This lab prepares you to design security groups and user rights assignments by meeting the following objectives:
This lab looks at designing security groups for an n-tiered client/server deployment at Contoso Ltd. (where n is the number of tiers). The deployment involves clients and servers spread across Contoso's four domains.
Make sure that you've finished reading the chapter before starting the lab. For guidance on designing your administrative structure, pay close attention to the sections of the chapter where the design decisions were applied.
Contoso Ltd., an international magazine sales company, wants to develop a methodology for creating security groups and deploying user rights in their organization. You've been asked to assist with designing the necessary user rights and security groups for the deployment of a new Human Resources application.
The new Human Resources (HR) application is an Active Directory–integrated application that uses an n-tiered client/server model for the storage of Human Resources-related information.
The Human Resources application must be able to categorize its users into one of four categories. Users at every location fall into one of these four categories, and each user is placed in exactly one category. The four categories of user access for the Human Resources application are defined in the following table:

| Category | Access Level |
|---|---|
| Application Managers | Must have full control of all areas of the application to manage and configure the application. |
| HR Manager | Must be able to grant access to the Human Resources application and determine the level of access to the application. Can assign any level of access except Application Manager. |
| HR Department | Able to modify content in Human Resources-related documents and databases. |
| Employee | Able to view all Human Resources public documents, including job postings, weekly bulletins, and United Way campaign information. |
As an n-tiered application, the Human Resources application takes advantage of the Windows 2000 capability for Kerberos delegation. This lets the Human Resources application service account process queries in the security context of the user running the application, rather than at the system account's permissions level.
To allow impersonation, the Human Resources application service account must be able to log on as a service and act as part of the operating system. This service account is used on all servers involved in the Human Resources application deployment. It isn't used at the client computers running the front-end application.
The application servers that support the Human Resources application are spread among the Seattle, Lima, and London offices, as shown in Figure 5.9.
Figure 5.9 Application server distribution for the Human Resources application
In Seattle all job postings are stored on the server named HRSeattle. When a user queries job postings, the request is redirected to the HRSeattle server transparently, without the knowledge of the user running the Human Resources application.
In Lima a server has been configured to store common Human Resources reports. The reports are physically located on the HRLima server, but they are accessible from the Web server in London through a virtual directory in Internet Information Services (IIS). The company is concerned about access times for the Human Resources reports because of the slow 56 K WAN link between London and Lima, as shown in Figure 5.10.
Figure 5.10 Wide Area Network for Contoso Ltd.
In London two servers are deployed for the Human Resources application. The HRLondon server contains most of the application data used by the Human Resources application. When a client queries the HRLondon server, the query returns only the result set that the caller's credentials allow. When Kerberos delegation is used, all queries run in the security context of the calling user.
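The scenario above is the classic AGDLP layout: accounts go into a global group per category in each account domain, those global groups are nested into a domain local group in the domain of each resource server, and the server's ACLs reference only the domain local groups. The following PowerShell is an added illustration of that pattern, not part of the lab or its appendix answer. It assumes a current Active Directory with the ActiveDirectory module (Windows 2000 itself predates PowerShell), and every domain name, container path, group name and server-to-domain mapping in it is a placeholder, since the lab names the three servers and four domains but not the domains' DNS names.

```powershell
# Added example (not from the lab): AGDLP group layout for the HR application.
# Assumes the ActiveDirectory module and placeholder domain/container names.
Import-Module ActiveDirectory
$ErrorActionPreference = 'Stop'

# Placeholder DNS names for Contoso's four domains (assumption, not from the lab).
$AccountDomains = @('seattle.contoso.example', 'lima.contoso.example',
                    'london.contoso.example', 'corp.contoso.example')

# One global group per user category, created in every account domain.
$Categories = @('HR Application Managers', 'HR Managers', 'HR Department', 'HR Employees')

# Resource servers named in the lab, mapped to the domain that holds each one
# (placeholder mapping; the lab only gives the cities).
$ResourceServers = @{
    'HRSeattle' = 'seattle.contoso.example'
    'HRLima'    = 'lima.contoso.example'
    'HRLondon'  = 'london.contoso.example'
}

function New-HrGlobalGroups {
    # A -> G: users of a category in a domain become members of that domain's
    # global group for the category.
    foreach ($domain in $AccountDomains) {
        $base = (Get-ADDomain -Server $domain).DistinguishedName
        foreach ($category in $Categories) {
            if (-not (Get-ADGroup -Filter "Name -eq '$category'" -Server $domain)) {
                New-ADGroup -Name $category -SamAccountName ($category -replace ' ', '') `
                    -GroupScope Global -GroupCategory Security `
                    -Path "CN=Users,$base" -Server $domain
            }
        }
    }
}

function New-HrDomainLocalGroups {
    # G -> DL: one domain local group per server and category, created in the
    # server's own domain and holding the matching global group from all four
    # domains. Permissions on the server's shares, databases and IIS virtual
    # directories are granted to these groups only, so adding a domain later
    # means adding one global group to each membership, not touching ACLs.
    foreach ($server in $ResourceServers.Keys) {
        $resourceDomain = $ResourceServers[$server]
        $base = (Get-ADDomain -Server $resourceDomain).DistinguishedName
        foreach ($category in $Categories) {
            $dlName = "$server - $category"
            if (-not (Get-ADGroup -Filter "Name -eq '$dlName'" -Server $resourceDomain)) {
                New-ADGroup -Name $dlName -GroupScope DomainLocal -GroupCategory Security `
                    -Path "CN=Users,$base" -Server $resourceDomain
            }
            $members = foreach ($domain in $AccountDomains) {
                Get-ADGroup -Filter "Name -eq '$category'" -Server $domain
            }
            Add-ADGroupMember -Identity $dlName -Members $members -Server $resourceDomain
        }
    }
}

function Get-HrCategoryConflicts {
    # The lab requires each user to sit in exactly one category. Report users
    # that are direct members of more than one category global group.
    foreach ($domain in $AccountDomains) {
        Get-ADUser -Filter * -Properties memberOf -Server $domain | ForEach-Object {
            $hits = @($_.memberOf | Where-Object {
                $dn = $_
                $Categories | Where-Object { $dn -like "CN=$_,*" }
            })
            if ($hits.Count -gt 1) {
                [pscustomobject]@{ User = $_.UserPrincipalName; Groups = $hits }
            }
        }
    }
}

New-HrGlobalGroups
New-HrDomainLocalGroups
Get-HrCategoryConflicts | Format-Table -AutoSize
```

Run `Get-HrCategoryConflicts` on its own as a periodic check: a user who lands in both `HR Managers` and `HR Department` would otherwise silently receive the union of both access levels, which violates the one-category rule in the table above.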
This exercise looks at designing the security groups required for Contoso's Human Resources application deployment. Answers to these questions can be found in the appendix.
| Category | Global Group(s) | Membership |
|---|---|---|
| Application Managers | | |
| HR Managers | | |
| HR Department | | |
| Employees | | |
| Domain Local Group | Membership | Where Deployed |
|---|---|---|
| | | |

| Domain Local Group | Membership | Where Deployed |
|---|---|---|
| | | |

| Domain Local Group | Membership | Where Deployed |
|---|---|---|
| | | |
The Human Resources application requires a service account that will be used at all application servers involved in running the HR application. Answers to these questions can be found in the appendix.
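The requirements on page for the service account are that it be trusted for Kerberos delegation and hold the user rights Log on as a service and Act as part of the operating system on every application server, and on no client. The following PowerShell is an added example, not the lab's own answer, of provisioning that account and applying those two rights on one application server. It assumes the ActiveDirectory module on a current domain, and the account name, domain name and file paths are placeholders.

```powershell
# Added example (not from the lab): HR application service account with
# Kerberos delegation and the two required user rights, applied per server.
Import-Module ActiveDirectory
$ErrorActionPreference = 'Stop'

$ServiceAccount = 'svc-hrapp'                 # placeholder account name
$ServiceDomain  = 'london.contoso.example'    # placeholder domain holding the account

function New-HrServiceAccount {
    # Plain user account reserved for the HR application service.
    if (-not (Get-ADUser -Filter "SamAccountName -eq '$ServiceAccount'" -Server $ServiceDomain)) {
        New-ADUser -Name $ServiceAccount -SamAccountName $ServiceAccount `
            -AccountPassword (Read-Host -AsSecureString 'Service account password') `
            -PasswordNeverExpires $true -Enabled $true -Server $ServiceDomain
    }
    # Trusted for delegation: the service can forward the calling user's Kerberos
    # credentials to HRSeattle, HRLima and HRLondon, so queries run as that user.
    Set-ADAccountControl -Identity $ServiceAccount -TrustedForDelegation $true -Server $ServiceDomain
}

function Get-HrRightHolders {
    # Export the local user rights assignment with secedit and return the current
    # holders of the named right as a list of "*SID" or account strings.
    param([string]$Right, [string]$ExportPath = "$env:TEMP\current-rights.inf")
    secedit /export /cfg $ExportPath /areas USER_RIGHTS | Out-Null
    $line = Get-Content $ExportPath | Where-Object { $_ -match "^$Right\s*=" } | Select-Object -First 1
    if (-not $line) { return @() }
    @((($line -split '=', 2)[1].Trim() -split ',') | Where-Object { $_ })
}

function Grant-HrServiceRights {
    # Run on each HR application server only (never on a client). A template's
    # [Privilege Rights] entry replaces the whole holder list for a right, so
    # the existing holders are read first and the service SID is appended.
    $sid    = (Get-ADUser -Identity $ServiceAccount -Server $ServiceDomain).SID.Value
    $rights = @{}
    foreach ($right in 'SeServiceLogonRight', 'SeTcbPrivilege') {
        $holders = Get-HrRightHolders -Right $right
        if ($holders -notcontains "*$sid") { $holders += "*$sid" }
        $rights[$right] = $holders -join ','
    }
    $template = "$env:TEMP\hr-service-rights.inf"
    @"
[Unicode]
Unicode=yes
[Version]
signature="`$CHICAGO`$"
Revision=1
[Privilege Rights]
SeServiceLogonRight = $($rights['SeServiceLogonRight'])
SeTcbPrivilege = $($rights['SeTcbPrivilege'])
"@ | Set-Content -Path $template -Encoding Unicode
    secedit /configure /db "$env:TEMP\hr-service-rights.sdb" /cfg $template /areas USER_RIGHTS | Out-Null
}

function Test-HrServiceRights {
    # Audit helper: true when the service SID holds both rights on this machine.
    # Expect $true on HRSeattle, HRLima and HRLondon and $false on every client.
    $sid = (Get-ADUser -Identity $ServiceAccount -Server $ServiceDomain).SID.Value
    ((Get-HrRightHolders -Right 'SeServiceLogonRight') -contains "*$sid") -and
    ((Get-HrRightHolders -Right 'SeTcbPrivilege') -contains "*$sid")
}

New-HrServiceAccount
Grant-HrServiceRights
Test-HrServiceRights
```

Act as part of the operating system (`SeTcbPrivilege`) lets a holder obtain any token, so the scope matters more than the mechanics: in a domain the usual way to keep the assignment on exactly the three application servers is to put those servers in their own OU and deliver the same two User Rights Assignment settings through a Group Policy object linked there, and to run `Test-HrServiceRights` on a sample of client computers to confirm the rights never reached them.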