Delegation at Work

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2

A brief example of delegation at work will help you better understand the value and the benefits of delegation that organizations can use to enhance security, decrease total cost of ownership (TCO), and make Active Directory and IT resource management more tractable and efficient.

Contoso Pharmaceuticals, a fictitious company, has recently deployed Active Directory. Contoso Pharmaceuticals is a large organization that has its headquarters in Chicago, Illinois, and has operations in five other locations in North America and Europe. The Active Directory infrastructure consists of a single forest, three domains, and six sites. The company has about 16,000 users, 20,000 end-user workstations and about 3000 servers spread across five physical locations. Contoso has four business units that have a presence in each of the five physical locations. These business units include:

  • Research and Development

  • Production

  • Business Management

  • IT

With Active Directory delegation, Contoso was able to delegate responsibility in the following areas:

  • Workstation management. Contoso seamlessly and easily delegated all aspects of workstation management to local administrative groups, one for each physical location.

  • Account management. Contoso delegated all aspects of account management to the Account Admins of each business unit regardless of the physical location of the managed users, while centrally retaining help desk operations.

  • Security-sensitive operations. Contoso was able to grant Corporate Security personnel sufficient authority to carry out security-sensitive operations on every user account in the company, such as allowing Corporate Security personnel to disable or lock out any user account in the entire company at the click of a button.

  • Resource management. Contoso delegated all aspects of resource management to the appropriate resource owners, enabling the resource owners to manage and retain control over their resources. This included the following:

    • A human resources portal on the intranet hosted on a small cluster of three high-performance servers running Internet Information Services (IIS). Contoso was able to delegate full control over the servers to the administrators of this application and grant them the ability to authorize access to their portal.

    • Multiple in-house applications hosted on a set of high-performance servers, with the administration of the servers entrusted to one set of administrators in the data center and the administration of each application entrusted to a separate set of administrators. Using delegation, Contoso could grant the administrative group responsible for the servers the ability to manage the servers, while granting the administrative group responsible for each application the ability to manage only that application.

  • Self-service user accounts. Contoso enabled self-service on user accounts, and was able to finely control specific information that users could change themselves. With delegation, Contoso could allow their users to modify their phone numbers and personal information while retaining control over the ability to modify sensitive data like the password-not-required flags on user objects. Contoso was also able to grant other stakeholders like Human Resources managers the ability to modify a user’s manager and office location information.

  • Active Directory–enabled applications. Contoso was able to delegate all aspects of Microsoft Exchange mailbox administration to its Exchange administrators, which increased productivity while achieving separation of duties. In addition, Contoso had an in-house Line of Business (LOB) application that stored data in Active Directory. Contoso administrators were able to delegate complete control over the LOB application’s data to the application’s administrators, including granting the ability to control access to data by using account and resource groups.

  • Service management. Contoso was able to distribute Active Directory service management among specific administrative groups based on the principle of least privilege. This increased accountability, achieved a clear separation of responsibility, and decreased the number of highly trusted administrators that Contoso needed to hire and maintain.
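An added example, not code from this article, showing how the self-service, Human Resources, and Corporate Security delegations described above could be applied with Dsacls.exe on a Windows Server 2003 domain controller; the OU distinguished name and the group names are assumptions, not values from the article.

```batch
@echo off
rem Added example (not part of this article): applying the Contoso user
rem delegations with dsacls.exe. The OU path and group names below are
rem assumptions, not values from the article.

set USERS_OU="OU=Users,DC=contoso,DC=com"

rem 1. Self-service: each user may write their own phone attributes.
rem    NT AUTHORITY\SELF is the well-known principal meaning "the user
rem    represented by this object". /I:S applies the entry to the user
rem    objects under the OU rather than to the OU itself.
dsacls %USERS_OU% /I:S /G "NT AUTHORITY\SELF:WP;telephoneNumber;user"
dsacls %USERS_OU% /I:S /G "NT AUTHORITY\SELF:WP;mobile;user"
dsacls %USERS_OU% /I:S /G "NT AUTHORITY\SELF:WP;homePhone;user"

rem 2. HR managers may change a user's manager and office location.
dsacls %USERS_OU% /I:S /G "CONTOSO\HR Managers:WP;manager;user"
dsacls %USERS_OU% /I:S /G "CONTOSO\HR Managers:WP;physicalDeliveryOfficeName;user"

rem 3. Corporate Security may disable any account in the OU. The
rem    "account disabled" and "password not required" flags are both
rem    bits of userAccountControl, so write access to that attribute is
rem    granted only to this group and never to SELF; this is what keeps
rem    the password-not-required flag out of reach of self-service.
dsacls %USERS_OU% /I:S /G "CONTOSO\Corporate Security:WP;userAccountControl;user"

rem 4. Check: list every access control entry on the OU that refers to
rem    userAccountControl. Only Corporate Security (plus any built-in
rem    administrative groups) should appear; a line naming SELF would
rem    mean self-service has leaked control of the sensitive flags.
dsacls %USERS_OU% | findstr /I "userAccountControl"
```

Run the script as a member of a group that has Modify Permissions on the OU, then repeat the final dsacls listing after any later delegation change to confirm the separation is still intact.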

As demonstrated by the Contoso example, organizations can realize multiple benefits from the delegation capabilities of Active Directory. These benefits include distributing administrative responsibilities on the basis of least privilege, increasing administrative efficiency by easily and conveniently assigning the responsibilities for managing directory content and the directory service itself, and reducing administrative costs by facilitating shared administrative responsibility.