Re: New Organizational Unit for a new remote office.



You are way beyond my level of expertise, so don't misunderstand me. I just
think that (yes, I agree you are correct that elevation is available for an
intelligent user) you don't want to create a whole bunch of forests for this
type of layout.



--
Paul Bergson
MCT, MCSE, MCSA, Security+, BS CSi
2003, 2000 (Early Achiever), NT

http://www.pbbergs.com

Please no e-mails, any questions should be posted in the NewsGroup
This posting is provided "AS IS" with no warranties, and confers no rights.

"Jorge de Almeida Pinto [MVP - DS]"
<SubstituteThisWithMyFullNameSeparatedByDots@xxxxxxxxx> wrote in message
news:%23AvKPG$4GHA.1252@xxxxxxxxxxxxxxxxxxxxxxx
If you are stating that an intelligent domain admin can figure out how to
elevate his privileges

yes, they can.... besides that...everyone with physical access to a DC

Unclear on the capitalization and exclamation point piece of your
conversation.


just making a point....

--

Cheers,
(HOPEFULLY THIS INFORMATION HELPS YOU!)

# Jorge de Almeida Pinto # MVP Windows Server - Directory Services

BLOG (WEB-BASED)--> http://blogs.dirteam.com/blogs/jorge/default.aspx
BLOG (RSS-FEEDS)--> http://blogs.dirteam.com/blogs/jorge/rss.aspx
------------------------------------------------------------------------------------------
* This posting is provided "AS IS" with no warranties and confers no
rights!
* Always test before implementing!
------------------------------------------------------------------------------------------
#################################################
#################################################
------------------------------------------------------------------------------------------
"Paul Bergson" <pbergson@xxxxxxxxxxxxxxxxx> wrote in message
news:erpoHJ84GHA.512@xxxxxxxxxxxxxxxxxxxxxxx
If you are stating that an intelligent domain admin can figure out how to
elevate his privileges, I don't think that is a good reason. If you have
an untrustworthy admin, those privileges need to be revoked and someone
found who can do their job as directed.

Unclear on the capitalization and exclamation point piece of your
conversation.



"Jorge de Almeida Pinto [MVP - DS]"
<SubstituteThisWithMyFullNameSeparatedByDots@xxxxxxxxx> wrote in message
news:eq3A5ez4GHA.3452@xxxxxxxxxxxxxxxxxxxxxxx
I'm not going to explain how to, but the message here is:

EVERY DOMAIN ADMIN IN THE FOREST (AND THUS EVERY DOMAIN IN THE FOREST)
MUST BE TRUSTED!!!

"Paul Bergson" <pbergson@xxxxxxxxxxxxxxxxx> wrote in message
news:%23GuaW7v4GHA.1252@xxxxxxxxxxxxxxxxxxxxxxx
Hunh???

Are you trying to say that a child domain administrator has full
Enterprise admin rights?


"Jorge de Almeida Pinto [MVP - DS]"
<SubstituteThisWithMyFullNameSeparatedByDots@xxxxxxxxx> wrote in
message news:uyue$Rm4GHA.4560@xxxxxxxxxxxxxxxxxxxxxxx
office under an individual Organizational Unit with its own
administrators,
domain controllers and e-mail servers.

impossible to achieve when it concerns the DCs. You cannot delegate
administration of one single DC. Either you administer ALL DCs or you
don't.
DCs should be administered by domain admins ONLY!

Additional domains in a forest do not give additional protection when
admins are made child domain admins.

to answer your question you need to know WHAT you want to
delegate.....examples are:
* password resets
* Account unlocks
* computer joins (how to make sure every computer is unique and has
not already been used by other admin)
* creation of groups (how to make sure every computer is unique and
has not already been used by other admin)
* creation of users with/without mailboxes (how to make sure every
computer is unique and has not already been used by other admin)
* Assign mailboxes to existing users
etc
etc
etc

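The OU-level delegations Jorge lists (password resets, account unlocks) are granted as access control entries on the OU itself, not by group membership. The following PowerShell is an added example, not code from any poster in this thread: it grants a helpdesk group the "Reset Password" control access right and write access to lockoutTime on user objects under one OU, then lists the explicit ACEs so the delegation can be reviewed. The domain, OU and group names are assumptions; the GUIDs are resolved from the forest schema and configuration partitions rather than hardcoded.

```powershell
# Added example (not from the thread). Requires the RSAT ActiveDirectory
# module and an account allowed to modify the OU's security descriptor.
Import-Module ActiveDirectory

$ouDN      = 'OU=Remote Office,DC=corp,DC=example'   # hypothetical OU
$groupName = 'RemoteOffice-Helpdesk'                 # hypothetical group
$groupSid  = (Get-ADGroup -Identity $groupName).SID

# Resolve object-type GUIDs from the forest instead of hardcoding them.
$rootDse  = Get-ADRootDSE
$schemaNC = $rootDse.schemaNamingContext
$configNC = $rootDse.configurationNamingContext

$userClassGuid = [guid](Get-ADObject -SearchBase $schemaNC `
    -LDAPFilter '(lDAPDisplayName=user)' -Properties schemaIDGUID).schemaIDGUID
$lockoutTimeGuid = [guid](Get-ADObject -SearchBase $schemaNC `
    -LDAPFilter '(lDAPDisplayName=lockoutTime)' -Properties schemaIDGUID).schemaIDGUID
$resetPasswordGuid = [guid](Get-ADObject -SearchBase "CN=Extended-Rights,$configNC" `
    -LDAPFilter '(displayName=Reset Password)' -Properties rightsGuid).rightsGuid

$acl     = Get-Acl -Path "AD:\$ouDN"
$allow   = [System.Security.AccessControl.AccessControlType]::Allow
# Apply only to descendant objects of class user, not to the OU itself.
$inherit = [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents

# ACE 1: "Reset Password" control access right on descendant user objects.
$acl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule `
    -ArgumentList $groupSid,
        [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight,
        $allow, $resetPasswordGuid, $inherit, $userClassGuid))

# ACE 2: read/write lockoutTime on descendant user objects (what "unlock" does).
$acl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule `
    -ArgumentList $groupSid,
        ([System.DirectoryServices.ActiveDirectoryRights]::ReadProperty -bor
         [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty),
        $allow, $lockoutTimeGuid, $inherit, $userClassGuid))

Set-Acl -Path "AD:\$ouDN" -AclObject $acl

# Review step: list only the explicit (non-inherited) ACEs on the OU.
# Anything granted here beyond the two rights above is a delegation that
# should be explained or removed.
function Get-OuExplicitAces {
    param([Parameter(Mandatory)][string]$DistinguishedName)
    (Get-Acl -Path "AD:\$DistinguishedName").Access |
        Where-Object { -not $_.IsInherited } |
        Select-Object IdentityReference, AccessControlType, ActiveDirectoryRights,
                      ObjectType, InheritedObjectType, InheritanceType
}

Get-OuExplicitAces -DistinguishedName $ouDN | Format-Table -AutoSize
```

In the review output the ObjectType column should show the two resolved GUIDs and InheritedObjectType the user class GUID; an ACE with an empty ObjectType grants the right on every attribute or extended right, which is broader than intended. Because the ACEs live on the remote office OU, they never reach the computer objects in the Domain Controllers OU, which is consistent with the point above that DC administration cannot be carved out per OU.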
"Peter" <Peter@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:75067972-2E51-429D-8756-A340C80CD720@xxxxxxxxxxxxxxxx
Hi All

We are a single domain environment and we want to have a setup a
remote
office under an individual Organizational Unit with its own
administrators,
domain controllers and e-mail servers.
Can someone please lead me to any documentation which states the
minimum
setup required if we want to delegate their own administrators to
administrate their own Organizational Unit ONLY?
i.e. Preparations and setup requirements.

Thanks
Peter
