This scenario involves the creation of an administrative view named Sales in an organization with an OU-based structure of Active Directory.
Suppose an organization has offices in USA and Canada. The rule for including a user in an OU is the geographical location of the user. Therefore, all users who work in USA reside in the USA OU, and those working in Canada reside in the Canada OU.
The offices in USA and Canada each have Marketing, Development, and Sales departments. By creating a Sales MU, it is possible to manage users from the Sales departments in USA and Canada collectively, without changing the actual OU-based structure.
When delegating control of an MU, all users that belong to the MU inherit security settings defined at the level of the Managed Unit. Thus, applying an Access Template to a Managed Unit specifies the security settings for each user in the MU.
To implement this scenario, perform the following steps:
-
Create the Sales MU.
-
Add users from the Sales department in USA and Canada to the Sales MU.
-
Prepare the Sales Access Template.
-
Apply the Sales Access Template to the Sales MU, and designate an appropriate group as a Trustee.
As a result, the members of the group gain control of user accounts that belong to the Sales MU. The scope of control is defined by the permissions in the Sales Access Template.
The following sections elaborate on the steps to implement this scenario.