'Restrict' International/Site Domain Admins

Rubin Farr

Hello All,

We are in the process of planning for AD deployment. We plan to simply do an
in-place upgrade as we only have about 300 users in the US and our maximum
international site would only have about 25 users--basically a flat domain
for ease of admin and $$.

I am trying to figure out how I give a user the equivalent of a domain admin
but ONLY FOR HIS/HER SITE and all respective user and machine accounts. We
don't want him/her touching any of our machines or accounts.

Is this possible or would I have to get into parent/child domains or domain
trusts? (Domain name would be similar or the same since it is the same
company) I am trying to keep things as simple and as low cost as possible.

I have heard domain trusts can get complicated, even in AD. Anyone care to
comment?

If I did parent/child domains, would we need additional domain controllers
at our main headquarters as well as the respective sites to support the
domains?

Hopefully the above does not sound too ignorant--I have done as much
research as possible before asking ;))
 
Scott Harding - MS MVP

You're right, trusts can be a pain but they certainly work much better with
Win2k. You could use a parent/child relationship and make them domain
admins only for their domain and you could be the Enterprise admin for all
domains. There would be no trusts in this scenario to manage as they are
created automatically because of the child domain. This should accomplish
what you're after but you would need some DCs at the remote sites for the
child domain. You could also have just one domain and create Organizational
Units that they have control over and put all of their users and computers
into these OUs and use the delegation of authority wizard to only grant them
control of their OU. I think that would be a little easier as you will not
need specific machines to be DCs for the child domains.

--
Scott Harding
MCSE, MCSA, A+, Network+
Microsoft MVP - Windows NT Server

scrockel@***No_SPAM***hotmail.com
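
Added example, not part of the reply above: the single-domain OU delegation it describes, scripted with `dsacls` and the ActiveDirectory PowerShell module (newer tooling than the Windows 2000 wizard the thread refers to). The domain `corp.example.com`, the OU `Site-London` and the group `London-OU-Admins` are placeholders assumed for illustration.

```powershell
# Added example: every name here is a placeholder, not taken from the thread.
Import-Module ActiveDirectory

$domainDn = 'DC=corp,DC=example,DC=com'   # assumed domain
$ouName   = 'Site-London'                 # assumed site OU
$siteOu   = "OU=$ouName,$domainDn"
$group    = 'London-OU-Admins'            # assumed delegation group

# 1. One OU per remote site; that site's users and computers are moved under it.
New-ADOrganizationalUnit -Name $ouName -Path $domainDn `
    -ProtectedFromAccidentalDeletion $true

# 2. Delegate to a group, not to a person. No -Path is given, so the group
#    lands in the default Users container, outside the OU it controls, and
#    the site admins cannot edit its membership through their own delegation.
New-ADGroup -Name $group -SamAccountName $group `
    -GroupScope Global -GroupCategory Security

$trustee = "$((Get-ADDomain).NetBIOSName)\$group"

# 3a. Allow creating and deleting user and computer objects in the OU tree.
dsacls $siteOu /I:T /G "${trustee}:CCDC;user" "${trustee}:CCDC;computer"

# 3b. Full control, but only over user and computer objects below the OU.
#     Nothing is granted on the OU object itself, on GPO links, or anywhere
#     else in the domain.
dsacls $siteOu /I:S /G "${trustee}:GA;;user" "${trustee}:GA;;computer"

# 4. Check the result: list the ACEs that name the delegation group, and
#    confirm the group has not been nested into a privileged group.
dsacls $siteOu | Select-String -SimpleMatch $group
Get-ADPrincipalGroupMembership -Identity $group |
    Select-Object -ExpandProperty Name
```

Step 4 should show only the four entries granted in step 3 and an empty group-membership list; any membership in Domain Admins or Administrators would override the OU boundary.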
 
Rubin Farr

Great idea! Forgot all about that tool (been a while since MCSE class ;)) I
would like the 'site' admin to be able to logon locally on to the DC and a
few member servers in the site for maintenance...essentially like a domain
admin, but I suppose for just that one OU.

Thanks for the insight!
 
