Autonomy vs. Isolation

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2

You can design your Active Directory logical structure to achieve either of the following:

  • Autonomy. Autonomy involves independent but not exclusive control of a resource. When you achieve autonomy, administrators have the authority to manage resources independently; however, administrators with greater authority exist who also have control over those resources and can take control away if necessary. You can design your Active Directory logical structure to achieve the following types of autonomy:

    • Service autonomy. This type of autonomy involves control over all or part of service management.

    • Data autonomy. This type of autonomy involves control over all or part of the data stored in the directory or on member computers joined to the directory.

  • Isolation. Isolation involves independent and exclusive control of a resource. When you achieve isolation, administrators have the authority to manage a resource independently and no other administrators can take control of the resource away. You can design your Active Directory logical structure to achieve the following types of isolation:

    • Service isolation. This type of isolation prevents administrators other than those specifically designated to control service management from controlling or interfering with service management.

    • Data isolation. This type of isolation prevents administrators other than those specifically designated to control or view data from controlling or viewing a subset of data in the directory or on member computers joined to the directory.

Administrators who require only autonomy accept that other administrators who have equal or greater administrative authority have equal or greater control over service or data management. Administrators who require isolation have exclusive control over service or data management. Creating a design to achieve autonomy is generally less expensive than creating a design to achieve isolation.

In Active Directory, administrators can delegate both service administration and data administration to achieve either autonomy or isolation between organizations. The combination of an organization's service management, data management, autonomy, and isolation requirements affects the Active Directory containers that are used to delegate administration.