Delegating Domain Controller Administration

Discussion in 'Microsoft Windows 2000 Active Directory' started by Kevin Brinnehl, Oct 6, 2003.

  1. I'm in the process of planning to consolidate our Windows 2000 Active
    Directory environment into a single domain. I have one critical obstacle at
    the moment. We have a number of sites (corresponding to their respective
    child domain) with their own local system administrator. I would like to
    have these administrators maintain control over their local domain
    controllers. Is it possible to delegate administration of a single domain
    controller to a particular administrator without giving them access to all
    of the domain controllers in the domain?
     
    Kevin Brinnehl, Oct 6, 2003
    #1

  2. I'd say no. There won't be much purpose in that. The only possible difference between domain controllers within a domain is the FSMO roles they hold. Regarding everything else they are all the same, which means that if someone has administrative privileges over a single domain controller in a domain, his incorrect actions could cause as many problems as if he had administrative privileges over every domain controller in the domain.

    Do your subordinate admins really need admin rights over DCs? Why not just delegate them administrative permissions over a certain subscope of the OU hierarchy, making each of them responsible for only a subset of users and computers? Admin rights over a DC are rarely required, only for hardware installations, major changes such as service installations and the like. In fact your subordinate admins should be quite happy with much less than Domain Admins and even Account Operators rights.

    --
    Dmitry Korolyov
    MVP: Windows Server - Active Directory


    Dmitry Korolyov, Oct 6, 2003
    #2
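    One way to implement the OU-scoped delegation Dmitry describes, as an added example that is not code from the thread (PowerShell with the RSAT ActiveDirectory module, which did not exist in 2003). The OU and group names are assumed; the script grants the site's admin group rights only below its own OU and then checks that the same people do not also sit in a group with rights over every DC.

    ```powershell
    # Added example, not from the thread. Assumes the ActiveDirectory module and an account
    # allowed to modify the OU's ACL. The OU and group names below are assumed values.
    Import-Module ActiveDirectory

    $ouDn      = 'OU=Branch-A,DC=corp,DC=example'   # assumed OU holding the site's users/computers
    $groupName = 'Branch-A-Admins'                    # assumed group for that site's local admins

    $sid = (Get-ADGroup -Identity $groupName).SID

    # Well-known schema GUIDs: user class, computer class, "Reset Password" control access right
    $userClass = [Guid]'bf967aba-0de6-11d0-a285-00aa003049e2'
    $compClass = [Guid]'bf967a86-0de6-11d0-a285-00aa003049e2'
    $resetPwd  = [Guid]'00299570-246d-11d0-a768-00aa006e0529'

    $allow   = [System.Security.AccessControl.AccessControlType]::Allow
    $inhAll  = [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All
    $inhDesc = [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents
    $rights  = { param($r) [System.DirectoryServices.ActiveDirectoryRights]$r }

    $acl = Get-Acl -Path "AD:\$ouDn"

    # Reset passwords on user objects below this OU only, nowhere else in the domain
    $acl.AddAccessRule([System.DirectoryServices.ActiveDirectoryAccessRule]::new(
        $sid, (& $rights 'ExtendedRight'), $allow, $resetPwd, $inhDesc, $userClass))

    foreach ($cls in $userClass, $compClass) {
        # Create and delete users/computers anywhere in the OU subtree
        $acl.AddAccessRule([System.DirectoryServices.ActiveDirectoryAccessRule]::new(
            $sid, (& $rights 'CreateChild, DeleteChild'), $allow, $cls, $inhAll))
        # Edit attributes of existing users/computers below the OU
        $acl.AddAccessRule([System.DirectoryServices.ActiveDirectoryAccessRule]::new(
            $sid, (& $rights 'ReadProperty, WriteProperty'), $allow, $inhDesc, $cls))
    }

    Set-Acl -Path "AD:\$ouDn" -AclObject $acl

    # Sanity check: nobody delegated for one site should also hold DC-wide rights via these groups
    $privileged = 'Administrators', 'Domain Admins', 'Enterprise Admins',
                  'Account Operators', 'Server Operators'
    $siteSids = Get-ADGroupMember -Identity $groupName -Recursive | ForEach-Object { $_.SID.Value }
    foreach ($p in $privileged) {
        Get-ADGroupMember -Identity $p -Recursive -ErrorAction SilentlyContinue |
            Where-Object { $siteSids -contains $_.SID.Value } |
            ForEach-Object { Write-Warning "$($_.SamAccountName) is in both $groupName and $p" }
    }
    ```

    Enterprise Admins exists only in the forest root domain, which is why the lookup tolerates a missing group.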

  3. Kevin,

    The short answer is "No".

    When you delegate control you are doing so only in the Active Directory.
    This allows the delegated user or group to control the object(s) in Active
    Directory that have been delegated to them. It does not give them
    administrative ability on the physical machine. This would be accomplished
    by adding the user to the built-in group Administrators, Domain Admins, or
    Enterprise Admins, each of which will give your user an ever widening ability
    to affect "things" across the domain and/or enterprise.

    The most administratively correct way for a domain controller to be
    administered without giving away the keys to the kingdom is creating a
    separate domain in the same forest (child or separate tree).

    Todd Maxey [MSFT], Oct 6, 2003
    #3
  4. And actually your forest still has potential dangers. A domain is not the ultimate security boundary in Windows Active
    Directory, the Forest is. If you don't trust someone with your whole forest, do not give them administrative rights on
    any DC in the forest.

    --
    Joe Richards
    www.joeware.net

    Joe Richards [MVP], Oct 7, 2003
    #4