Delegation of Control, Frequently
Delegation of control and management of PCs can be handled
differently in each department depending upon requirements. The needs and wants
vary by group but are ultimately defined by departmental administrators. It
becomes a fine balance: assigning enough control to expedite requests
without taking staff time away from other tasks, while weighing the
training and constant practice required to accomplish those tasks against
having them done by others for whom they are perhaps easier.
Several documents have already been created defining the
varying degrees of control available and what one's options are. The primary
guiding document is called Active Directory Management for the UWAD Forest;
you are strongly encouraged to read it. Several options are discussed, including
joining the UWAD forest as a domain (the Nexus domain is a part of the UWAD
forest) and joining the Nexus domain as an OU. This document focuses on
frequently asked questions concerning the above-mentioned balance.
The options for managing a group of W2K workstations, in
order of amount of work (from least to most), are as follows:
- Join an existing domain as an Organisational Unit (OU).
  - This offloads most of the security and administrative concerns of
    domain management, allowing you to focus on managing your own PCs.
- Join the existing UWAD forest as your own domain in order
  to take advantage of managed (forest) servers, which provide you with an
  extra level of protection.
  - This gives you complete control over your own domain without any
    interference, but requires that protection and management mechanisms
    similar to those already in place elsewhere be set up for your domain.
- Define a new domain/forest as a way of grouping PCs together
  for management.
  - This requires a minimum of two Domain Controllers, more
    if the forest is to be properly protected against failure.
- Leave all workstations as stand-alone.
  - This is the least desirable option, as most existing management
    tools are unusable.
If you join an existing domain as an OU, as much or as
little administrative control over your workstations can be defined as you
wish, with very few exceptions. IST has already joined another domain into the
UWAD forest. In addition, countless tests have been performed as OU
administrators in our duplicate TESTADS domain, where various levels of control
have been granted to departmental and faculty administrators. Most departments
prefer to have IST join their computers to the domain and install W2K on them
with all required applications. Administrative control over individual
computers need not be compromised for this to happen. We do require,
however, that IST continue to share administrative control over PCs in our
domain, so as to be able to apply patches and provide any other services
requested by the department.
If you join the Nexus domain as an OU the following has been
- Three domain controllers (servers) exist to keep the
domain running smoothly and offer OU management capabilities.
- An additional set of two domain controllers exist to host
the UWAD forest in which the Nexus domain exists. The main reasons for this
are to isolate the Schema (it defines a list of attributes for all domain
objects) and act as a parent for the Nexus domain, so as to better protect
our Active Directory.
- Print Servers have been provided to allow your clients
access to departmental printers (you could add your own).
- A pair of Netapps File Servers have been provided to offer
- Domain-wide Security Policies have been created based on
internal and external recommendations.
- Computers can be pre-staged to join the Nexus domain at the
same time the IP address is requested, thereby assuring the desired setup and
control when the workstation is finished being built.
- An image containing not only the W2K OS but a set of
primary applications is at your disposal. Your own applications can be
added afterwards or as part of a new image. Much time has been spent
analysing how clients wanted to have their operating system and
applications set up.
- Primary applications have been installed in such a way that they
repair themselves. If a client inadvertently uninstalls a key component
of one of these applications, it self-repairs from a central location the
next time the workstation is rebooted, minimizing downtime.
- Nexus is now the central campus authentication domain for
UWDIR so everyone already has a userid there. What resources are to be
assigned to your clients is up to you.
- Roaming Profiles can be offered to all who wish to use
them. This provides a server-side backed up copy of your local personal
profile so any changes you make to your desktop (for instance) can follow
you from PC to PC. Also, if your PC has to be rebuilt, your roaming
profile saves you customizing your replacement again.
- Folder Redirection has been provided to off-load what used
to be files local to the PC, to our file servers. Again, this becomes
important if a PC hard disk breaks. Files on networked servers are
automatically backed up for you. (This also provides additional security
if the PC were to be stolen.)
- We have an Update server defined that can deliver only
UW-approved operating system patches and updates. Providing an extra
buffer between the full list of Microsoft updates and your workstations,
without compromising security, has proven to be indispensable. This also
provides us with a mechanism to quickly deliver critical patches if
- Symantec Antivirus (or Norton Antivirus, as it used to be
called) updates are provided from two central Antivirus servers. Again,
these give us the ability to quickly deliver patches to protect you in
case of virus attacks.
- And lastly, having commonality with regard to all of the
above services with over 1000 other clients at UW allows the IST support
staff to react better and more quickly to client needs and concerns,
saving IST and the client valuable time.
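The pre-staging item above describes creating the computer account in the right place before the workstation is built, so that the join lands in the OU the department controls. The following PowerShell is an added example of that pattern and is not IST's tooling or code from this document; the domain name, OU path and computer name are placeholders, and the Active Directory module is assumed to be available.

```powershell
# Added example (not from the IST document): pre-stage a computer account in a
# departmental OU so the later domain join uses that object, then verify where
# the object ended up. Domain, OU path and computer name are placeholders.
Import-Module ActiveDirectory

$Domain = 'nexus.example'                        # placeholder domain
$OuDn   = 'OU=ExampleDept,DC=nexus,DC=example'   # placeholder OU
$PcName = 'EXDEPT-WS001'                         # placeholder computer name

# Stage 1 (OU administrator, on a management workstation): create the account
# inside the OU. Because the object already exists, the join does not need the
# right to create objects in the domain's default Computers container.
function New-PreStagedComputer([string]$Name, [string]$OuPath) {
    $existing = Get-ADComputer -Filter "Name -eq '$Name'"
    if ($existing) {
        Write-Warning "$Name already exists at $($existing.DistinguishedName)"
        return $existing
    }
    New-ADComputer -Name $Name -SamAccountName "$Name`$" -Path $OuPath `
        -Description 'Pre-staged by OU administrator' -Enabled $true -PassThru
}

# Stage 2 (on the new workstation, as a local administrator): the local
# computer name must already be $Name so the join matches the pre-staged
# object. The credential is a domain account allowed to join that object;
# -OUPath must agree with where Stage 1 created it.
function Join-PreStagedComputer([string]$DomainName, [string]$OuPath) {
    $cred = Get-Credential -Message "Account permitted to join $env:COMPUTERNAME"
    Add-Computer -DomainName $DomainName -OUPath $OuPath -Credential $cred -Restart
}

# Verification (back on the management workstation after the reboot): the
# object should be under the departmental OU, not the default container.
function Test-ComputerInOu([string]$Name, [string]$OuPath) {
    $obj = Get-ADComputer $Name -Properties whenChanged
    if ($obj.DistinguishedName -notlike "*,$OuPath") {
        Write-Warning "$Name is at $($obj.DistinguishedName), not under $OuPath"
        return $false
    }
    "$Name is under $OuPath (last changed $($obj.whenChanged))"
    return $true
}

# Typical use, stage by stage:
# New-PreStagedComputer -Name $PcName -OuPath $OuDn
# Join-PreStagedComputer -DomainName $Domain -OuPath $OuDn   # on the workstation
# Test-ComputerInOu -Name $PcName -OuPath $OuDn
```

The three functions are split by where they run: the first and last on the administrator's machine, the second on the workstation being joined. The check at the end is worth keeping in any build procedure, since a join that falls back to the default container silently escapes the OU's delegated control and policies.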
By joining Nexus as an OU instead of creating your own domain,
you will not be granted domain administrator privileges. Very few departmental
administrative functions require this. Since administrative control is still
granted over the workstations themselves, and since you can join your own
computers to the domain (and take them out) if you wish, very little control is
lost. The exceptions are as follows:
- You will need a domain admin to join a member server to
the domain. These might include your own printer or application servers. Once
the server has been joined to the domain there is no further
requirement for a domain admin account, as you will be granted full
administrative control over all functions of your server.
- As stated in the Active
Directory Management for the UWAD Forest document, all userids will remain
under IST control within Nexus. The reason for this is to minimize UWDIR
conflicts. This is not to say that local OU generic accounts cannot be
created, if required.
- As stated above, the Active Directory Schema exists outside of the
Nexus domain. Not only can OU administrators not change it, but Nexus domain
administrators cannot either. (You have to be a forest administrator to change
- A few security policies have been defined for the protection of all Nexus
clients, such as password length and complexity rules. These cannot be
overridden by OU administrators. A full list of all applied policies,
and what they are applied to, exists at: http://ist.uwaterloo.ca/w2k/projects/w2k/GroupPolicies.xls
- Lastly, and this shouldn't hurt too much, you will not be able to
manage any resources outside your OU. This means you cannot log on to or manage
the Domain Controllers, allow a new domain into the forest, or gain any control
over any other OU within Nexus. After all, you wouldn't want other OU
administrators to manage your resources either.
In other words, you can be granted all the control you need
over your own resources without the headaches of doing more than you have to.
You can be assigned full control over any resource within
your OU. This includes computers, printers, file shares and security groups:
anything but userids (as defined above). Control can be as all-inclusive or as
restrictive as requested or required. Control must be requested by a
departmental administrator and will be assigned to as few individuals as
possible. In practice, control is defined on an administrative
security group created for your OU. This way, if someone needs to be added or
removed, it can easily be done for all defined resources at once. Please note
that with control comes responsibility, and this should not be taken lightly.
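The paragraph above describes the delegation model: rights are granted to an administrative security group for the OU, covering computers, groups and printers but never userids, and the people holding control are managed through group membership. The PowerShell below is an added example of that model, not the procedure or code IST uses; the OU path and group name are placeholders, and it assumes the Active Directory module and its AD: drive. It applies the access control entries directly rather than through the Delegation of Control wizard, and ends by reading back what the group was granted, which is the part an administrator accepting that responsibility should review.

```powershell
# Added example (not from the IST document): grant a departmental admin
# security group control over computers, groups and print queues in its own
# OU, leave user objects alone, then list the resulting ACEs for review.
# The OU path and group name are placeholders.
Import-Module ActiveDirectory

$OuDn       = 'OU=ExampleDept,DC=nexus,DC=example'   # placeholder OU
$AdminGroup = 'ExampleDept-OU-Admins'                 # placeholder group

# Look an object class's schemaIDGUID up in the schema instead of hard-coding it.
function Get-SchemaClassGuid([string]$LdapDisplayName) {
    $schemaNc = (Get-ADRootDSE).schemaNamingContext
    $cls = Get-ADObject -SearchBase $schemaNc -Properties schemaIDGUID `
               -LDAPFilter "(lDAPDisplayName=$LdapDisplayName)"
    return [Guid]$cls.schemaIDGUID
}

# 1. Control goes to a group, so later changes are membership edits rather
#    than ACL edits on every resource.
if (-not (Get-ADGroup -Filter "Name -eq '$AdminGroup'")) {
    New-ADGroup -Name $AdminGroup -GroupScope Global -GroupCategory Security `
        -Path $OuDn -Description 'Delegated administrators for this OU'
}
$sid = (Get-ADGroup $AdminGroup).SID

# 2. Build the ACEs per delegated class: create/delete of that class anywhere
#    in the OU tree, plus full control over existing objects of that class.
#    'user' is deliberately absent: userids stay under IST control.
$Allow = [System.Security.AccessControl.AccessControlType]::Allow
$aces = foreach ($class in 'computer', 'group', 'printQueue') {
    $guid = Get-SchemaClassGuid $class
    [System.DirectoryServices.ActiveDirectoryAccessRule]::new(
        $sid,
        [System.DirectoryServices.ActiveDirectoryRights]'CreateChild, DeleteChild',
        $Allow, $guid,
        [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All)
    [System.DirectoryServices.ActiveDirectoryAccessRule]::new(
        $sid,
        [System.DirectoryServices.ActiveDirectoryRights]::GenericAll,
        $Allow,
        [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents,
        $guid)
}

# 3. Apply: read the OU's security descriptor via the AD: drive, add the ACEs,
#    write it back. Nothing here touches objects outside $OuDn.
$acl = Get-Acl -Path "AD:\$OuDn"
foreach ($ace in $aces) { $acl.AddAccessRule($ace) }
Set-Acl -Path "AD:\$OuDn" -AclObject $acl

# 4. Review: what does the group now hold on this OU? Run this again whenever
#    delegation is changed, and compare with what was actually requested.
function Get-DelegatedRights([string]$OuPath, [string]$GroupName) {
    (Get-Acl -Path "AD:\$OuPath").Access |
        Where-Object { $_.IdentityReference -like "*\$GroupName" } |
        Select-Object IdentityReference, ActiveDirectoryRights, AccessControlType,
                      ObjectType, InheritanceType, InheritedObjectType
}
Get-DelegatedRights -OuPath $OuDn -GroupName $AdminGroup | Format-Table -AutoSize
```

Two design points: the schema lookup keeps the script correct on any forest rather than relying on memorised GUIDs, and the two ACEs per class are what "full control over your own computers, groups and printers" means at the directory level, while leaving the OU's user objects, the domain's policies and everything outside the OU exactly as the document says they remain.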
Alternatively, if you decide to host your own domain within
the UWAD forest, you will have full control of, and responsibility for, everything
in your domain. The drawback is that in this case very few of the above-mentioned
IST-provided services will be at your disposal.
This document was created
by: Manfred Grisebach, MC1040, x3449
Last modified: January 6th, 2003