Windows 2000 Active Directory
Updated coverage of the most confusing Windows 2000 component in this new edition of a Syngress bestseller.
Active Directory Services dramatically changes the way IT professionals design, plan, configure and administer their Windows NT networks. The primary benefits of Active Directory Services are its extensibility, scalability, and ease of management as compared to prior generations of Windows NT. Systems Engineers will probably spend much of their time over the next several years planning for and deploying Active Directory Services in many different environments. Windows 2000 Active Directory, Second Edition gives IT professionals a head start; it provides updated coverage of everything they will need to succeed.
by Syngress

Product Details

ISBN-13: 9781928994602
Publisher: Elsevier Science
Publication date: 10/24/2001
Series: Global Knowledge
Edition description: 2ND
Pages: 800
Product dimensions: 7.50(w) x 9.25(h) x 1.39(d)

Read an Excerpt

As stated earlier, OUs are containers within a domain that can nest within each other to develop a hierarchy. They are used for group policy and for the delegation of administrative authority. One thing you must understand about an OU is that it is not a security principal. What this means is that you cannot apply access rights to the OU so that the users, groups, resources, other containers, and objects would inherit them. An OU is merely a container with no other capabilities. However, if you use OUs for group policy, then the group policies will flow down the tree structure that the OUs build. In addition, you can use the OUs to decentralize your administration without requiring a separate domain. An Active Directory user does not always have to navigate the OU hierarchy to locate services and information, so the optimal structure for OUs should reflect the boundaries needed for applying group policy or for delegating authority. It is a good rule of thumb to keep the OU names short enough to remember.

OU Objects in Active Directory

OUs are container objects within Active Directory. When you look at OUs in the Active Directory Users and Computers MMC, you can look at their properties, which include the Group Policies applied to them. OUs contain other objects, such as user account objects or other OUs. Policies can be applied to OUs, and those policies can be inherited by sub-OUs. Using the OU hierarchy, you can produce a granular system for managing the desktop environment, security, and a user’s network experience.


Group Policy and OUs

Group policy settings are applied to users and computers in order to manage the desktop configuration. A specific policy is applied to a site, domain, and/or an OU as needed. The group policy can be filtered to control access; otherwise it is inherited by child containers. Group policies will affect users’ login time when they are in a nested OU that has multiple group policies. Longer names for OUs will also affect processing at login time. See Chapter 13, “Intellimirror,” for information on how to apply group policies.


Delegating Administration

The legacy Windows NT delegation of administration did not offer much in the way of flexibility:

  • Administrators were forced to use built-in local groups on the servers for administrative authority.
  • They had to adjust predefined rights if they were not sufficient or if they were too lax.
  • Their administrative design typically resulted in oodles of Domain Administrators so that everyone could access what they needed to.
  • Administrators created resource domains just to delegate administration, which then resulted in too many domains and complex trust relationships.

Delegating administration is more powerful and flexible in Windows 2000 than it was in earlier versions of NT. Using the flexibility of Active Directory, delegation of administrative responsibility can be applied at the OU level. The Administrator can assign administrative rights for each object's attribute, and whether that control can be inherited. The result is that the appropriate Administrators are granted the appropriate control of their assigned users and published resources. If an Administrator delegates Full Control to another user, then that user is able to delegate administrative authority to others. Otherwise, the delegation of administration is completed by selecting the authority level over each object class and the ability to modify specific attributes. The process is fairly simple:

  1. Create a group.
  2. Grant the group specific access.
  3. Populate the group with users.

Windows 2000 even supplies a Delegation of Control Wizard in the Active Directory Users and Computers Microsoft Management Console (MMC) utility (which can be found in the Administrative Tools folder under Programs in the Start menu). This makes the process even easier to execute. The following steps must be taken to use the Delegation of Control Wizard (see Figure 5.10) in order to delegate Full Control to another Administrator for a single OU (the OU is also called a folder in the wizard).

  1. Click Start | Programs | Administrative Tools on any DC.
  2. Select Active Directory Users and Computers.
  3. After the window opens, in the left pane of the window, navigate to the OU to which you will be delegating administrative rights.
  4. Right-click on the OU and select Delegate Control from the pop-up menu.
  5. The wizard box will start with a Welcome dialog. Click Next.
  6. The next screen will show the path of the folder. Click Next.
  7. The Group or User Selection screen will appear. Click Add.
  8. Select the group to which you will be giving administrative access.
  9. The group's name will appear in the window. Verify it is correct and click Next.
  10. In the Predefined Delegations window, select Do customized delegation and click Next.
      Figure 5.10 Customized Delegation
  11. In the Active Directory Object Type window, you can select either the entire folder or a custom list of objects that are in the folder. Select Entire folder and click Next.
  12. In the Permissions box, you can select a variety of permissions (see Figure 5.11). To delegate full administrative rights, you will need to select Full Control. Then click Next.
      Figure 5.11 Reset Password Is an Option in the Permissions Box for User Objects
  13. The final dialog will show you a summary of the options you have selected. Click Finish to enable delegation. If you click Back, you can change your options. If you click Cancel, no changes will be applied. (See Figure 5.12.)
      Figure 5.12 Summary Dialog

After completing this exercise, there is a way to verify that the changes are applied. In the Active Directory Users and Computers window, select the View menu and then the Advanced Features option. You can then right-click the OU for which you delegated control, then select Properties. On the Security page, click Advanced. The Permissions tab will show you the additional permissions created for the group. If you double-click the group, you will see that it has been granted full rights to all of that OU and any OUs within it.

Another way to verify that the group has been granted access correctly is to log on as a user account that is a member of that group. Then start the Active Directory Users and Computers Wizard and try creating a new group.

There are some challenges with delegating administration. For many with experience in other directory services, the most difficult problem with delegating administration for a container is with somehow losing the delegated Administrator’s password—whether the Administrator has forgotten it, or left the company, or some other mishap has occurred. For this reason, it is a good practice always to have a master administrative account that is granted access to every container, even if it is intended to be completely cut off. The account should be set aside in a secure place for disaster recovery purposes only.

Configuring and Implementing
Controlling Who Can Reset Passwords

One of the most common problems users run into is that they forget their password. Usually this happens the day after they were required to change their password. Only certain Administrators can access that type of user control in legacy environments, so this capability typically is retained by a high-level IT group. In a large organization, it can become a huge headache!

Active Directory can be an aspirin for this particular headache, if an organization has a group such as a Help Desk that is connected to the network. In this case, Active Directory allows the delegation of only the password resetting right. The Help Desk would have no other rights to the directory and could handle the password resets immediately.

To delegate this specific right, create a group for the Help Desk. Then follow the Delegation of Control process up to the Predefined Delegations window in step 10. Here you would select Delegate one or more of the predefined delegations, and from the check-box list, select only Reset passwords on user accounts. It is a simple matter of finishing the wizard after that.
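The same three-step delegation (create a group, grant it one specific right, populate it) and the read-back verification described above, done from the command line instead of the wizard, as an added example that is not from the book. It assumes the ActiveDirectory PowerShell module on a current management host (the module did not exist on Windows 2000 itself) and uses placeholder OU and group names.

```powershell
# Added example, not from the book. Assumes the ActiveDirectory module (RSAT)
# and an existing OU and group; the DN and group name below are placeholders.
Import-Module ActiveDirectory

$ouDN      = 'OU=Sales,DC=example,DC=com'   # placeholder OU to delegate over
$groupName = 'HelpDesk-PasswordReset'       # placeholder group (step 1 in the text)

# Resolve the GUIDs from this forest rather than hardcoding them: the schema GUID
# of the "user" class and the rightsGuid of the "Reset Password" extended right.
$rootDse   = Get-ADRootDSE
$userClass = Get-ADObject -SearchBase $rootDse.schemaNamingContext `
    -LDAPFilter '(lDAPDisplayName=user)' -Properties schemaIDGUID
$userGuid  = [guid]$userClass.schemaIDGUID
$reset     = Get-ADObject -SearchBase "CN=Extended-Rights,$($rootDse.configurationNamingContext)" `
    -LDAPFilter '(displayName=Reset Password)' -Properties rightsGuid
$resetGuid = [guid]$reset.rightsGuid

# Step 2: a single ACE on the OU that allows the group only this extended right,
# and only on descendant user objects. No other right in the directory is granted.
$group = Get-ADGroup -Identity $groupName
$ace = [System.DirectoryServices.ActiveDirectoryAccessRule]::new(
    $group.SID,
    [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight,
    [System.Security.AccessControl.AccessControlType]::Allow,
    $resetGuid,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents,
    $userGuid)

$acl = Get-Acl -Path "AD:\$ouDN"
$acl.AddAccessRule($ace)
Set-Acl -Path "AD:\$ouDN" -AclObject $acl

# Step 3: populate the group (placeholder account name).
# Add-ADGroupMember -Identity $groupName -Members 'helpdesk.operator'

# Verify, the same check the text performs via Advanced Features > Security > Advanced:
# the group should hold exactly one Allow ACE, an ExtendedRight whose ObjectType is the
# Reset Password GUID and whose InheritedObjectType is the user class GUID. Anything
# broader than that means the delegation was wider than intended.
(Get-Acl -Path "AD:\$ouDN").Access |
    Where-Object { $_.IdentityReference -like "*\$groupName" } |
    Select-Object ActiveDirectoryRights, AccessControlType, ObjectType,
                  InheritedObjectType, InheritanceType
```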

Table of Contents

Part I: Getting Started
  1. Introduction to Active Directory
  2. Assessing Your Environment
  3. Active Directory for Windows 2000 JumpStart Tutorial

Part II: Designing the Active Directory
  4. DNS and Naming Strategies
  5. Designing the Basic Structure
  6. Designing a Site Structure
  7. Designing: A Case Study

Part III: Installing Active Directory
  8. Migrating from NT 3.51 or NT 4 to Active Directory
  9. Implementing a Domain
  10. Building Trees and Forests
  11. Implementing Sites
  12. Implementing Active Directory: A Case Study

Part IV: Migrating Active Directory
  13. Intellimirror
  14. Publishing
  15. Modifying the Schema
  16. Using Active Directory: A Case Study

Part V: Integrating with Active Directory
  17. Plugging into Active Directory
  18. Disaster Recovery for Active Directory
