|
Posted by Joe Richards [MVP] on April 28, 2006, 10:10 am
If you were Registered and logged in, you could reply and use other advanced thread options
were with the child domains and protecting your HQ. You just didn't understand
how Windows works. Had a child DA wanted to take over your HQ domain it wouldn't
have been a lot of work for them to do so. The domain is not a security boundary
in an AD forest.
--
Joe Richards Microsoft MVP Windows Server Directory Services
Author of O'Reilly Active Directory Third Edition
www.joeware.net
---O'Reilly Active Directory Third Edition now available---
http://www.joeware.net/win/ad3e.htm
Roger Abell [MVP] wrote:
> I do not know about a "template", and things quickly get quite
> situational anyway, but in general what you need to look at is
> using delegation. There are a few pre-supplied choices in the
> delegation of control wizard and other delegations that can be
> accomplished by drill into the details. I would suggest that you
> define a group for each delegation that you make, as otherwise
> answering the question "what is delegated over what and to whom"
> is not simple (ex. use a naming convention for your groups that
> assist you in answering that question and delegate to the group).
>
> Now, pretty much everything you mentioned can be done with
> delegation, for example at the OU root for remote site A, if the
> computers and users of that remote site are somewhere within
> that OU structure.
>
> Where you will have difficulties is with management of the DCs.
> Granting admin or server operator to make changes to the DCs
> would grant that ability on all DCs. What you likely need to do
> is inventory all actions that need to be supported, and then for
> each devise a way to get these done, whether centrally under
> control by the domain admins or with short-term enabled accts
> and time coordinated actions by person at remote, or . . .
>
>> We are a company with 7 remote campuses, each with their own on-site IT
>> person. Mainly these people do things like desktop support, set up file
>> shares and manage thier campuses users, computers and local servers
>> (DC's).
>>
>> Previously, each campus was their own child domain, so each one could be a
>> domain admin, and not have to worry about them having access to sensitve
>> material back at the corporate HQ. However, we recently collapsed all
>> those
>> child domains into the parent domain (easier management of resources and
>> people from the HQ).
>>
>> Since the collapse, all the problems with management due to the child
>> domains went away, but the sole nagging problems is that hte local campus
>> admins no longer have rights to manage their users or servers. Is there a
>> suggested template for something like this, or third party software or
>> something that would help me figure out how to set permissions for these
>> folks?
>>
>> Any suggestions welcome.
>
>
| 
XML site map