Multiple administrators, Site Administrators

Edwyn

We have a single Windows 2000 domain with 10 sites worldwide,
according to the Branch Office model. Some of the bigger sites have
their own local administrators. We don't want the Administrator
account to be used by everybody and we don't want the local
administrators in the group Domain Admins. The idea is that we all use
our own account with restricted rights for daily operations and the
Administrator account is safe and put away. This way nobody can alter
the domain by accident.

This is what we did so far in our test domain:
To give every local administrator rights to manage his part of the AD
and his servers we've created a group Site Administrators. In this
group we've added the local administrators, e.g. countryadmin. In Users
and Computers we've created OUs per site and gave the countryadmin
all rights in his OU with Delegation of Control. Next we've added the
Site Administrators to the group Account Operations, so he is able to
create/move/delete users and groups etc. The countryadmins are added
to the security tab in Terminal Services and the group Site
Administrators is added to Local Administrators on workstations and
member servers.

But the problems happen with the DCs. No local admins, so a
countryadmin can't run even simple tasks like Diskeeper etc. and
we do have DCs with multiple tasks, like DNS, WINS, DHCP, mail server
and file server.

Any ideas? Does anyone know of a whitepaper or any document about
delegated administrators?
 
Chriss3

You are on the right way. However, note that the built-in groups such as Account
Operators, DHCP Administrators are domain-wide and give their members
rights to their services in the whole domain. Take a look at the article
below.

Step-by-Step Guide to Using the Delegation of Control Wizard:
http://www.microsoft.com/windows2000/techinfo/planning/activedirectory/delegsteps.asp

--
Regards,

Christoffer Andersson
No email replies please - reply in the newsgroup
If the information was helpful, you can let me know at:
http://www.itsystem.se/employers.asp?ID=1
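
Added example, not part of the original thread: a PowerShell audit of the point raised in the reply above, listing accounts in the delegated group that also sit (directly or through nesting) in the domain-wide built-in groups. It assumes the ActiveDirectory module from RSAT on a management host and a domain controller running Active Directory Web Services, which a stock Windows 2000 domain does not provide; the group names are the ones used in the thread.

```powershell
# Added example. Assumption: ActiveDirectory module (RSAT) is installed and
# a domain controller running Active Directory Web Services is reachable.
Import-Module ActiveDirectory

# Group names as written in the thread; adjust to your domain.
$delegatedGroup   = 'Site Administrators'
$domainWideGroups = 'Account Operators', 'DHCP Administrators'

# Accounts that are meant to hold rights in their own OU only.
$siteAdmins = Get-ADGroupMember -Identity $delegatedGroup -Recursive |
    Where-Object { $_.objectClass -eq 'user' }

$findings = foreach ($groupName in $domainWideGroups) {
    try {
        # -Recursive expands nested groups, so membership gained through
        # "Site Administrators" being nested in the built-in group is seen.
        $members = Get-ADGroupMember -Identity $groupName -Recursive -ErrorAction Stop
    }
    catch {
        # The DHCP group only exists where the DHCP service was installed.
        Write-Warning "Skipping '$groupName': $($_.Exception.Message)"
        continue
    }

    $memberSids = @($members | ForEach-Object { $_.SID.Value })

    foreach ($admin in $siteAdmins) {
        if ($memberSids -contains $admin.SID.Value) {
            [pscustomobject]@{
                Account         = $admin.SamAccountName
                DomainWideGroup = $groupName
            }
        }
    }
}

# Each row is a site administrator whose rights reach beyond the site OU.
$findings | Sort-Object Account, DomainWideGroup | Format-Table -AutoSize
```

An empty result means no site administrator currently holds these domain-wide memberships.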