AD Delegation Model – Sites Area or Tier2

We call the Sites area the “Sites root OU” under which all the different sites, areas or departments are organized. This is where all the business employees will reside and be organized: every user object representing an employee identity will be located within this container, together with the assigned computers, business groups and any other AD object the business unit requires to operate. This area is to be considered Tier2.

It is strictly forbidden to place any kind of administrative account or group within this OU subtree. Any account or group that must be granted delegated rights in order to administer or maintain this area must not reside here; please refer to the Administration Area instead.

The root OU “SITES” (or any other given name) will be implemented, administered and maintained by the forest owner; every major area described here follows the same procedure. The root SITES OU is a standard OU with no special ACL changes (inheritance enabled, all default permissions in place), with two exceptions: the Infrastructure Administrators have the right to create/delete OU objects, and the delegated Domain Administrators can only modify the OUs, not create or delete them.

Only two Group Policy Objects (monolithic GPOs) are planned for this root level: one for general user settings and one for general computer settings. No other GPO is intended at this level unless there is a clear reason to implement a specific-purpose GPO that has been previously analyzed, engineered, documented and approved by the Infrastructure Team in charge of the domain.

The following OU levels define each individual site. The second OU level is the name of the site/department, always following the company naming standards.

Delegation Model - Sites Area or Tier2

The 2nd OU level has no specific ACL defined, only the inherited ones. No GPO is linked at this level; only the parent's existing ones apply.

The 3rd OU level (the last one) is organized according to the object classes it will host. In other words, there will be a dedicated Users container, and the rights delegated within it allow creating ONLY User object classes.

There is one exception within this container: Global. This is the default container that holds “domain wide” objects without privileges. As already explained, each site has its own container for the different object types; but what happens when you need a domain-wide group that is not directly linked to or managed by any specific site? Creating such groups within the Admin Area is not the solution. We need an additional “generic” container, and of course its parent OU is the Sites Area.
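The root-level and third-level delegation described above, as an added PowerShell example that is not the original post's code. It assumes the RSAT ActiveDirectory module; the group names (SG_InfraAdmins, SG_DelegatedDomainAdmins, SG_Site01_UserAdmins) and the site name SITE01 are placeholders to be replaced by your own naming standard.

```powershell
# Added example (not from the original post): builds the Sites area skeleton and
# applies the delegation described in the text. Group and site names are placeholders.
Import-Module ActiveDirectory

$domainDN = (Get-ADDomain).DistinguishedName
$sitesDN  = "OU=SITES,$domainDN"

# Well-known schema class GUIDs, used to scope each ACE to a single object class.
$guidOU   = [Guid]'bf967aa5-0de6-11d0-a285-00aa003049e2'   # organizationalUnit
$guidUser = [Guid]'bf967aba-0de6-11d0-a285-00aa003049e2'   # user

function Add-AdAce {
    # Appends one Allow ACE to an OU; inheritance on the OU itself stays enabled.
    param(
        [string]$DN,
        [System.Security.Principal.SecurityIdentifier]$Sid,
        [System.DirectoryServices.ActiveDirectoryRights]$Rights,
        [Guid]$ObjectType = [Guid]::Empty,           # child class the right applies to
        [Guid]$InheritedObjectType = [Guid]::Empty,  # object class that inherits the ACE
        [System.DirectoryServices.ActiveDirectorySecurityInheritance]$Inheritance = 'All'
    )
    $acl = Get-Acl -Path "AD:\$DN"
    $ace = [System.DirectoryServices.ActiveDirectoryAccessRule]::new(
        $Sid, $Rights, [System.Security.AccessControl.AccessControlType]::Allow,
        $ObjectType, $Inheritance, $InheritedObjectType)
    $acl.AddAccessRule($ace)
    Set-Acl -Path "AD:\$DN" -AclObject $acl
}

# Root SITES OU: default permissions plus the two exceptions from the text.
New-ADOrganizationalUnit -Name 'SITES' -Path $domainDN
$infra = Get-ADGroup 'SG_InfraAdmins'             # placeholder group
$dAdm  = Get-ADGroup 'SG_DelegatedDomainAdmins'   # placeholder group
# Infrastructure Administrators may create/delete OU objects anywhere under SITES.
Add-AdAce $sitesDN $infra.SID 'CreateChild, DeleteChild' $guidOU
# Delegated Domain Administrators may only modify existing OUs (no create/delete).
Add-AdAce $sitesDN $dAdm.SID 'WriteProperty' ([Guid]::Empty) $guidOU

# 2nd level: one OU per site with no extra ACL. 3rd level: per-object-class containers.
New-ADOrganizationalUnit -Name 'SITE01' -Path $sitesDN
$siteDN = "OU=SITE01,$sitesDN"
New-ADOrganizationalUnit -Name 'Users' -Path $siteDN
$userAdm = Get-ADGroup 'SG_Site01_UserAdmins'     # placeholder; lives in the Admin area
# The site's delegated group may create/delete ONLY user objects in this container.
Add-AdAce "OU=Users,$siteDN" $userAdm.SID 'CreateChild, DeleteChild' $guidUser -Inheritance 'None'
```

Run it once from an account holding the forest owner's rights; rerunning Add-AdAce on an existing OU adds a duplicate ACE, so check the ACL with `(Get-Acl "AD:\$sitesDN").Access` before reapplying.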
