
Delegating Domain Controller Administration

 
 
Kevin Brinnehl
      6th Oct 2003
I'm in the process of planning to consolidate our Windows 2000 Active
Directory environment into a single domain. I have one critical obstacle at
the moment. We have a number of sites (corresponding to their respective
child domain) with their own local system administrator. I would like to
have these administrators maintain control over their local domain
controllers. Is it possible to delegate administration of a single domain
controller to a particular administrator without giving them access to all
of the domain controllers in the domain?


 
Dmitry Korolyov
      6th Oct 2003
I'd say no. There won't be much purpose in that. The only possible difference between domain controllers within a domain is the FSMO roles they hold. Regarding everything else they are all the same - which means if someone has administrative privileges over a single domain controller in a domain, his incorrect actions could cause as many problems as if he had administrative privileges over every domain controller in the domain.

Do your subordinate admins really need admin rights over DCs? Why not just delegate them administrative permissions over a certain subscope of the OU hierarchy, making each of them responsible for only a subset of users and computers? Admin rights over DCs are rarely required - only for hardware installations, major changes such as service installation and such. In fact your subordinate admins should be quite happy with much less than Domain Admins and even Account Operators rights.

--
Dmitry Korolyov [(E-Mail Removed)]
MVP: Windows Server - Active Directory


"Kevin Brinnehl" <(E-Mail Removed)> wrote in message news:(E-Mail Removed)...
> I'm in the process of planning to consolidate our Windows 2000 Active
> Directory environment into a single domain. I have one critical obstacle at
> the moment. We have a number of sites (corresponding to their respective
> child domain) with their own local system administrator. I would like to
> have these administrators maintain control over their local domain
> controllers. Is it possible to delegate administration of a single domain
> controller to a particular administrator without giving them access to all
> of the domain controllers in the domain?


 
Todd Maxey [MSFT]
      6th Oct 2003
Kevin,

The short answer is "No".

When you delegate control you are doing so only in the Active Directory.
This allows the delegated user or group to control the object(s) in Active
Directory that have been delegated to them. It does not give them
administrative ability on the physical machine. This would be accomplished
by adding the user to the Built-in group Administrators, Domain Admins, or
Enterprise Admins, each of which will give your user an ever widening ability
to affect "things" across the domain and/or enterprise.

The most administratively correct way for a domain controller to be
administered without giving away the keys to the kingdom is creating a
separate domain in the same forest (child or separate tree).



"Kevin Brinnehl" <(E-Mail Removed)> wrote in message
news:(E-Mail Removed)...
> I'm in the process of planning to consolidate our Windows 2000 Active
> Directory environment into a single domain. I have one critical obstacle at
> the moment. We have a number of sites (corresponding to their respective
> child domain) with their own local system administrator. I would like to
> have these administrators maintain control over their local domain
> controllers. Is it possible to delegate administration of a single domain
> controller to a particular administrator without giving them access to all
> of the domain controllers in the domain?



 
Joe Richards [MVP]
      7th Oct 2003
And actually your forest still has potential dangers. A domain is not the ultimate security boundary in Windows Active
Directory, the Forest is. If you don't trust someone with your whole forest, do not give them administrative rights on
any DC in the forest.

--
Joe Richards
www.joeware.net

--

"Todd Maxey [MSFT]" <(E-Mail Removed)> wrote in message news:(E-Mail Removed)...
> Kevin,
>
<SNIP>
>
> The most administratively correct way for a domain controller to be
> administered without giving away the keys to the kingdom is creating a
> separate domain in the same forest (child or separate tree).
>
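
Added example (not part of any post in this thread): a PowerShell audit of the point made in the replies above, that membership in the built-in Administrators, Domain Admins or Enterprise Admins groups is what confers administrative rights on domain controllers, run across every domain in the forest. It assumes the ActiveDirectory RSAT module is installed; `$Approved` is a constructed allow-list.

```powershell
# Added example: forest-wide audit of who effectively administers domain controllers.
# Assumes the ActiveDirectory module (RSAT) and read access to every domain in the forest.
Import-Module ActiveDirectory

# Constructed allow-list of sAMAccountNames that are expected to hold DC-level rights.
$Approved = @('Administrator')

$forest  = Get-ADForest
$rootSid = (Get-ADDomain -Server $forest.RootDomain).DomainSID.Value

$report = foreach ($dns in $forest.Domains) {
    $domSid = (Get-ADDomain -Server $dns).DomainSID.Value

    # Well-known SIDs/RIDs are used so renamed or localized groups are still found.
    $targets = @(
        @{ Label = 'Administrators (built-in)'; Sid = 'S-1-5-32-544' }
        @{ Label = 'Domain Admins';             Sid = "${domSid}-512" }
    )
    if ($dns -eq $forest.RootDomain) {
        # Enterprise Admins exists only in the forest root domain.
        $targets += @{ Label = 'Enterprise Admins'; Sid = "${rootSid}-519" }
    }

    foreach ($t in $targets) {
        # -Recursive flattens nested groups down to the principals that end up with the rights.
        Get-ADGroupMember -Identity $t.Sid -Server $dns -Recursive |
            ForEach-Object {
                [pscustomobject]@{
                    Domain   = $dns
                    Group    = $t.Label
                    Member   = $_.SamAccountName
                    Type     = $_.objectClass
                    Approved = $Approved -contains $_.SamAccountName
                }
            }
    }
}

# Full picture, then only the accounts that are not on the allow-list.
$report | Sort-Object Domain, Group, Member | Format-Table -AutoSize
$report | Where-Object { -not $_.Approved } |
    Select-Object Domain, Member -Unique
```

Any site administrator who appears in the second listing holds rights on domain controllers, not just delegated control over objects in an OU.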



 