
Nexus: Delegation of Control, FAQ

Delegation of Control, Frequently Asked Questions

Delegation of control and management of PCs can be handled differently in each department depending upon requirements. The needs and wants vary by group but are ultimately defined by departmental administrators. It becomes a fine balance between assigning enough control to expedite requests and not taking too much of staff's time away from other tasks: the training and constant practice required to accomplish some tasks must be weighed against leaving them to others who can perhaps do them more easily.

Several documents have already been created defining the varying degrees of control available and what one's options are. The primary guiding document is called Active Directory Management for the UWAD Forest; you are strongly encouraged to read it. Several options are discussed there, including joining the UWAD forest as a domain (the Nexus domain is part of the UWAD forest) and joining the Nexus domain as an OU. This document focuses on frequently asked questions concerning the above-mentioned balance.

What Are My Options?

The options for managing a group of W2K workstations, in order of amount of work (from least to most), are as follows:

  • Join an existing domain as an Organisational Unit (OU).
    • This offloads most of the security and administrative concerns of domain management, allowing you to focus on managing your own PCs.
  • Join the existing UWAD forest as your own domain in order to take advantage of managed (forest) servers providing you with an extra level of protection.
    • This provides you with complete control over your own domain without any interference, but requires that protection and management mechanisms similar to those already in place elsewhere be put in place for your domain.
  • Define a new domain/forest as a way of grouping together PCs for management.
    • This requires a minimum of two Domain Controllers, more if the forest is to be properly made fail-safe.
  • Leave all workstations stand-alone.
    • This is the least desirable option, as most existing management tools are unusable.

Do I Have Options as OU Administrator?

If you join an existing domain as an OU, as much or as little administrative control over your workstations can be defined as you wish, with very few exceptions. IST has already joined another domain into the UWAD forest. In addition, countless tests have been performed as OU administrators in our duplicate TESTADS domain, where various levels of control have been granted to departmental and faculty administrators. Most departments prefer to have IST join their computers to the domain and install W2K on them with all required applications. Administrative control over individual computers need not be compromised for this to happen. We do require, however, that IST continue to share administrative control over PCs in our domain, so as to be able to apply patches and provide any other services requested by the department.

What Services Are Provided For Me?

If you join the Nexus domain as an OU the following has been provided:

  • Three domain controllers (servers) exist to keep the domain running smoothly and offer OU management capabilities.
  • An additional set of two domain controllers exist to host the UWAD forest in which the Nexus domain exists. The main reasons for this are to isolate the Schema (it defines a list of attributes for all domain objects) and act as a parent for the Nexus domain, so as to better protect our Active Directory.
  • Print Servers have been provided to allow your clients access to departmental printers (you could add your own).
  • A pair of Netapps File Servers have been provided to offer file services.
  • Domain-wide Security Policies have been created based on internal and external recommendations.
  • Computers can be pre-staged to join the Nexus domain at the same time the IP address is requested, thereby assuring the desired setup and control when the workstation is finished being built.
  • An image containing not only the W2K OS but a set of primary applications is at your disposal. Your own applications can be added afterwards or as part of a new image. Much time has been spent analysing how clients wanted to have their operating system and applications set up.
  • Primary applications have been applied in such a way that they repair themselves. If a client inadvertently uninstalls a key component of one of these applications, it self-repairs from a central location the next time the workstation is rebooted, minimizing downtime.
  • Nexus is now the central campus authentication domain for UWDIR so everyone already has a userid there. What resources are to be assigned to your clients is up to you.
  • Roaming Profiles can be offered to all who wish to use them. This provides a server-side backed up copy of your local personal profile so any changes you make to your desktop (for instance) can follow you from PC to PC. Also, if your PC has to be rebuilt, your roaming profile saves you customizing your replacement again.
  • Folder Redirection has been provided to off-load what used to be files local to the PC, to our file servers. Again, this becomes important if a PC hard disk breaks. Files on networked servers are automatically backed up for you. (This also provides additional security if the PC were to be stolen.)
  • We have an Update server defined that can deliver only UW-approved operating system patches and updates. Providing an extra buffer between the full list of Microsoft updates and your workstations, without compromising security, has proven to be indispensable. This also provides us with a mechanism to quickly deliver critical patches if required.
  • Symantec Antivirus (or Norton Antivirus, as it used to be called) updates are provided from two central Antivirus servers. Again, these give us the ability to quickly deliver patches to protect you in case of virus attacks.
  • ...and lastly, having commonality with regards to all of the above services with over 1000 other clients at UW allows the IST support staff to react better and more quickly to client needs and concerns, saving IST and the client valuable time.

What Do I Give Up?

By joining Nexus as an OU instead of creating your own domain you will not be granted domain administrator privileges. Very few departmental administrative functions require this. Since administrative control over the workstations themselves is still granted, and since you can join your own computers to the domain (and take them out) if you wish, very little control is lost. The exceptions are as follows:

  • You will need to get a domain admin to join a member server to the domain. These might include your own printer or application servers. Once the server has been joined to the domain there is no further requirement for a domain admin account, as you will be granted full administrative control over all functions of your server.
  • As stated in the Active Directory Management for the UWAD Forest document, all userids will remain under IST control within Nexus. The reason for this is to minimize UWDIR conflicts. This is not to say that local OU generic accounts cannot be created, if required.
  • As stated above, the Active Directory Schema exists outside of the Nexus domain. Not only can OU administrators not change it, but neither can Nexus domain administrators. (You have to be a forest administrator to change the Schema.)
  • A few security policies have been defined for the protection of all Nexus clients, such as password length and complexity rules. These cannot be overridden by OU administrators. A full list of all applied policies, and what they are applied to, exists at: http://ist.uwaterloo.ca/w2k/projects/w2k/GroupPolicies.xls
  • Lastly, and this shouldn't hurt too much, you will not be able to manage any resources outside your OU. This means you cannot log on to or manage the Domain Controllers, allow a new domain into the forest, or gain any control over any other OU within Nexus. After all, you wouldn't want other OU administrators to manage your resources either.

In other words, you can be granted all the control you need over your own resources without the headaches of doing more than you have to.

What Can I Be Given Control Of?

You can be assigned full control over any resource within your OU. This includes computers, printers, file shares, security groups; anything but userids (as defined above). Control can be as all-inclusive or as restrictive as requested or required. Control must be requested by a departmental administrator and will be assigned to as few individuals as possible. Control will actually be defined on an administrative security group created for your OU; this way, if someone needs to be added or removed, it can be easily accomplished for all defined resources at once. Please note that with control comes responsibility, and this should not be taken lightly.

Alternatively, if you decide to host your own domain within the UWAD forest you will have full control, and responsibility, over everything in your domain. The drawback is that in this case very few of the above-mentioned IST-provided services will be at your disposal.
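The delegation pattern described above (control placed on one administrative security group per OU, covering computers, groups and printers but never userids) can be expressed and then verified with the Active Directory PowerShell module. The following is an added example written for this page; it is not an IST procedure or a tool from the original document, and it uses tooling that postdates the W2K era. The domain name nexus.example.test, the OU name Physics and the group name Physics-OU-Admins are hypothetical, and the function names Get-SchemaClassGuid and Get-OuDelegationReport are this example's own.

```powershell
# Added example, not from the original page. Delegates control of one OU to a
# security group (never to individual accounts) and then audits the OU's ACL.
# Hypothetical names: OU "Physics" in domain nexus.example.test, group "Physics-OU-Admins".
# Requires the RSAT ActiveDirectory module; step 2 needs rights to edit the OU's ACL.
Import-Module ActiveDirectory

$ouDN      = "OU=Physics,DC=nexus,DC=example,DC=test"   # hypothetical OU
$groupName = "Physics-OU-Admins"                        # hypothetical delegated-admin group

# Look up a class's schemaIDGUID from the schema partition instead of hard-coding it.
function Get-SchemaClassGuid {
    param([Parameter(Mandatory)][string]$LdapDisplayName)
    $schemaNC = (Get-ADRootDSE).schemaNamingContext
    $obj = Get-ADObject -SearchBase $schemaNC -LDAPFilter "(lDAPDisplayName=$LdapDisplayName)" -Properties schemaIDGUID
    return [Guid]$obj.schemaIDGUID
}

# 1. One security group carries the delegation. Adding or removing a person later
#    is a membership change, not an ACL change on every resource.
if (-not (Get-ADGroup -Filter "Name -eq '$groupName'")) {
    New-ADGroup -Name $groupName -GroupScope Global -GroupCategory Security -Path $ouDN
}
$sid = (Get-ADGroup $groupName).SID

# 2. Grant the group full control over computer, group and printQueue objects in the OU.
#    The 'user' class is deliberately left out: userids stay under central control.
$acl = Get-Acl -Path "AD:\$ouDN"
foreach ($class in 'computer', 'group', 'printQueue') {
    $classGuid = Get-SchemaClassGuid $class

    # Right to create and delete objects of this class in the OU and its child OUs.
    $acl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
        $sid,
        [System.DirectoryServices.ActiveDirectoryRights]'CreateChild, DeleteChild',
        [System.Security.AccessControl.AccessControlType]::Allow,
        $classGuid,
        [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All)))

    # Full control over existing objects of this class below the OU (inherited-object ACE).
    $acl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
        $sid,
        [System.DirectoryServices.ActiveDirectoryRights]::GenericAll,
        [System.Security.AccessControl.AccessControlType]::Allow,
        [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents,
        $classGuid)))
}
Set-Acl -Path "AD:\$ouDN" -AclObject $acl

# 3. Audit: list every explicit (non-inherited) ACE on the OU and flag any that is
#    granted directly to a user account rather than to a group.
function Get-OuDelegationReport {
    param([Parameter(Mandatory)][string]$DistinguishedName)
    $acl = Get-Acl -Path "AD:\$DistinguishedName"
    foreach ($ace in ($acl.Access | Where-Object { -not $_.IsInherited })) {
        $principal = $null
        try {
            $aceSid    = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier])
            $principal = Get-ADObject -Filter "objectSid -eq '$aceSid'" -ErrorAction SilentlyContinue
        } catch { }   # well-known or foreign SIDs may not resolve; report them as unresolved
        [PSCustomObject]@{
            Identity      = $ace.IdentityReference.Value
            PrincipalType = if ($principal) { $principal.ObjectClass } else { 'unresolved' }
            Rights        = $ace.ActiveDirectoryRights
            ObjectType    = $ace.ObjectType
            Inheritance   = $ace.InheritanceType
            Flag          = if ($principal -and $principal.ObjectClass -eq 'user') { 'DIRECT USER GRANT' } else { '' }
        }
    }
}

Get-OuDelegationReport -DistinguishedName $ouDN | Format-Table -AutoSize
```

Running the report periodically against each delegated OU is the practical check for the rule that control goes to as few individuals as possible: any row flagged DIRECT USER GRANT is an ACE that bypasses the OU's administrative group and should be moved into group membership instead. Because the ACEs are scoped by object class, the same script shows at a glance that no entry grants rights over user objects, matching the restriction that userids remain under central control.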

This document was created by: Manfred Grisebach, MC1040, x3449

Last modified: January 6th, 2003