The Microsoft Web Admin tool lets you create two types of organizations—customer organizations and child organizations—which the tool adds to Windows 2000 Active Directory (AD) as organizational units (OUs). The difference between the two is that Web Admin also configures a set of security groups for customer organizations. In addition, you can add customer organizations only to the Hosting OU that the tool creates during setup, and you can add child organizations only to customer organizations or other child organizations. Figure A shows an example of an environment with four customer organizations (i.e., Cust1, Cust1a, Cust1b, and Cust2) and five child organizations (i.e., OU1, OU2, OU3, OU4, and OU5). When you create a customer organization, the following steps occur:
- Web Admin adds an OU (with the customer organization's name) beneath the Hosting OU.
- Web Admin adds security groups to the new OU. Whenever someone uses Web Admin to create a new user account, the tool adds that account to the applicable security groups, depending on the new user's role.
- Web Admin configures the new OU's ACL with the appropriate security groups and permissions. Web Admin uses a combination of AD OUs and Win2K security to grant specific permissions to the predefined security groups.
Figure A also shows how Web Admin configures administrative roles to access and manage specific organizations. You can think of these administrative roles as predefined security configurations that determine which organizations users can access and which actions the users can take within those organizations. Depending on these configurations, Web Admin displays the accessible OUs and the supported functionality for the user's administrative role. Web Admin supports four administrative roles:
- Domain Administrator—The tool defines a Domain Administrator as any user who's a member of the Win2K Domain Admins group or Enterprise Admins group. Domain Administrators have full control over all containers within the domain.
- Multi-Organization Administrator—A Web Admin Multi-Organization Administrator is a user in a multi-organizational customer organization. This user can create other customer organizations and manage those organizations. These users can also be configured as Organization Administrators.
- Organization Administrator—An Organization Administrator is a user within a customer organization OU who can manage users, groups, and child organizations within that customer organization.
- End User—An End User is a user within a customer organization OU who can view information about that organization and manage his or her user account.
As Figure A shows, the Cust2 Organization Administrator manages only Cust2 and can't access any other customer organizations. However, the Cust1 Multi-Organization Administrator manages several customer organizations, including Cust1a and Cust1b, which are part of a multi-organizational structure with Cust1. The Domain Administrator has full access to the domain structure, whereas the other roles are limited to their respective customer and child organizations. Note that although the Domain01 and Hosting OUs are visible to Multi-Organization Administrators, those users can't perform tasks in Domain01 and can perform only a few tasks in Hosting (e.g., modifying the OU's properties).
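The delegation model described above (one OU per customer organization, a set of security groups created inside that OU, and an ACL on the OU that grants those groups their rights) is only as sound as the ACLs actually present on each customer OU. The following PowerShell script is an added example, not part of the article or of the Web Admin tool itself: it walks the customer OUs beneath the Hosting OU and reports every explicit (non-inherited) Allow entry held by an identity other than the organization's own security groups or a small baseline of domain-wide administrators. It assumes the ActiveDirectory PowerShell module and its AD: drive (which postdate the Win2K era the article describes); the Hosting OU distinguished name, the NetBIOS domain name DOMAIN01, and the baseline identity list are assumptions to adjust for your environment.

```powershell
# Added example (not the article's or Web Admin's code): audit the ACL of each
# customer organization OU beneath the Hosting OU and flag explicit Allow ACEs
# granted to identities outside that organization's own delegated groups.
# Assumes the ActiveDirectory module; DN, NetBIOS name and baseline are assumed.
Import-Module ActiveDirectory

$HostingDN   = 'OU=Hosting,DC=domain01,DC=local'   # assumed; adjust to your forest
$NetBiosName = 'DOMAIN01'                          # assumed NetBIOS domain name

# Identities expected to hold explicit rights on every customer OU regardless of
# organization (assumed baseline; the Domain/Enterprise Admins entries match the
# article's Domain Administrator role).
$GlobalAllowed = @(
    'NT AUTHORITY\SYSTEM',
    'BUILTIN\Administrators',
    "$NetBiosName\Domain Admins",
    "$NetBiosName\Enterprise Admins"
)

function Get-CustomerOuDelegationFindings {
    # Customer organizations can only be created directly beneath Hosting,
    # so a one-level search enumerates exactly the customer OUs.
    $customerOUs = Get-ADOrganizationalUnit -SearchBase $HostingDN -SearchScope OneLevel -Filter *

    foreach ($ou in $customerOUs) {
        $acl = Get-Acl -Path ("AD:\" + $ou.DistinguishedName)

        # Web Admin places the organization's security groups inside the
        # customer OU itself, so groups located there are legitimate delegates.
        $localGroups = Get-ADGroup -SearchBase $ou.DistinguishedName -SearchScope OneLevel -Filter * |
            ForEach-Object { "$NetBiosName\" + $_.SamAccountName }
        $allowed = $GlobalAllowed + $localGroups

        # Inherited ACEs come from Hosting or the domain head; only the explicit
        # entries reflect delegation made on this particular OU.
        foreach ($ace in ($acl.Access | Where-Object { -not $_.IsInherited })) {
            $who = $ace.IdentityReference.Value
            if ($ace.AccessControlType -eq 'Allow' -and ($allowed -notcontains $who)) {
                [PSCustomObject]@{
                    OU        = $ou.Name
                    Identity  = $who
                    Rights    = $ace.ActiveDirectoryRights
                    Inherits  = $ace.InheritanceType
                }
            }
        }
    }
}

# Run the audit and show any entries that fall outside the expected delegation.
Get-CustomerOuDelegationFindings | Format-Table -AutoSize
```

Run it from an account that can read the Hosting subtree's security descriptors. An empty table means every explicit grant on every customer OU belongs either to that organization's own groups or to the baseline; a row naming another customer's group, an individual user account, or an unresolved SID (shown as an S-1-5-... string, typically an orphaned entry) is worth investigating, because such a grant would let a principal reach an OU outside the scope the administrative roles above are meant to enforce.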