branch office administrator

Brian Higgins

I have a client that has 25 branch locations. we are in the process of
upgrading and bringing nearly all of these online and setup under one domain
(DC/GC housed at each office with separate sites defined for each physical
location with some sort of high speed connection between 384 Kb/s and 3.0
Mb/s at each location with a VPN link back to corporate). Most of the sites
only have between 5-15 users.

The plant manager is complaining at one location that was brought online
this last week, because the former "IT Guy" that took care of their
equipment is a friend of his and he doesn't want him to stop doing their
work. We work for the corporate office so he doesn't have much choice/say
over most of this, but he has managed to get corporate to give him
permission to give full administrative rights over the computers and server
at the location to his buddy the "IT Guy"

As I said, the server is a DC and GC (2003 native mode) so I can't just give
him local admin rights to the server.

What is the best way to give him administrative control over the server, and
user accounts/computer accounts, without compromising security on the rest
of the network? (all objects in AD that pertain to the location are housed
in or under a OU, except for the Server which is obviously in the Domain
Controllers OU, I have already ran the delegate permission wizard in AD for
that OU.)??

Thanks in advance...

Brian
 
Joe Richards [MVP]

Honestly, I would yank the DC out of that site. You are in a dangerous position.
If you give this person any local admin type accesses (ability to log on
locally, ability to mess with services, ability to write to the file system,
etc) to the DC he has immense power to hurt you. If you don't give him access he
can compromise the DC because he has physical access to it. The reasons behind
it can be to show that you guys shouldn't be running the stuff. It sounds a
little cynical but I have had people contact me with similar issues previously,
that crap happens.

You cannot secure against this person. Former should mean he isn't anywhere
near the location.

joe
 
Brian Higgins

At this point that would be my preferred choice, unfortunately that is not
an option here... Is there a way I can give him access to AD, from one of
the XP machines, that will not severely compromise the network? (I have never
had to share the administrative control of a network with someone that
didn't deserve full administrative rights before, so delegation of authority
is new to me.) Also, is there any way to give him "user" access to the DC,
so that he can check and do anything in RRAS should a problem occur?
 
Joe Richards [MVP]

If you give any interactive access to the DC you might as well give admin to the
domain.

You can definitely give access to an OU to add/remove/modify computers/users.
That is all done through the normal delegation model tools.

joe
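The OU delegation Joe describes (and the wizard Brian already ran) ends up as a set of ACEs on the branch OU; the following is an added example, not code from either poster, showing the same grants done with dsacls so they can be read back and reviewed, followed by a check that the delegated group has not picked up any rights on the domain controllers themselves. The domain CORP / DC=corp,DC=example, the OU name Branch07 and the group Branch07-Admins are constructed placeholders.

```powershell
# Added example: delegate one branch OU to a branch-local group with dsacls,
# then verify the group holds no DC-level privileges. Names below are constructed.
$domainDN = "DC=corp,DC=example"
$ou       = "OU=Branch07,$domainDN"
$group    = "CORP\Branch07-Admins"

# Create/delete user and computer objects in the OU and any child OUs (/I:T = this object and sub-objects).
dsacls $ou /I:T /G "${group}:CCDC;user"
dsacls $ou /I:T /G "${group}:CCDC;computer"

# Full control over the user and computer objects that live there, plus the
# "Reset Password" extended right on users. /I:S = inherited by sub-objects only,
# so the OU object itself (and nothing outside it) is unaffected.
dsacls $ou /I:S /G "${group}:GA;;user"
dsacls $ou /I:S /G "${group}:GA;;computer"
dsacls $ou /I:S /G "${group}:CA;Reset Password;user"

# Read back the ACEs that now mention the delegated group.
dsacls $ou | Select-String -SimpleMatch $group

# The delegated group must not be a (transitive) member of any group that grants
# logon or service rights on domain controllers; that is the access Joe warns about.
$privileged = @(
  "CN=Domain Admins,CN=Users,$domainDN",
  "CN=Administrators,CN=Builtin,$domainDN",
  "CN=Server Operators,CN=Builtin,$domainDN",
  "CN=Account Operators,CN=Builtin,$domainDN",
  "CN=Backup Operators,CN=Builtin,$domainDN",
  "CN=Print Operators,CN=Builtin,$domainDN"
)
$groupDN = "CN=Branch07-Admins,$ou"   # assumed: the group object lives in the branch OU
foreach ($g in $privileged) {
  $members = dsget group $g -members -expand
  if ($members -match [regex]::Escape($groupDN)) {
    Write-Warning "$groupDN is a member of $g; the delegation is not contained."
  }
}
```

Everything granted here is scoped to OU=Branch07; nothing touches the Domain Controllers OU, the DC's file system or its services, which is the line Joe draws. The membership check at the end matters because the built-in operator groups quietly carry interactive logon on DCs, so a delegated group that lands in one of them undoes the containment.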
 
