活动目录设计（11）

A.7.8     Delegation Management

A.7.8.1    Functional Groups

The implementation of Delegation Management in Asia follows these principles:

• The Forest administration is based on built-in groups in the Forest Root Domain;

• The Child Domain administration is based on built-in groups in the Domain;

• When a new store will be opened and will join the infrastructure. Il will be represented in the OU hierarchy and it will be granted pre-defined Admin Roles. This will give the ability to the Country Central Administrators to populate the roles with the relevant local administrators, automatically granting them the needed permissions to accomplish their tasks.

 

Based on XXX needs and constraints, the Functional Groups for Delegation Management Model are:

• Server Admins: Server Managers are responsible for the administration of the member servers in the Domain. Server Managers may be subdivided into server type Roles (Web, File/Print, Application) by extending the template.

• Account Operators: Account Operators administer user accounts and groups (create, delete, change membership).

• Helpdesk: The Helpdesk role is capable of performing some basic operations on users account (unlock a user account, reset password, change group membership). However, it does not have the right to create new user accounts or groups. It can remotely assist the users but does not have local administrator right on the workstations.

• Workstation Admins: Workstation Admins have administrator rights on all the desktops and laptops. They deploy workstations in Head Office and remote sites. On Windows XP, they can remotely control the computer or remotely assist the user.

• Local Admins: Local Admins are field personnel in charge of the administration of a remote site (store, warehouse) or a set of remote sites. They have full control permissions on user and computer objects in the OU tree corresponding to the physical location(s) they manage.

An overview of the enabled operations per Management Role is provided in the tables below.

Legend:  an “X” indicates Active Directory default permission.

              a tick “ü” indicates XXX specific implementation.

 

Forest and Domain Administration

	Enterprise Admins	Domain Admins	Schema Admins	Local Admins
Active Directory Installation
Install first Root Domain Controller	X
Install additional Domain Controller in the Domain	X
Create Child Domain	X
Configure Forest time source	X
Install additional Domain Controller in a child domain	X	X
Uninstall a Domain Controller (except the last one)	X	X
Implement a Domain trust relationship	X	X
Modify Active Directory Schema			X
FSMO Operations
Seize Forest FSMO role	X
Seize Domain FSMO role	X	X
Active Directory Site Topology
Create/Delete an Active directory site	X
Create/Delete a subnet	X
Associate a subnet with a site	X
Create/Delete an Active Directory Site link	X
Configure a site link	X
Manage Global Catalog server	X	X
Authorize a DCHP server	X			ü
DNS
Configure DNS in the Root Domain	X
Configure DNS in a Child Domain	X	X
Group Policy
Configure GPO in the Root Domain	X
Configure GPO in a Child Domain	X	X
Active Directory Backup / Restore
Root Domain Controllers Backup/Restore	X
Child Domain Controllers Backup/Restore		X
Domain Disaster Recovery	X

 

	Server Admins (1)	Account Operators	Helpdesk	Workstation Admins	Local Admins (2)
User Operations
Create/Delete a user account		ü			ü
Disable/Enable a user account		ü			ü
Rename an user account		ü			ü
Unlock a user account		ü	ü		ü
Reset user password		ü	ü		ü
Group Operations
Create/Delete a group		ü			ü
Rename a group		ü			ü
Modify group membership		ü	ü		ü
Computer Operations
Create/Delete a computer account	ü			ü	ü
Disable/Enable a computer account	ü			ü	ü
Join a computer to the domain	ü			ü	ü
Local Administrator right on the machine	ü			ü	ü