Re: Child Local Administrators



Hi, sorry to refresh the time stamp on this posting, I was hoping
someone had some experience with Microsoft's best practice for
delegating Active Directory Service Administration. Can anyone share
a similar political battle where the owner of a child domain in the
forest was asking for such elevated rights? Is it safe to delegate
Domain Configuration and DC Administrator rights (both of which are
members of the local administrators group in the child) to a separate
business area without compromising the whole forest? I'm always nervous
because with these rights you have access to the child domain's DC that
has SYSVOL, access to the file system where the AD database file(s)
etc... The problem is this separate business area is only accountable
for the child domain, not the forest.



I've posted the URL to the MS best practice.

http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/directory/activedirectory/actdid2.mspx

Craig
