Active Directory Design (10)
A.7.6.1 Roles and Responsibilities
The purpose of this section is to identify the different target management groups (the roles) and their operations (the activities).
The roles and responsibilities model is quite different between the XXX Asia countries, but a few threads are common.
Most of the countries have a local management team which is responsible for managing a single store to a large area covering several stores.
Most of the countries have central teams who support all the users at the country level. These central teams are, for example, Helpdesk, Local Support and Administrators.
Design Decision
Asia Windows management relies on standardized Roles in order to provide a common way to implement Active Directory delegation management.
A.7.7.1 Delegation Management Principles
In Active Directory, Delegation Management is achieved via Organizational Units where the objects are stored.
The OU hierarchy reflects how Active Directory objects are managed: it mirrors the administrative hierarchy, not the functional or geographic hierarchy. Users are not supposed to navigate the OU structure and should never see it.
OU Concepts
An Organizational Unit is an Active Directory container used within a domain.
- An OU cannot be shared between two domains
- An object can only belong to a single OU
OUs are logical containers into which you place users, groups, computers, and other Organizational Units.
- An OU can only contain objects from its domain
- An OU is not a group. It cannot be used to apply permissions
An OU hierarchy can be organized according to two approaches:
1. per object type / per site
2. per site / per object type
Scenario 1: OU hierarchy organized per object type / per site
OUs are organized first per object type (users, groups, workstations, servers) and then per site. GPOs are inherited, so a GPO linked to a parent OU is applied to all objects in its child OUs. As an example, a GPO linked to the Users OU is applied to all users residing in the site OUs below it.
- Permissions for delegation must be assigned repeatedly, on every location OU
- Not easy if the required ACLs are complex and non-standard
- Objects managed by the same Site Operators are spread over multiple OU hierarchies (requiring specific MMC taskpads for ease of management)
Scenario 2: OU hierarchy organized per site / per object type
OUs are organized first per location and then per object type. Delegation per site is configured at the location OU level and inherited by its sub-OUs.
- It is better suited to organizations with on-site IT operators
- Management delegation is defined once per location
- Objects of a site are grouped under a single OU and not spread over multiple OUs
- It is more resilient to organizational change
- A GPO that targets a specific object type must be linked to the corresponding sub-OU in each location, although linking a GPO is not a complex operation
Design Decision
Scenario 2 is recommended because delegation management is more easily configured.
A.7.7.2 OU Hierarchy Template
The OU Hierarchy template is driven by these considerations:
Entity (Head Office, Stores and other remote locations)
- The Entity's resources, users and groups are organized per physical location. This makes it possible to delegate permissions to local IT operators.
- Workstations are split between Desktops and Laptops in order to easily apply different GPO settings depending on the computer type. Users and Groups are stored in different OUs for readability.
- The admin accounts and the service accounts are stored in two specific OUs.
- The different group types (Universal, Global and Domain Local) are placed in different OUs.
- The groups dedicated to administration are stored in a specific OU in order to separate them from the functional groups.
The diagram below shows the adopted OU hierarchy and the types of objects stored in the OUs.
For a store or a remote location, the OU hierarchy is a bit simplified as no Universal Groups should be locally created.
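The following PowerShell is an added example, not a script from this design document: it builds the Scenario 2 template for one store (no Universal Groups OU) and then defines the local operators' delegation once, on the location OU, so that it is inherited by every sub-OU. The domain DN, the site name "Store01" and the operator group "Store01-IT-Operators" are assumptions.

```powershell
# Added example, not from the design document: Scenario 2 OU template for one
# store plus a single delegation rule set applied at the location OU.
# Assumed (hypothetical): domain DC=corp,DC=example, site "Store01" and an
# existing local-operator group "Store01-IT-Operators".
Import-Module ActiveDirectory

$DomainDN = 'DC=corp,DC=example'
$Site     = 'Store01'
$SiteDN   = "OU=$Site,$DomainDN"

# Location OU first, then per-object-type sub-OUs (Scenario 2).
# A store has no Universal Groups OU; that OU exists only at the head office.
$Layout = [ordered]@{
    'Users'           = @()
    'Groups'          = @('Global', 'DomainLocal', 'Admin')
    'Computers'       = @('Desktops', 'Laptops')
    'Admins'          = @()
    'ServiceAccounts' = @()
}

New-ADOrganizationalUnit -Name $Site -Path $DomainDN -ProtectedFromAccidentalDeletion $true
foreach ($type in $Layout.Keys) {
    New-ADOrganizationalUnit -Name $type -Path $SiteDN -ProtectedFromAccidentalDeletion $true
    foreach ($sub in $Layout[$type]) {
        New-ADOrganizationalUnit -Name $sub -Path "OU=$type,$SiteDN" -ProtectedFromAccidentalDeletion $true
    }
}

# Delegation is defined once, on the location OU, and inherited by every sub-OU,
# which is exactly what Scenario 1 lacks (one ACL per location per object type).
$Rights  = [System.DirectoryServices.ActiveDirectoryRights]
$Inherit = [System.DirectoryServices.ActiveDirectorySecurityInheritance]
$Allow   = [System.Security.AccessControl.AccessControlType]::Allow
$UserClass = [Guid]'bf967aba-0de6-11d0-a285-00aa003049e2'   # schema GUID of the 'user' class
$Sid = (Get-ADGroup 'Store01-IT-Operators').SID
$Acl = Get-Acl -Path "AD:\$SiteDN"

# Create and delete user objects anywhere below the location OU.
$Acl.AddAccessRule([System.DirectoryServices.ActiveDirectoryAccessRule]::new(
    $Sid, [System.DirectoryServices.ActiveDirectoryRights]'CreateChild, DeleteChild', $Allow, $UserClass, $Inherit::All))
# Write the properties of user objects below the location OU. Reset password is a
# separate extended right and is granted by its own rule only if the role requires it.
$Acl.AddAccessRule([System.DirectoryServices.ActiveDirectoryAccessRule]::new(
    $Sid, $Rights::WriteProperty, $Allow, $Inherit::Descendents, $UserClass))
Set-Acl -Path "AD:\$SiteDN" -AclObject $Acl
```

After running it, `Get-Acl "AD:\OU=Users,$SiteDN" | Select -Expand Access` shows the two rules as inherited entries on every sub-OU, which is the check that the delegation really needs to be maintained in one place only.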
