Delegate administrative functions

What you can delegate where.

OK. Times are tough in network administration land. With budgets squeezing tighter than a vice, you can't find the people to do the routine admin stuff that comes up every day, never mind the emergency tasks that have to get done right away.

How can you solve this problem? Well, think outside the box, and see if you can delegate some of the routine admin tasks to other people. This tip, excerpted from InformIT, discusses some ways to do this with Windows 2000.

Managing networks effectively for best performance and lowest cost will be the subject of many sessions at our FREE upcoming Networking Decisions conference, to be held in Chicago October 16 - 18 in Chicago. Click here to register for the conference.


If you're like most of your peers, you have lots of trick and tips that you have amassed over the years. Why not send them in to searchNetworking? We'll make you instantly famous when we post your tip on our Website, and we'll enter you into our tips contest for some great prizes.

Did this tip float your boat, or do you think it's a boat anchor? Why not e-mail and let us know.

One of the reasons for implementing Windows 2000 and Active Directory is the directory's capability to delegate administrative tasks. Part of defining the scope of your Active Directory, and therefore its namespace, is to identify which administrative tasks are delegated to which groups. Identifying the amount of delegation goes a long way toward determining the complexity of the Active Directory domain and OU structure.

A good example of where administrative tasks can be delegated is the Helpdesk. When users dial the Helpdesk on the phone and the automated operator answers, they might be presented with a menu that allows them to navigate to the type of support they need. In the same way, specific administrative permissions can be delegated to the groups that perform these support tasks:

  • Change or Reset Password -- This group of Helpdesk support can be granted permissions to change passwords without having permissions on other attributes of the user object.
  • Create or Remove Network Accounts -- This Helpdesk group can create and delete users, but they cannot change preexisting user object attributes.
  • Enable RAS Access -- This group of Helpdesk can guide users through setting up their RAS services and enabling their Active Directory account for RAS access.
  • Change User Name -- Perhaps an administrative assistant for every group is granted the ability to change user names.
  • Change Directory Information -- Users can be granted the right to maintain their own Active Directory object information.

Human Resources (HR) is a department in many organizations that could assume much of the maintenance responsibility for the network account. HR manages user benefits, payroll, and personnel files -- why not their network accounts too? When users are added to the HR system, a process or script could start that would create an Active Directory account in an OU and domain that is appropriate for the user as well as an Exchange mailbox on the appropriate Exchange server. This would go a long way toward alleviating IS from these day-to-day administrative tasks and freeing up resources for head-count to improve the IS infrastructure, not just maintain it.


To read the article from which this tip is excerpted, click over to InformIT. You have to register there, but the registration is free.


This was first published in September 2002

Dig deeper on Network Administration

Pro+

Features

Enjoy the benefits of Pro+ membership, learn more and join.

0 comments

Oldest 

Forgot Password?

No problem! Submit your e-mail address below. We'll send you an email containing your password.

Your password has been sent to:

-ADS BY GOOGLE

SearchSDN

SearchEnterpriseWAN

SearchUnifiedCommunications

SearchMobileComputing

SearchDataCenter

SearchITChannel

Close