I'm in the process of planning to consolidate our Windows 2000 Active
Directory environment into a single domain. I have one critical obstacle at
the moment. We have a number of sites (corresponding to their respective
child domain) with their own local system administrator. I would like to
have these administrators maintain control over their local domain
controllers. Is it possible to delegate administration of a single domain
controller to a particular administrator without giving them access to all
of the domain controllers in the domain?

I'd say no. There won't be any much purpose in that. The only possible difference between domain controllers within domain is the FSMO roles they hold. Regarding everything else they are all the same - which means if someone has administrative privileges over a single domain controller in a domain, his incorrect actions could cause as much problems as if he had administrative privileges over every domain controllers in a domain.

Do your subordinate admins really need admin rights over DCs? Why not just delegate them administrative permissions over a certain subscope of OU hierarchy, making each of them responsible for only a subset of users and computers. Admins rights over DC are rarely required - only for hardware installations, major changes such as service installation and such. In fact your subordinate admins should be quite happy with much less than Domain Admins and even Account Operators rights.

--
Dmitry Korolyov [(E-Mail Removed)]
MVP: Windows Server - Active Directory


"Kevin Brinnehl" <(E-Mail Removed)> wrote in message news:(E-Mail Removed)...
I'm in the process of planning to consolidate our Windows 2000 Active
Directory environment into a single domain. I have one critical obstacle at
the moment. We have a number of sites (corresponding to their respective
child domain) with their own local system administrator. I would like to
have these administrators maintain control over their local domain
controllers. Is it possible to delegate administration of a single domain
controller to a particular administrator without giving them access to all
of the domain controllers in the domain?

Kevin,

The short answer is "No"

When you delegate control you are doing so only in the Active Directory.
This allows the delegated user or group to control the object(s) in Active
Directory that have been delegated to them. It does not give them
administrative ability on the physical machine. This would be accomplished
by added the user to the Built-in group Administrators, Domain Admins, or
Enterprise Admins each of which will give your user an ever widening ability
to affect "things" across the domain and or enterprise.

The most administratively correct way for a domain controller to be
administrator without giving away the keys to the kingdom is creating a
separate domain in the same forest (child or separate tree).



"Kevin Brinnehl" <(E-Mail Removed)> wrote in message
news:(E-Mail Removed)...
> I'm in the process of planning to consolidate our Windows 2000 Active
> Directory environment into a single domain. I have one critical obstacle
at
> the moment. We have a number of sites (corresponding to their respective
> child domain) with their own local system administrator. I would like to
> have these administrators maintain control over their local domain
> controllers. Is it possible to delegate administration of a single domain
> controller to a particular administrator without giving them access to all
> of the domain controllers in the domain?
>
>

And actually your forest still has potential dangers. A domain is not the ultimate security boundary in Windows Active
Directory, the Forest is. If you don't trust someone with your whole forest, do not give them administrative rights on
any DC in the forest.

--
Joe Richards
www.joeware.net

--

"Todd Maxey [MSFT]" <(E-Mail Removed)> wrote in message news:(E-Mail Removed)...
> Kevin,
>

<SNIP>
>
> The most administratively correct way for a domain controller to be
> administrator without giving away the keys to the kingdom is creating a
> separate domain in the same forest (child or separate tree).
>