Delegation of Domain Admin rights

General discussion

Creator

Topic
December 6, 2001 at 8:45 am #2130333

Delegation of Domain Admin rights

Locked

by sirak@bits · about 20 years, 5 months ago

I work for a very large organization and we are in the process of planning W2K migration from NT4.0. Our present domain structure has over a hundred domains due to politics as well as the need to have local admins have full power to administer their local domains. Once we move to Active directory we want to collapse the present domain and limit it just one or two but still give the local admin power over their OU but also able to do some functions on the local located domain controllers, likeapply service packs, install software etc. We don’t want to make them full domain admins. So is there a way to make the domain admins rights more granular.

This conversation is currently closed to new comments.
Creator

Topic

All Comments

Author

Replies
- December 6, 2001 at 9:28 am #3549650
  
  Delegation of Domain Admin rights
  
  by timwalsh · about 20 years, 5 months ago
  
  In reply to Delegation of Domain Admin rights
  
  The short answer is yes. Win2K (and AD) is much more granular in the level of control you can delegate. This is one of the primary reasons OUs exist in Win2K. What you would do is create new administrator groups for each OU and through the Delegation of Control Wizard, specify exactly what permissions you want to assign.
  - December 10, 2001 at 1:01 am #3549435
    
    Delegation of Domain Admin rights
    
    by sirak@bits · about 20 years, 5 months ago
    
    In reply to Delegation of Domain Admin rights
    
    Poster rated this answer
- December 6, 2001 at 9:36 am #3549648
  
  Delegation of Domain Admin rights
  
  by kdrungilas · about 20 years, 5 months ago
  
  In reply to Delegation of Domain Admin rights
  
  Yes, there is. My first piece of advice is to plan, plan, plan! There are several ways to define security and control. Policy settings and permissions can be defined at the site or domain levels or trees and can use inheritance of permissions andyou can explicitly assign permissions.
  The easiest way is to use Delegation of Control Wizard to:
  *Delegate permissions to change properties on a particular container
  *Delegate permissions to create and delete objects of a specific type under an OU (like users, computers, groups, printers)
  *Delegate permissions to update specific properties on objects of a specific type under an OU (like setting passwords)
  In Active Directory Users and Computers there is a Delegation of Control Wizard which steps you through the process of granting granular rights. Once you have migrated your PDC and created your Organizational Units, you can drill down to the site, domain org. unit or container for which you want to grant control. Right-click on it and choose “Delegation Wizard”.
  
  The thing to remember is to plan and ask a lot of ‘what if…” type questions before proceeding with a delegation plan.
  - December 10, 2001 at 1:01 am #3549436
    
    Delegation of Domain Admin rights
    
    by sirak@bits · about 20 years, 5 months ago
    
    In reply to Delegation of Domain Admin rights
    
    Poster rated this answer
- December 10, 2001 at 2:29 am #3549354
  
  Delegation of Domain Admin rights
  
  by maximk · about 20 years, 5 months ago
  
  In reply to Delegation of Domain Admin rights
  
  Actually, I think there is no way to accomplish this. The moment you give people control over a physical Domain Controller box and give them rights to install system software, you might as well make them Domain Administrators. Thinks about it, they can install (hidden) malicious services while performing the Service Pack update…
  In my opinion, you need to tightly control your Domain Controllers as well as the people that manage them. Most software installations can be scripted and distributed using some tool like Microsoft Systems Management Server. This way you don’t need to provide people with the ability to install system software. If you also control physical access to these Domain Controllers, you should be fine.
  The other option is to create multiple forests or expand your Domain Administrators team.
  - December 10, 2001 at 8:29 am #3549143
    
    Delegation of Domain Admin rights
    
    by sirak@bits · about 20 years, 5 months ago
    
    In reply to Delegation of Domain Admin rights
    
    Thanks I thought so also. I was hopping that there was something I missed.
- December 10, 2001 at 8:29 am #3549142
  
  Delegation of Domain Admin rights
  
  by sirak@bits · about 20 years, 5 months ago
  
  In reply to Delegation of Domain Admin rights
  
  This question was closed by the author
Author

Replies

Viewing 3 reply threads

Start or Search

Start New Discussion

Recruiting an Operations Research Analyst with the right combination of technical expertise and experience will require a comprehensive screening process. This Hiring Kit provides an adjustable framework your business can use to find, recruit and ultimately hire the right person for the job.This hiring kit from TechRepublic Premium includes a job description, sample interview questions ...

The digital transformation required by implementing the industrial Internet of Things (IIoT) is a radical change from business as usual. This quick glossary of 30 terms and concepts relating to IIoT will help you get a handle on what IIoT is and what it can do for your business.. From the glossary’s introduction: While the ...

Procuring software packages for an organization is a complicated process that involves more than just technological knowledge. There are financial and support aspects to consider, proof of concepts to evaluate and vendor negotiations to handle. Navigating through the details of an RFP alone can be challenging, so use TechRepublic Premium’s Software Procurement Policy to establish ...

Windows

General discussion