The examples in this section demonstrate how to configure Managed Units, and allow you to see how Managed Units work.
Managed Unit (MU) is a collection of objects (administrative view), created for the purposes of distribution of administration, enforcement of business rules, and management of complex network environments. Managed Units provide the capability to separate the management framework from the Active Directory design. By using Managed Units, directory objects can be grouped into administrative views regardless of object location in Active Directory.
Consider an example in which the AD design is based on geographic locations, with domains named after cities or regions and OUs named for corporate departments or groups. Managed Units could be designed to manage specific departments or groups that are divided across multiple geographic locations.
In this example, each AD domain has a Human Resources (HR) OU and a Sales OU. The Active Roles design has an HR MU and a Sales MU. The HR MU enables administrators to configure the policies and security restrictions for all HR users in one place, while the Sales MU provides the same kind of capability for all Sales users.
MUs are defined by membership rules—criteria that Active Roles uses to evaluate which objects belong to specific MU.
In your test domain, create three OUs named PHX Sales, BST Sales, and SEA Sales. Then, perform the following steps to create the Sales MU.
To create Managed Unit
The New Object - Managed Unit wizard starts.
The window displays a list of all the Sales OUs found.
This procedure ensures that all OUs with names containing ‘Sales’ are included in the Sales MU. If you only want the MU to include the OUs with specific names, such as ‘PHX Sales OU’, ‘BST Sales OU’ and ‘SEA Sales OU’, use explicit inclusion. To create the Sales MU using explicit inclusion, modify the above procedure as follows:
Active Roles ensures that security restrictions specified on an MU are applied to all objects held in that MU. When an MU holds a container, all child objects in that container inherit the security restrictions defined at the MU level. This inheritance continues down the directory tree within all containers held in a given MU.
When you assign the Full Control role to a group for a given MU, you authorize the members of that group to perform all administrative tasks in that MU. The members of the group to which you have assigned an administrative role are referred to as delegated administrators.
To assign the Full Control role for an MU
When assigned the Full Control role for an MU, the delegated administrator is authorized to view the MU and manage all objects in it. In the Active Roles console, the MU appears under Managed Units in the console tree.
Delegated administrators can use the Active Roles console to perform administrative tasks within the MU. Take the following steps to verify the rights of the delegated administrator using the Active Roles console.
To verify delegation using the Active Roles console
Delegated administrators can also use the Web Interface to perform administrative tasks. Take the following steps to verify the rights of the delegated administrator using the Active Roles Web Interface.
To verify delegation using the Web Interface