Chapter Scenario: Hanson Brothers

Hanson Brothers is a hockey equipment manufacturing company with a head office in Warroad, Minnesota. Hanson Brothers uses Microsoft Windows 2000 as its network operating system and currently uses a centralized administration model for user accounts. With its upcoming expansion to Boise, Idaho, and Calgary, Alberta, the company plans to decentralize the administration of user accounts.

To support the decentralization of management tasks in the network, you've been hired to help Hanson Brothers' Information Technology (IT) staff design their Active Directory directory service so that it supports the required delegation of administration. You must also ensure that administration of the network doesn't weaken network security.

The Existing Network

All of Hanson Brothers' network operations are currently managed out of the head office in Warroad, but with the expansion to Boise and Calgary, the company plans to delegate account administration to these offices.

Figure 4.1 shows the network links that exist among Hanson Brothers' three offices.

Figure 4.1 The Hanson Brothers Wide Area Network

Both the Calgary and the Boise offices are connected to the Warroad office with T1 connections. The connections are currently experiencing 5 percent utilization of available network bandwidth.

Hanson Brothers' Active Directory Design

Hanson Brothers initially implemented Active Directory using a single domain (hansonbrothers.tld). The IT department wants to maintain a single domain for the entire organization in order to reduce the management requirements that would be involved if the organization implemented multiple domains.

All user accounts, computer accounts, and domain controllers (DCs) are currently stored in the default locations in Active Directory. Hanson Brothers realizes that to implement its planned single-domain model in a way that allows for delegation of administration, it must create an organizational unit (OU) structure that will facilitate such delegation.

Hanson Brothers' Administrative Needs

In your meetings with the IT staff, you've determined the following requirements for administration of the network:

  • Membership in administrative groups that can affect the domain and forest must be monitored regularly to ensure that no unauthorized membership exists. Specifically, the monitoring must include the following groups:
    • Domain Admins
    • Enterprise Admins
    • Schema Admins
    • Administrators
  • Hanson Brothers maintains a help desk around the clock. The help desk personnel must be able to reset passwords and unlock any locked-out user accounts.
  • Hanson Brothers uses a Human Resources program that stores its data in Active Directory. The members of the Human Resources department must be able to modify Human Resources-specific attributes of all users in the organization.
  • Local administrators in Boise and Calgary must be able to manage all user and computer accounts at their location. To ensure maximum security, the administrators must be able to manage accounts only at their local offices, and not at either of the other two offices.
  • At the Boise office, one of the network administrators uses a UNIX Scalable Processor Architecture (SPARC) workstation as that person's primary desktop. This administrator wishes to perform network management functions from the UNIX workstation.
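
One way to meet the group-monitoring requirement above, as an added example that is not part of the training kit: diff an LDIF export of the group objects (such as ldifde produces) against an approved baseline. The account names tempsvc and adm-yschleger, the baseline, and the finding labels are constructed for illustration.

```python
import base64
import re

U = "CN=Users,DC=hansonbrothers,DC=tld"   # default container, per the scenario
MONITORED = {"domain admins", "enterprise admins", "schema admins", "administrators"}
# Constructed sample export and approved baseline; account names are invented.
SAMPLE_LDIF = f"""\
dn: CN=Domain Admins,{U}
member: CN=Administrator,{U}
member: CN=tempsvc,{U}

dn: CN=Schema Admins,{U}
member: CN=adm-yschleger,CN=Users,
 DC=hansonbrothers,DC=tld
"""
APPROVED = {"domain admins": {f"CN=Administrator,{U}"},
            "schema admins": {f"CN=adm-yschleger,{U}"}}

def parse_ldif(text):
    """Return {group DN: [member DN, ...]}, handling folded and base64 lines."""
    entries, dn = {}, None
    for line in re.sub(r"\r?\n ", "", text).splitlines():   # unfold continuations
        attr, _, value = line.partition(":")
        if value.startswith(":") and not line.startswith("#"):
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        attr, value = attr.strip().lower(), value.strip()
        if not line.strip():                 # blank line ends the current entry
            dn = None
        elif attr == "dn":
            dn = value
            entries[dn] = []
        elif attr == "member" and dn is not None:
            entries[dn].append(value)
    return entries

def audit(ldif_text, approved):
    """Diff exported membership against approved {group name: member DNs}."""
    findings, seen = [], set()
    for dn, members in parse_ldif(ldif_text).items():
        name = dn.split(",", 1)[0].partition("=")[2].strip().lower()
        if name in MONITORED:
            seen.add(name)
            current = {m.lower() for m in members}
            allowed = {m.lower() for m in approved.get(name, ())}
            findings += [(name, "UNAUTHORIZED", m) for m in sorted(current - allowed)]
            findings += [(name, "MISSING", m) for m in sorted(allowed - current)]
    # A monitored group absent from the export must not pass silently.
    findings += [(g, "NOT_EXPORTED", "") for g in sorted(MONITORED - seen)]
    return findings
```

Members that are themselves groups appear only as DNs and are not expanded, so a nested group needs its own entry in the export and in the baseline.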

The Central Administration Team

A central IT team at the Warroad office designed Hanson Brothers' corporate network. The group split network administration tasks among themselves and defined the following roles and tasks, shown in Table 4.1.

Table 4.1 Administrative Roles for Hanson Brothers Central IT Team

IT Team Member      Roles
----------------    -----------------------------------------------------------
Stephanie Conroy    Backups and Group Policy management
Derek Graham        Domain Name System (DNS) and Dynamic Host Configuration Protocol (DHCP) management
Steve Masters       Management of all user accounts except administrative accounts
Kim Hightower       Restoration of network backups
Yvonne Schleger     Schema design
Eric Miller         Backup and restore management, share management, manage services

Hanson Brothers' Current Issues

It's believed that some network administrators are using their administrative accounts for day-to-day activities on the network. A few months ago, an account's password was changed from an administrator's console when the administrator forgot to lock the computer during the lunch hour. Due to the security issues, you must include the following items in your administrative security design:

  • Administrators must have two accounts for working on the network. One would be used for administrative tasks and the second would be used for day-to-day activities.
  • Accounts with a forest-wide scope must be restricted to specific workstations.
  • It should be easy to determine whether an account on the network is an administrative account or a day-to-day user account.

Microsoft Corporation - MCSE Training Kit (Exam 70-220. Designing Microsoft Windows 2000 Network Security)
ISBN: 0735611343
Year: 2001
Pages: 172