
Delegation of Domain Admin rights

By sirak@bits
I work for a very large organization and we are in the process of planning a W2K migration from NT 4.0. Our present domain structure has over a hundred domains due to politics as well as the need to have local admins have full power to administer their local domains. Once we move to Active Directory we want to collapse the present domains and limit it to just one or two, but still give the local admins power over their OU and also the ability to do some functions on the locally located domain controllers, like apply service packs, install software, etc. We don't want to make them full Domain Admins. So is there a way to make the Domain Admin rights more granular?





Delegation of Domain Admin rights

by timwalsh In reply to Delegation of Domain Admi ...

The short answer is yes. Win2K (and AD) is much more granular in the level of control you can delegate. This is one of the primary reasons OUs exist in Win2K. What you would do is create new administrator groups for each OU and through the Delegation of Control Wizard, specify exactly what permissions you want to assign.


Delegation of Domain Admin rights

by sirak@bits In reply to Delegation of Domain Admi ...

Poster rated this answer


Delegation of Domain Admin rights

by kdrungilas In reply to Delegation of Domain Admi ...

Yes, there is. My first piece of advice is to plan, plan, plan! There are several ways to define security and control. Policy settings and permissions can be defined at the site or domain levels or trees, and can use inheritance of permissions, and you can explicitly assign permissions.
The easiest way is to use Delegation of Control Wizard to:
*Delegate permissions to change properties on a particular container
*Delegate permissions to create and delete objects of a specific type under an OU (like users, computers, groups, printers)
*Delegate permissions to update specific properties on objects of a specific type under an OU (like setting passwords)
In Active Directory Users and Computers there is a Delegation of Control Wizard which steps you through the process of granting granular rights. Once you have migrated your PDC and created your Organizational Units, you can drill down to the site, domain, organizational unit or container for which you want to grant control. Right-click on it and choose "Delegate Control".

The thing to remember is to plan and ask a lot of "what if..." type questions before proceeding with a delegation plan.
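The per-OU delegation the two replies above describe, written out with dsacls.exe instead of clicking through the wizard, as an added example that is not from the thread. dsacls shipped with the Windows 2000/2003 Support Tools and is still in Windows Server; it writes the same ACEs the Delegation of Control Wizard does, so the result can be kept in source control and re-applied. The OU name `OU=Branch01,DC=corp,DC=example` and the group `CORP\Branch01-Admins` are placeholders and are assumed to exist already.

```powershell
# Added example, not from the original thread. Placeholders: the OU and the
# group are assumed to exist; substitute your own. Run as an account that can
# modify the OU's DACL (e.g. a Domain Admin doing the one-time delegation).

$ou    = 'OU=Branch01,DC=corp,DC=example'
$group = 'CORP\Branch01-Admins'

# 1. Let the local admins create and delete user, group and computer objects in
#    the OU and any sub-OUs.  /I:T = this object and all sub-objects;
#    CC = create child, DC = delete child; the trailing token is the object class.
foreach ($class in 'user', 'group', 'computer') {
    dsacls $ou /I:T /G "${group}:CCDC;$class"
}

# 2. Let them reset passwords on user objects below the OU (the "Reset Password"
#    control-access right, CA) and write pwdLastSet so that "user must change
#    password at next logon" works.  /I:S = sub-objects only, of class user.
dsacls $ou /I:S /G "${group}:CA;Reset Password;user"
dsacls $ou /I:S /G "${group}:WP;pwdLastSet;user"

# 3. Verify: show the ACEs that were written, and confirm the delegated group is
#    not also a Domain Admin (if it is, the delegation buys nothing).
dsacls $ou | Select-String -Pattern 'Branch01-Admins'
net group "Domain Admins" /domain | Select-String -Pattern 'Branch01-Admins'

# To undo the whole delegation for the group, remove every ACE it holds on the OU:
#   dsacls $ou /R $group
```

The rights granted here live on the OU only. Nothing in this script touches the Domain Controllers OU or the local Administrators group of any DC, which is the line to hold when answering the "what if" questions: everything that can be delegated safely is an OU-level permission, and the wizard and dsacls both let you enumerate exactly what was granted afterwards.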


Delegation of Domain Admin rights

by sirak@bits In reply to Delegation of Domain Admi ...

Poster rated this answer


Delegation of Domain Admin rights

by MaximK In reply to Delegation of Domain Admi ...

Actually, I think there is no way to accomplish this. The moment you give people control over a physical Domain Controller box and give them rights to install system software, you might as well make them Domain Administrators. Think about it: they can install (hidden) malicious services while performing the Service Pack update...
In my opinion, you need to tightly control your Domain Controllers as well as the people that manage them. Most software installations can be scripted and distributed using some tool like Microsoft Systems Management Server. This way you don't need to provide people with the ability to install system software. If you also control physical access to these Domain Controllers, you should be fine.
The other option is to create multiple forests or expand your Domain Administrators team.


Delegation of Domain Admin rights

by sirak@bits In reply to Delegation of Domain Admi ...

Thanks, I thought so also. I was hoping that there was something I missed.


Delegation of Domain Admin rights

by sirak@bits In reply to Delegation of Domain Admi ...

This question was closed by the author
