###BeginCaseStudy###
Case Study: 3
Baldwin Museum of Science
Scenario:
COMPANY OVERVIEW
The Baldwin Museum of Science is an internationally renowned museum of science history.
Physical Location
The museum has a main office and a branch office named Branch1. The main office has
5,000 users. Branch1 has 1,000 users. The main office connects to Branch1 by using a WAN
link. The WAN link is highly saturated. The museum has a sales department. All of the users
in the sales department have client computers that run Windows XP Service Pack 3 (SP3).
EXISTING ENVIRONMENT
Active Directory Environment
The network contains one Active Directory forest. The forest contains two domains named
baldwinmuseumofscience.com and ad.baldwinmuseumofscience.com. All user accounts and
computer accounts for all employees are in the ad.baldwinmuseumofscience.com domain.
The organizational unit (OU) structure for ad.baldwinmuseumofscience.com is shown in the
exhibit. (Click the Case Study Exhibits button.)
Network Infrastructure
The network contains the following servers and applications:
• Application servers that run either Windows Server 2003 Service Pack 2 (SP2), Windows
Server 2008 SP2, or Windows Server 2008 R2.
• A custom application named App1 that runs on all of the application servers. App1 writes
events to the Application log.
• A line-of-business application named App2 that requires Internet Explorer 6. All of the
users in the sales department run App2.
• File servers that run Windows Server 2008 R2.
The main office has the following:
• A two-node failover cluster that runs Windows Server 2008 R2 and has the Hyper-V role
installed and a Cluster Shared Volume. The failover cluster hosts four virtual machines
(VMs) that run Windows Server 2008 R2. The VMs are stored on the Cluster Shared
Volume. Each VM runs Microsoft SQL Server 2008.
• A server named Server1 that hosts two shared folders named Share1 and Share2. Share1
hosts 50,000 research documents that are shared by multiple users. Share2 hosts documents
that are created by users in the sales department.
Administration Model
All users in Branch1 are members of global groups and universal groups. The groups are
located in an OU named Groups in the ad.baldwinmuseumofscience.com domain.
REQUIREMENTS
Planned Changes
The Baldwin Museum of Science plans to implement a new branch office named Branch2.
Branch2 wi and will be configured as a separate Active Directory site. Branch2 will be
configured to meet the following requirements:
• Minimize the cost of deploying new servers.
• Contain only client computers that run Windows 7.
• Connect to the main office by using a saturated WAN link.
• Contain only servers that run Windows Server 2008 R2. The servers will be configured as
either file servers or Web servers. The file shares on the file servers must be available if a
single file server fails.
In Branch2, if a single domain controller or a WAN link fails, users in the branch must be
able to:
• Change their passwords.
• Log on to their client computers.
Technical Requirements
The Baldwin Museum of Science must meet the following technical requirements:
• Hardware and software costs must be minimized whenever possible.
• All VMs must be backed up twice a day.
• All VM backups must include the VM configuration information.
• Events generated by App1 must be stored in a central location.
• An administrator must be notified by e-mail when App1 generates an error.
• The number of permissions assigned to help desk technicians must be minimized.
• The help desk technicians must be able to reset the passwords and modify the membership
of all users in Branch1.
• If a user overwrites another user’s research document, the user must be able to recover a
previous version of the document.
• When users in the sales department work remotely, they must be able to access the files in
Share1 in the minimum amount of time.
Security
The Baldwin Museum of Science must meet the following security requirements:
• All scripts that run on production servers must be signed.
• Managers in Branch1 must be allowed to access the Internet at all times.
• Web site administrators must not be required to log on interactively to Web servers.
• Users in Branch1 must only be allowed to access the Internet between 12:00 and
13:00.
• Users and managers must be prevented from downloading executable files from the
Internet.
• Administration of the corporate Web sites must support all bulk changes and
scheduled content updates.
###EndCaseStudy###
You need to recommend an administrative solution for the help desk technicians that meets the
museum’s technical requirements. What should you recommend?
A. Add the help desk technicians to the Domain Admins group.
B. Add the help desk technicians to the Account Operators group.
C. Assign permissions for the Groups OU and the Branch1 OU to the help desk technicians.
D. Assign permissions for the domain object and the Users container to the help desk technicians.
Explanation:
You can delegate administrative control to any level of a domain tree by creating organizational units
within a domain and delegating administrative control for specific organizational units to particular
users or groups. Granting the help desk technicians permissions on the Groups OU lets them modify
group membership and create groups within that OU; granting them permissions on the Branch1 OU
lets them reset passwords within that OU. Options A, B and D all grant rights across the whole
domain, which conflicts with the requirement to minimize the permissions assigned to the technicians.
http://www.windowsecurity.com/articles/Implementing-Active-Directory-DelegationAdministration.html
How to delegate password reset permissions for your IT staff
One of the most common tasks to delegate, usually to a service desk or help desk, is the ability to
reset users’ passwords when they forget them and to unlock their accounts. To accomplish this, you
need to perform a few delegations: delegate the Reset Password extended right and the Write
Property permission for the pwdLastSet and lockoutTime attributes.
http://community.spiceworks.com/how_to/show/1464 well worth a look
To delegate group membership
http://www.scribd.com/doc/42818731/AD-Delegating-Control-of-Group-Membership
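The two delegations described above (Reset Password plus Write Property on pwdLastSet and lockoutTime for users in the Branch1 OU, and Write Property on the member attribute for groups in the Groups OU) can be applied with the ActiveDirectory PowerShell module rather than the Delegation of Control Wizard. The script below is an added example, not part of the exam material or any referenced article. It assumes the help desk technicians are in a security group named HelpDesk (an assumed name) and that the Branch1 and Groups OUs sit directly under the ad.baldwinmuseumofscience.com domain root; the real OU layout is only in the exhibit, so both distinguished names are assumptions. Attribute and extended-right GUIDs are resolved from the schema and configuration partitions instead of being hard-coded.

```powershell
# Added example (not from the exam material): delegate only the rights the help
# desk needs on the two OUs named in the case study, instead of adding the
# technicians to Domain Admins or Account Operators.
# Assumptions: the ActiveDirectory module is installed, a security group named
# "HelpDesk" exists (assumed name), and the Branch1 and Groups OUs are children
# of the domain root (assumed; the exhibit with the real OU tree is not available).
Import-Module ActiveDirectory
$ErrorActionPreference = 'Stop'

$HelpDeskGroup = 'HelpDesk'
$DomainDN      = 'DC=ad,DC=baldwinmuseumofscience,DC=com'
$Branch1OU     = "OU=Branch1,$DomainDN"
$GroupsOU      = "OU=Groups,$DomainDN"

$rootDse = Get-ADRootDSE

# Look up an attribute or class schemaIDGUID from the schema partition.
function Get-SchemaGuid {
    param([string]$LdapDisplayName)
    $obj = Get-ADObject -SearchBase $rootDse.schemaNamingContext `
        -LDAPFilter "(lDAPDisplayName=$LdapDisplayName)" -Properties schemaIDGUID
    return [guid]$obj.schemaIDGUID
}

# Look up a control access right (extended right) GUID from the configuration partition.
function Get-ExtendedRightGuid {
    param([string]$DisplayName)
    $obj = Get-ADObject -SearchBase "CN=Extended-Rights,$($rootDse.configurationNamingContext)" `
        -LDAPFilter "(displayName=$DisplayName)" -Properties rightsGuid
    return [guid]$obj.rightsGuid
}

$sid           = (Get-ADGroup $HelpDeskGroup).SID
$userClass     = Get-SchemaGuid 'user'
$groupClass    = Get-SchemaGuid 'group'
$resetPassword = Get-ExtendedRightGuid 'Reset Password'
$pwdLastSet    = Get-SchemaGuid 'pwdLastSet'
$lockoutTime   = Get-SchemaGuid 'lockoutTime'
$member        = Get-SchemaGuid 'member'

# One ACE: the right, the attribute/extended-right GUID it applies to, and the
# object class that inherits it, scoped to descendants only (not the OU itself).
function New-DelegationAce {
    param(
        [System.Security.Principal.SecurityIdentifier]$Sid,
        [System.DirectoryServices.ActiveDirectoryRights]$Rights,
        [guid]$ObjectType,
        [guid]$InheritedObjectType
    )
    New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
        $Sid, $Rights,
        [System.Security.AccessControl.AccessControlType]::Allow,
        $ObjectType,
        [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents,
        $InheritedObjectType)
}

# Read the OU's security descriptor through the AD: drive, append the ACEs, write it back.
function Add-DelegationAces {
    param([string]$OuDN, [System.DirectoryServices.ActiveDirectoryAccessRule[]]$Aces)
    $acl = Get-Acl -Path "AD:\$OuDN"
    foreach ($ace in $Aces) { $acl.AddAccessRule($ace) }
    Set-Acl -Path "AD:\$OuDN" -AclObject $acl
}

$extendedRight = [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight
$writeProperty = [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty

# Branch1 OU: reset password, plus write pwdLastSet and lockoutTime, on user objects only.
Add-DelegationAces -OuDN $Branch1OU -Aces @(
    (New-DelegationAce $sid $extendedRight $resetPassword $userClass),
    (New-DelegationAce $sid $writeProperty $pwdLastSet    $userClass),
    (New-DelegationAce $sid $writeProperty $lockoutTime   $userClass)
)

# Groups OU: write the member attribute on group objects only.
Add-DelegationAces -OuDN $GroupsOU -Aces @(
    (New-DelegationAce $sid $writeProperty $member $groupClass)
)

# Verify: list exactly which ACEs the help desk group now holds on each OU.
function Get-DelegatedAces {
    param([string]$OuDN, [System.Security.Principal.SecurityIdentifier]$Sid)
    (Get-Acl -Path "AD:\$OuDN").GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier]) |
        Where-Object { $_.IdentityReference -eq $Sid } |
        Select-Object ActiveDirectoryRights, ObjectType, InheritedObjectType, InheritanceType
}
Get-DelegatedAces $Branch1OU $sid
Get-DelegatedAces $GroupsOU  $sid
```

Run it once from an account that already holds Write DACL on the two OUs. The verification function is also a useful periodic check: the output should contain only the four object-specific ACEs added here, so any extra entry for the help desk SID (for example a GenericAll granted by a later wizard run) is a sign the delegation has drifted beyond what the technical requirements allow.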