Windows 2000 Administrative Strategies

There are three main strategies for Windows 2000 administration: centralized administration, moving administrative capabilities and tools out to the user, and a hybrid approach.

Administration Strategy Decision Criteria

Each organization should consciously determine an administration strategy. Most organizations have a legacy of staff and "organization" around operating their environment that is in place for reasons ranging from "This is how we have always done it" to "We only have the budget for three staff members." Many of the Windows NT 4.0 operations in place today consist of a collection of departmental administrators, all with administrative rights, a structure that grew out of the grassroots installation of Windows NT. In contrast, some organizations have installed Windows NT from a centralized organization and have implemented a strict process that mimics their mainframe operations. Each of these existing organizations can benefit from the flexibility that Active Directory provides for administering the environment.

With Active Directory and Windows 2000, each organization should evaluate the correct model for administering their environment. There are several key criteria for evaluating how they should approach the problem. These criteria include control, demographics of the organization, security requirements, support expectations, and flexibility. These are seen as the foundations for evaluating how to build your administration strategy.

Controlling your environment is fundamental to your administration. The level of control you want over your environment dictates what you need to implement. As an example, the level of control dictates what type of Group Policy Objects (GPOs) you should create and where in the Site, Domain, and Organizational Unit (SDOU) structure the policies should be placed. Your level of control can also dictate the type of workstations you permit in your network.

The demographics of your organization also play an important part in how you need to set up your administration. If your organization has administrative staff in remote locations, you might want to distribute some of the responsibilities to them. If the end users have a high computer literacy, you might decide to distribute some of the administrative responsibilities to the end-user or you might reduce some of the control.

Security is a big factor in how you design your administration. All the requirements are related and your requirements for security have an impact on how you design your SDOU structure, what capabilities you give various administrative groups, and the processes you put in place to support the implementation.

Support expectations mean the type of response and the responsiveness to problems. Depending on the sophistication and training of the user community, remote control or Web-based FAQ sheets might not meet the requirements of the community. You might need to have local technical support to meet the user community's requirements.

Flexibility in your administrative model plays an important role in defining the service you need to provide and, thus, how you define your administrative model. The requirement for flexibility has an impact on how you distribute administrative control and where you put GPOs in your SDOU hierarchy. A typical requirement for flexibility is at the desktop, where various groups require the ability to install business specific applications. Other levels of flexibility include the requirement in organizations to bring up their own servers and printers or to modify their organizational unit (OU) container.

Centralized Administration Strategy

With Windows 2000 and Active Directory, you are able to develop a multitude of strategies for managing your environment. A simple, first approach is to mimic your typical Windows NT 4.0 environment by having a few specific accounts with unlimited capability to administer your environment. Although this shortchanges the capabilities of Windows 2000, organizationally it might make the transition to the new technology easier in the short run. In the long run, it can result in the difficult hurdle of taking away privileges when a more discriminating administrative model is put in place.

Beyond mimicking the Windows NT 4.0 administrative model, a centralized administration strategy can take advantage of the features that Active Directory, Windows 2000, and the tools provide as part of the product offering.

Why a Centralized Administration Strategy?

As stated earlier, administration can be viewed as being composed of several components. In Table 13.1, you can see an example of how the factors affect an interest in a centralized administrative model.

Table 13.1. Centralized Administration Analysis
Administrative Requirement / Disposition
Control: High need for control over the environment because of a lack of technological understanding and changes in the organization.
Demographics of Organization: Users are not sophisticated in the use of technology, and the training expense is not available at this time.
Security: Restrict access to confidential information on desktops and network.
Support Expectations: Users have a variety of needs, but most are used to mainframe-style support through phoning a Helpdesk.
Flexibility: Does not have a known requirement for immediate changes to the environment.

Centralized Administration Strategy Example

Based on the requirements described in the previous section, a centralized strategy should be implemented. The implementation includes the following components.

The SDOU structure includes GPOs at the domain level to provide three desktop-type lockdowns. The GPOs define three types of users. The first is the general computer user, who has all the basic user functionality. This includes the operating system, connectivity and access requirements, and base-level application support. The base-level application support includes the standard desktop applications and enterprise-wide horizontal applications.

The second level of desktop type is for the sales and managers in the organization who need to access applications that have specific financial information.

The third type of desktop is for IT. This desktop has access to the base-level applications and to the IT-specific applications that run the environment.

These GPOs would flow to each workstation based on inclusion in groups. Access to applications that fall outside the three desktop types would be applied to users based on inclusion in application-specific groups.

Administration would be held by a centralized group, and the division of responsibilities would be distributed in two tiers. The technical leads would have access to separate accounts for specific enterprise-wide changes and significant changes to the infrastructure. This would include items such as bringing on a new server or changing GPOs and applying them to Active Directory. The second tier would permit administration for maintenance items like backups and additions, deletions, and modifications for accounts and computers.

In addition, the requirements call for a deployment of tools that support the centralized environment. This can be a multi-media support approach that includes a Web page for support and IT project status, a Helpdesk staffed at a level where users reach a real person rather than voice-mail (most of the time), and an implementation that supports remote control of each workstation.
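The centralized example above (domain-linked GPOs for three desktop types, applied by group membership, and a second administrative tier limited to account and computer maintenance) can be expressed as an administrative script. The following is an added example, not code from the book; it uses the ActiveDirectory and GroupPolicy PowerShell modules of a current Active Directory domain and the dsacls tool, and the domain corp.example, the OU names Groups and Accounts, and the group names GPO-Desktop-General, GPO-Desktop-Finance, GPO-Desktop-IT and Tier2-Operators are constructed for the illustration.

```powershell
# Added example: build the centralized model described in the text.
# Assumptions (constructed): domain corp.example, OUs "Groups" and "Accounts",
# the group and GPO names below. Requires RSAT (ActiveDirectory, GroupPolicy) and dsacls.
Import-Module ActiveDirectory
Import-Module GroupPolicy

$domain   = Get-ADDomain
$domainDn = $domain.DistinguishedName     # e.g. DC=corp,DC=example
$netbios  = $domain.NetBIOSName           # e.g. CORP

# One security group per desktop type; each GPO is security-filtered to its group,
# so the lockdown "flows" to a user by group membership alone.
$desktopTypes = [ordered]@{
    'GPO-Desktop-General' = 'Base OS, connectivity and standard desktop applications'
    'GPO-Desktop-Finance' = 'General plus applications holding financial information'
    'GPO-Desktop-IT'      = 'General plus the IT applications that run the environment'
}

$groupsOu   = "OU=Groups,$domainDn"
$accountsOu = "OU=Accounts,$domainDn"
foreach ($ou in 'Groups', 'Accounts') {
    if (-not (Get-ADOrganizationalUnit -Filter "Name -eq '$ou'" -SearchBase $domainDn -SearchScope OneLevel)) {
        New-ADOrganizationalUnit -Name $ou -Path $domainDn
    }
}

foreach ($name in $desktopTypes.Keys) {
    if (-not (Get-ADGroup -Filter "Name -eq '$name'")) {
        New-ADGroup -Name $name -GroupScope Global -GroupCategory Security `
                    -Path $groupsOu -Description $desktopTypes[$name]
    }
    # GPO linked at the domain level, as the example prescribes.
    if (-not (Get-GPO -Name $name -ErrorAction SilentlyContinue)) {
        New-GPO -Name $name -Comment $desktopTypes[$name] | Out-Null
        New-GPLink -Name $name -Target $domainDn -LinkEnabled Yes | Out-Null
    }
    # Security filtering: Authenticated Users keep Read (clients must still read the
    # GPO to process it) but lose Apply; only members of the desktop-type group apply it.
    Set-GPPermission -Name $name -TargetName 'Authenticated Users' -TargetType Group `
                     -PermissionLevel GpoRead -Replace | Out-Null
    Set-GPPermission -Name $name -TargetName $name -TargetType Group `
                     -PermissionLevel GpoApply | Out-Null
}

# Second tier: maintenance of accounts and computers in the Accounts OU only.
# Tier-one leads keep their separate, fully privileged accounts; nothing here grants
# the second tier any right over GPOs, servers or domain-wide settings.
$tier2 = 'Tier2-Operators'
if (-not (Get-ADGroup -Filter "Name -eq '$tier2'")) {
    New-ADGroup -Name $tier2 -GroupScope Global -GroupCategory Security -Path $groupsOu
}
# dsacls rights: CC/DC = create/delete child of the named class, RP/WP = read/write
# properties, CA = control access (extended right). /I:T applies to the OU and its
# subtree; /I:S applies to child objects only.
$grants = @(
    @{ Perm = 'CCDC;user';              Inherit = 'T' },  # create/delete user accounts
    @{ Perm = 'CCDC;computer';          Inherit = 'T' },  # create/delete computer accounts
    @{ Perm = 'RPWP;;user';             Inherit = 'S' },  # modify user account properties
    @{ Perm = 'RPWP;;computer';         Inherit = 'S' },  # modify computer account properties
    @{ Perm = 'CA;Reset Password;user'; Inherit = 'S' }   # extended right: reset user passwords
)
foreach ($g in $grants) {
    dsacls $accountsOu "/I:$($g.Inherit)" /G "$netbios\${tier2}:$($g.Perm)" | Out-Null
}

# Review what was granted; both listings are worth keeping as a baseline for later audits.
dsacls $accountsOu
foreach ($name in $desktopTypes.Keys) { Get-GPPermission -Name $name -All }
```

The point of the last two commands is operational: the GPO permission list and the OU ACL are the record of who can change the lockdown and who can change accounts, so a periodic comparison against this baseline detects privilege creep when the "more discriminating" model is later relaxed.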

Decentralized Administration Strategy

Another strategy is to move administrative capabilities and tools out as far as possible. Under this strategy, as much of the administration as possible is distributed to the end user. In some ways, this is happening on the Internet today. If you try to access some Internet sites, you need to register yourself and give them valuable demographic information. This is essentially "adding" you to the user database for the system. If the underlying theme of your strategy is to move to end user (or self) administration, the culture of your organization needs to be evaluated against the capabilities of the technology and the real impact. One way to evaluate your organization is to identify the cost of administrative support and the cost of the end user's time. If the value of the person's time exceeds the value of the administrator's time, this strategy probably does not make sense. A highly paid medical professional should probably not be burdened with the responsibility of administrative accounts if a more cost-effective staff person is able to perform the task.

Another roadblock to pushing the responsibility out to the end user is the requirement for training. You need to ask those in the organization if this additional responsibility is going to burden the community too much.

Pushing the administrative responsibilities out from the center is best justified if the end user or regional IT person can be more responsive to the users' or the organization's needs. We have seen an example of this with the advent of word processors. A typing pool or an administrative support person originally performed word processing. Today most executives perform much of their word processing themselves. The task of writing a document out, passing it to someone, and then reviewing it takes more time than it takes to write and proof the document yourself.

When distributing administrative tasks, you want to make the tasks more responsive to the user's needs. Here is an example to illustrate this point. An end-user is able to update part of the directory information through a Web page that has access to the directory. Because the user authenticates to the directory, Active Directory knows who the person is and permits updates to the individual's Active Directory entry. In this scenario, the end user can change only their information in Active Directory. Some fields are protected from change by Active Directory.
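The self-service scenario above has two enforcement points: the Web page decides which fields it offers, and Active Directory decides which attributes the authenticated user may actually write on their own entry. The routine below is an added example, not the book's code, of the server side of such a Web page using the ActiveDirectory PowerShell module of a current domain; the attribute list, the domain controller name dc1.corp.example and the account CORP\jdoe are constructed for the illustration.

```powershell
# Added example: self-service directory update behind a Web page.
# Assumptions (constructed): ActiveDirectory module available, DC dc1.corp.example,
# the attribute allowlist below. Not part of the original text.
Import-Module ActiveDirectory

# Attributes the Web page lets a user change on their own entry. Anything else
# (group membership, manager, logon name, ...) is rejected here and, because the
# write is performed as the user rather than as a privileged service account, is
# rejected a second time by the directory's own permissions on the user object.
$SelfServiceAttributes = @('telephoneNumber', 'mobile', 'streetAddress', 'l', 'postalCode')

function Update-SelfDirectoryInfo {
    param(
        # The end user's own credential, established when they authenticated to the page.
        [Parameter(Mandatory)] [System.Management.Automation.PSCredential] $Credential,
        # Requested changes: LDAP attribute name -> new value, as posted by the form.
        [Parameter(Mandatory)] [hashtable] $Changes,
        [string] $Server = 'dc1.corp.example'   # constructed
    )

    $accepted = @{}
    $rejected = @()
    foreach ($attr in $Changes.Keys) {
        if ($SelfServiceAttributes -contains $attr) { $accepted[$attr] = $Changes[$attr] }
        else                                        { $rejected += $attr }
    }

    if ($accepted.Count -gt 0) {
        # The target identity is derived from the credential, never from a form field,
        # so a user can only ever name their own entry.
        $sam = $Credential.GetNetworkCredential().UserName
        Set-ADUser -Identity $sam -Replace $accepted -Credential $Credential -Server $Server
    }

    [pscustomobject]@{
        Accepted = @($accepted.Keys)
        Rejected = $rejected
    }
}

# Usage (constructed):
#   $cred = Get-Credential 'CORP\jdoe'
#   Update-SelfDirectoryInfo -Credential $cred -Changes @{
#       telephoneNumber = '+1 555 0100'      # accepted and written
#       manager         = 'CN=Boss,...'      # rejected by the allowlist
#   }
```

Binding as the user, instead of having the Web tier hold an account that can write any user's attributes, is what makes the "only their own information" guarantee in the text hold even if the page has a bug: a compromised or mistaken front end can do no more than the requesting user already could.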

Why a Decentralized Administration Strategy?

A decentralized administration strategy is typically motivated by the responsiveness and accuracy of the task. Simple things, like updating your address or changing your password, take time when someone on the other end of the phone is there. The capability to perform the action is immediate when you are able to perform the action directly. Rather than listening to you spell your street address and thus possibly creating an inaccurate entry, a user who updates their own address information is going to have it entered correctly.

Table 13.2 identifies an example of the findings leading to a decentralized administration strategy.

Table 13.2. Decentralized Administration Analysis
Administrative Requirement / Disposition
Control: The need for control is limited. Users and organizations use the network and network resources as they would other utility services. The network responsibility ends at the plug in the wall. Desktops are the responsibility of the business units.
Demographics of Organization: Users are sophisticated. Everyone has their own PC or laptop.
Security: Restrict access to confidential information on desktops and network. Users are responsible for desktop data. IT is responsible for network data.
Support Expectations: Users and organizations continue to be autonomous. They work with IT on network issues, but seek desktop support as an exception.
Flexibility: There is a high requirement for desktop flexibility and access to the network from multiple locations. New applications are brought up at will at the business unit level.

Decentralized Administration Strategy Example

The requirements described in Table 13.2 lead to a decentralized administration strategy. A decentralized administration requires less work in developing and testing GPOs in the organization. There is still a requirement for policies to be applied to all workstations that are attached to the network and use network resources. Centrally, computer accounts and user accounts need to be created to give users access to the network.

Based on the previously stated requirements, the organization needs to develop procedures for allowing organizations to join the network. This should be as automated as possible. After inclusion in the network has been established, it is up to the business unit or user to identify the workstation unique capabilities that need to be put in place.

In this example, there are sophisticated user communities, but no seasoned IT professionals in the business units. This prevents us from creating an OU structure, and it prevents business unit IT professionals from establishing GPOs as part of their OU.

The level of administration distribution in this example includes the self-administration of accounts, directory information, group participation, and password reset. In the business units, administrative support personnel are given basic training in printer administration, application support, and basic troubleshooting techniques. Finally, the limited central IT staff rarely provide immediate problem resolution. The central IT staff is focused on project work.

Hybrid Administration Strategy

The third strategy is a hybrid strategy. This strategy employs components of both the centralized administration strategy and the decentralized administration strategy. From a centralized administration view, this strategy addresses enterprise-wide considerations, such as communication between organizations and defining minimum functionality standards. From a decentralized administration view, this strategy addresses the need for autonomy and enables business units to make changes as their business dictates.

Why a Hybrid Administration Strategy?

A typical hybrid strategy uses centralized management for network-wide operations and decentralized operations to the regional offices where they fit. Updates or maintenance of the information is performed by those who know the information and are most interested in keeping up to date. A simple scenario for the hybrid approach is to have the centralized IT staff architect new capabilities and establish the services. The centralized staff's concerns would be functionality, disaster recovery procedures, and capacity planning, to name a few. These are typically administered and controlled by the central IT organization, regardless. The regional organization performs the tasks that are specific to them. This would include adding and deleting users and monitoring capacity within the framework of the centralized administration staff. Table 13.3 illustrates how unique requirements can be considered and planned for locally by monitoring the capacity planning in the region. This approach might include a variety of scenarios based on how the company is organized.

Table 13.3. Hybrid Administration Analysis
Administrative Requirement / Disposition
Control: The need for control exists. Regional offices need autonomy, but they also want backup support for the organization.
Demographics of Organization: Users are sophisticated. Everyone has their own PC or laptop. There is IT support in remote offices.
Security: Restrict access to confidential information on desktops and network. Users are responsible for desktop data. Some data is restricted to regional offices that want their own security.
Support Expectations: Users and organizations continue to be autonomous. They work with IT on network issues, but seek desktop support as an exception.
Flexibility: There is a high requirement for desktop flexibility and access to the network from multiple locations. New applications are brought up at will at the business unit level. There is IT support in regional offices.

Hybrid Administration

In the hybrid administration model, the centralized IT organization works with regional IT organizations to divide responsibility. In the extreme case, the Windows 2000 environment mimics the Windows NT 4.0 environment with specific trusts between Forests.

In this example, based on the description in Table 13.3, the requirements are satisfied by creating a centralized model that has regional domains. Each regional domain is administered by the central office and the regional office, but each office has the capability to create OUs in its domain as needed. The centralized organization can also provide GPO examples for use and suggest standards by example rather than by enforcement.
