Depending on the structure of your organization, you might consider using container administrators to decentralize administration duties. Instead of having one centralized administrator handling all of the your network’s administrative tasks, the responsibility for individual containers can be delegated to employees located in the department or at the remote location where the administration should occur. Container administrator duties could include:
- Creating user accounts
- Managing print services
- Performing backup and restore functions
- Writing and maintaining login scripts
- Managing file system security
- Maintaining local servers
You can reduce the management tasks associated with creating container administrators by creating an Organizational Role object to manage multiple container administrators. Once the initial setup has been completed, you’ll only have to add or remove occupants.
Follow these steps to create a container administrator using an Organizational Role object:
- Create an Organizational Role object in the container.
- Make the Organizational Role object a trustee of the container.
- Assign the Organizational Role object [BCDR] or [SBCDR] rights to administer the container.
- Assign the Organizational Role object the Read property right on the Trustees List of the container. This optional step will prevent the container administrator from granting container rights or setting the Inherited Rights Filter (IRF), but it will still be able to administer container objects.
- Assign any necessary file system rights.
- Add occupants to the Organizational Role object. The occupants will have the ability to perform administrative duties in the container.
- As a safety measure, always ensure that at least one other object, normally a user object, has been assigned [SBCDR] rights. If the Organizational Role object is accidentally deleted, at least one other object will still have rights to administer the container, and control of the container will not be lost.
For departments that are responsible for highly sensitive data, consider creating an exclusive container administrator to allow the department to have complete control over its branch of the tree. A good example would be the human resources department. This department normally doesn’t permit anyone else to have access to its documents and files, including network administrators.
These steps can be used to create an exclusive container administrator:
- Use the steps above to create a container administrator Organizational Role object.
- Make the Organizational Role object a trustee of the container with [SBCDR] object rights and [SRCWA] property rights. Assign all rights to prevent the Supervisor right from being filtered out by an IRF.
- Using an IRF, revoke inherited rights at the container so that nobody, including the Admin user, will have inherited rights. You might want to set the IRF to [B] object right and [R] property right to allow others to see the container objects.
- Remove the Admin user’s trustee assignments to the container.
- Verify that the Organizational Role object has [S] rights to itself, and then remove all of the Admin user’s trustee assignments to the object. This will prevent anyone from restricting the Organizational Role object's new rights.
- Once again, to prevent losing control over the container, ensure that at least one other user has the same rights assigned to it as the Organizational Role object. If the Organizational Role object is accidentally deleted, you will lose control over that branch unless someone else has been given the correct rights to perform administrative duties.
These two special roles will divide network management tasks among a team of administrators who know the special needs of their department or location, and who will be very responsive in addressing those needs. Their effective use will be an asset to any network management team.
Steve Pittsley is a desktop analyst for a Milwaukee hospital. He enjoys playing drums, bowling, and most sports.If you'd like to share your opinion, please post a comment at the bottom of this page or send the editor an e-mail.