Chapter 3: Delegating Service Management

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2

Service management involves managing all aspects of the Active Directory directory service that are required to provide security and reliability in the delivery of the directory service. Overall responsibility for service management is entrusted to service owners who are responsible for the planning and long-term maintenance of the Active Directory infrastructure, ensuring that the directory continues to function, and ensuring that goals established in service-level agreements are met. To achieve these goals, service owners create an administrative delegation model to distribute the various administrative responsibilities among service administrators. Service administrators thus represent the operational arm of the service owners.

Service owners choose a small, select group of highly trusted and skilled administrators from among their service administrators and confer on them the highest level of privilege by designating them as Enterprise Administrators of the forest. While service owners are responsible for creating a delegation model for service management, service administrators assist them by providing an operational perspective, including the capabilities and the limitations of the system. Once a well-designed delegation model for service management is complete, Enterprise Administrators implement it to enable the team of service management administrators to carry out its assigned responsibilities.

This chapter provides guidance on how to use delegation to provide administrative coverage for all aspects of service management in an Active Directory environment. The chapter presents an overview of the various categories that make up service management and provides recommendations for how to efficiently delegate all aspects of service management in a security-conscious manner.

To help service owners to create the service delegation model, and to help high-level administrators to implement the model, this chapter provides the following information:

  • Overview of the categories of service tasks that require management.

  • Overview of the default service administration groups and their levels of privilege.

  • Recommendations for how to delegate all service management responsibilities in an efficient and security-conscious manner by using service administration roles.

  • Best practices for implementing the service delegation model by creating service administration groups for each administrative role, assigning appropriate permissions, and populating the groups.