Re: Do I need to upgrade my 2000/2003 servers to Active Directory
- From: "Bruce Sanderson" <bsanders@xxxxxxxxx>
- Date: Tue, 26 Apr 2005 22:48:59 -0700
Rather than a child domain, ask for control over an OU for your part of the
organisation. The ability to manage Group Policies for users and computers
in or below that OU can be delegated to you. In a large domain, this is the
usual way of distributing management/administration.
You can then fully manage the computer and user accounts in "your" OU while
still having the benefits of a single corporate domain.
For example in the organisation I work for, the domain has over 20,000 users
and a corresponding number of computers. The support staff in our division
(about 600 users and computers) have been delegated Full Control for our OU
in which we have sub OUs for users, groups, workstations, servers etc. We
can create, edit, and link GPOs to our OU structure as appropriate for our
particula needs. We're quite independent of the Domain administration staff
in this regard.
This works quite well - domain wide policies (e.g. account and password) are
set by the Domain administrators and each division/department can manage the
user accounts for their staff and the computer accounts for their computers.
The OU structure is very flexible - you can add, delete and move OUs and
their contents easily with AD Users and Computers. This is much more useful
than the old NT 4 Domain structure where the norm was to have multiple
Domains with inter-domain Trusts.
--
Bruce Sanderson MVP Printing
http://members.shaw.ca/bsanders
It is perfectly useless to know the right answer to the wrong question.
"Bernard" <Bernard@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:9D0AFE82-11F8-4958-9EB8-52D41DA0573F@xxxxxxxxxxxxxxxx
> Do I need to upgrade my 2000/2003 servers to Active Directory in order to
> use
> the GPMC tool. I want to create some group policies for me domain. The
> problem is .. I am upgrading my NT 4 domain control to 2003. But I cannot
> upgrade the system to Active Directory due to our corporations plan to
> incorporate all domains into a single domain. I asked to allow me to
> create
> a sub domain name (tree) under their AD but they do not want another AD
> around to be manage. They are not allow the local admnistrator of the
> group
> permission to access objects directly due to a "trust" issue. They are
> recommending using local machine policies instead on the XP machines. Do
> you
> have any suggestions about managing user objects without AD.
>
> --
> Bernard
.
- References:
- Prev by Date: Re: Set wallpaper with GPO
- Next by Date: Re: how to create domain policy to restrict users ???
- Previous by thread: Re: Do I need to upgrade my 2000/2003 servers to Active Directory
- Next by thread: custom SNMP ADM
- Index(es):
Relevant Pages
|
