Each domain or domain tree has security boundaries. The system administrator can grant rights to individuals in organizational units with greater granularity. In fact, certain administrative responsibilities can be granted on an OU basis without endangering system security. As more users become "empowered" to manage aspects of their normal work within their environment, the mundane responsibilities of system administration are reduced.
If a system administrator considers a security boundary as a logical management segment, responsibility for each boundary or segment can be delegated to other administrators. A system administrator in one domain is not automatically the administrator in another domain. Alternatively, an administrator may want to extend his or her control over many domains. Administrative privileges can be delegated by organizational unit, domain, tree, or forest.
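A read-only check of what has actually been delegated on each OU, added here as an example and not taken from the original page. It assumes the ActiveDirectory PowerShell module (RSAT) is installed; the list of expected trustees is an assumption to adjust for your domain.

```powershell
Import-Module ActiveDirectory   # also provides the AD: drive used by Get-Acl

# Assumption: trustees that are expected on every OU and are not reported.
$expected = @(
    'NT AUTHORITY\SYSTEM',
    'BUILTIN\Administrators',
    'NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS'
)
$expectedPattern = '\\(Domain Admins|Enterprise Admins)$'

# Rights that let a trustee rewrite the OU's permissions or take ownership.
# GenericAll (full control) contains both bits, so it is flagged as well.
$aclControl = [System.DirectoryServices.ActiveDirectoryRights]'WriteDacl, WriteOwner'

$report = foreach ($ou in Get-ADOrganizationalUnit -Filter *) {
    $acl = Get-Acl -Path "AD:\$($ou.DistinguishedName)"

    foreach ($ace in $acl.Access) {
        # Keep only explicit Allow entries: these are the delegations
        # made on this OU itself, not those inherited from the domain.
        if ($ace.IsInherited) { continue }
        if ($ace.AccessControlType -ne 'Allow') { continue }

        $who = $ace.IdentityReference.Value
        if ($expected -contains $who -or $who -match $expectedPattern) { continue }

        [pscustomobject]@{
            OU          = $ou.DistinguishedName
            Trustee     = $who
            Rights      = $ace.ActiveDirectoryRights
            # ObjectType is the GUID of the property or extended right;
            # an all-zero GUID means the right applies to everything.
            ObjectType  = $ace.ObjectType
            AppliesTo   = $ace.InheritanceType
            CanTakeOver = ([int]($ace.ActiveDirectoryRights -band $aclControl)) -ne 0
        }
    }
}

# Entries with CanTakeOver = True go beyond a task-level delegation.
$report | Sort-Object OU, Trustee | Format-Table -AutoSize
```

Default entries that Active Directory places on new OUs will also appear in the output; record them once as a baseline so that later runs show only the delegations administrators have added.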
Another important aspect of this containerized OU and domain tree strategy is how it copes with organizational change. In many operating systems, changes or deletions usually require many hours of a system administrator's manual labor. The Active Directory permits OU changes to be accommodated by pruning, grafting, and merging branches from one domain tree to another. It also provides simple drag-and-drop functionality. For example, if the widget department in Ohio is to be consolidated with the super-widget department in Michigan, the system administrator need only drag that object to the domain tree of the merged organization.