure, the IT business unit administrator creates the OU objects shown in Figures 17 and 18 earlier in this document.
Implementing IT Role Instances
To implement the IT business unit administrative roles, the IT business unit administrator creates security groups in the Delegation OU of each domain to represent the required role instances:
In OU=Delegation,OU=IT,OU=Business Units,DC=noam,DC=concorp,DC=contoso,DC=com, the following groups are created:
IT NOAM Account Admins
IT Chicago Workstation Admins
IT New York Workstation Admins
IT Application Admins
IT Chicago Resource Admins
IT New York Resource Admins
In OU=Delegation,OU=IT,OU=Business Units,DC=europe,DC=concorp,DC=contoso,DC=com, the following groups are created:
IT Europe Account Admins
IT London Workstation Admins
IT Paris Workstation Admins
IT Rome Workstation Admins
IT London Resource Admins
IT Paris Resource Admins
IT Rome Resource Admins
The IT business unit administrator grants permissions to the corresponding security groups as shown in Table 85:
Table 85 Permissions for Security Groups Representing IT Business Unit Role Instances
| Security Group | Permissions | OU | Domain |
|---|---|---|---|
IT NOAM Account Admins |
Full Control |
Accounts OU |
noam.concorp.contoso.com |
IT Europe Account Admins |
Full Control |
Accounts OU |
europe.concorp.contoso.com |
IT Chicago Workstation Admins |
Full Control |
Chicago OU within the Workstations OU |
noam.concorp.contoso.com |
IT London Workstation Admins |
Full Control |
London OU within the Workstations OU |
europe.concorp.contoso.com |
IT New York Workstation Admins |
Full Control |
New York OU within the Workstations OU |
noam.concorp.contoso.com |
IT Paris Workstation Admins |
Full Control |
Paris OU within the Workstations OU |
europe.concorp.contoso.com |
IT Rome Workstation Admins |
Full Control |
Rome OU within the Workstations OU |
europe.concorp.contoso.com |
IT Application Admins |
Full Control |
Applications OU within the Resources OU |
noam.concorp.contoso.com |
IT Chicago Resource Admins |
Full Control |
Chicago OU within the Resources OU |
noam.concorp.contoso.com |
IT London Resource Admins |
Full Control |
London OU within the Resources OU |
europe.concorp.contoso.com |
IT New York Resource Admins |
Full Control |
New York OU within the Resources OU |
noam.concorp.contoso.com |
IT Paris Resource Admins |
Full Control |
Paris OU within the Resources OU |
europe.concorp.contoso.com |
IT Rome Resource Admins |
Full Control |
Rome OU within the Resources OU |
europe.concorp.contoso.com |
Additionally, the Restricted Groups feature of Group Policy is used to add the security groups representing the Workstation Admins and Resource Admins roles to the local Administrators groups on member servers.
Assigning IT Administrative Users to Roles
The IT BU Admin adds the accounts of the administrative personnel listed for each role in the delegation model templates to the respective security groups that represent the role instances.
This completes Contoso’s implementation of the delegation model. From this point, Contoso will follow the recommendations for maintaining the delegation model.