Re: Branch Office DC Best Practice

We are not talking about making the office admins "Administrators" of the DCs;
we are talking about giving some office admins control over their office
DCs only.

--
I hope that the information above helps you

Good Luck
Jorge Silva
MCSA
Systems Administrator

"Jorge de Almeida Pinto [MVP]"
<SubstituteThisWithMyFullNameSeparatedByDots@xxxxxxxxx> wrote in message
news:Om6gcYLlGHA.836@xxxxxxxxxxxxxxxxxxxxxxx
Create a separate OU for each office DC, and delegate control
separately. (Link Domain Controllers Policy to that OU)

You cannot make someone admin of only one DC while not giving access to other
DCs...
What I mean is: either he gives access to ALL DCs or none.

--

Cheers,
(HOPEFULLY THIS INFORMATION HELPS YOU!)

# Jorge de Almeida Pinto # MVP Windows Server - Directory Services

BLOG (WEB-BASED)--> http://blogs.dirteam.com/blogs/jorge/default.aspx
BLOG (RSS-FEEDS)--> http://blogs.dirteam.com/blogs/jorge/rss.aspx
------------------------------------------------------------------------------------------
* This posting is provided "AS IS" with no warranties and confers no
rights!
* Always test before implementing!
------------------------------------------------------------------------------------------
#################################################
#################################################
------------------------------------------------------------------------------------------
"Jorge Silva" <jorgesilva_pt@xxxxxxxxxxx> wrote in message
news:O80OcOLlGHA.4508@xxxxxxxxxxxxxxxxxxxxxxx
Won't work. It is all or nothing... and as for DCs it is better
"NOTHING" for regular users/admins

???

--
I hope that the information above helps you

Good Luck
Jorge Silva
MCSA
Systems Administrator

"Jorge de Almeida Pinto [MVP]"
<SubstituteThisWithMyFullNameSeparatedByDots@xxxxxxxxx> wrote in message
news:%23iLijrKlGHA.4180@xxxxxxxxxxxxxxxxxxxxxxx
Won't work. It is all or nothing... and as for DCs it is better
"NOTHING" for regular users/admins

--

Cheers,
(HOPEFULLY THIS INFORMATION HELPS YOU!)

# Jorge de Almeida Pinto # MVP Windows Server - Directory Services

BLOG (WEB-BASED)--> http://blogs.dirteam.com/blogs/jorge/default.aspx
BLOG (RSS-FEEDS)--> http://blogs.dirteam.com/blogs/jorge/rss.aspx
------------------------------------------------------------------------------------------
* This posting is provided "AS IS" with no warranties and confers no
rights!
* Always test before implementing!
------------------------------------------------------------------------------------------
#################################################
#################################################
------------------------------------------------------------------------------------------
"Jorge Silva" <jorgesilva_pt@xxxxxxxxxxx> wrote in message
news:OXPC$SIlGHA.1936@xxxxxxxxxxxxxxxxxxxxxxx
Hi

- I'm assuming that you have only one domain, and several sites

In line

I do not want them all to be Domain Admins.

Good point. Make sure you don't; that's why Microsoft designed
Delegation of Control.

Here's what I was thinking...
1) Create an OU for each Office and a group for each set of techs

- Make sure that you create the security group in an OU at the same
level as other Office OUs; this prevents members of that group from
giving permissions to itself.
- Depending on your needs, generally you should create sub-OUs for
Servers, Workstations and Servers.

2) Delegate Control on the OU for each office giving the techs full
control

Ok, don't forget, the Group must be in a different OU at the same level
as the others.

3) Create GPO setting restricted groups so that local admins includes
Domain Admins, the local tech group and Administrator and link to the
OU.

- Sounds good.

So far I think that covers everything except the DC at the site. They
need to be able to do backups and server maintenance. But if I add
each group to the local Server admins for the domain they will have
permission on all DC's

- Create a separate OU for each office DC, and delegate control
separately. (Link Domain Controllers Policy to that OU)

--
I hope that the information above helps you

Good Luck
Jorge Silva
MCSA
Systems Administrator

<kessenj@xxxxxxx> wrote in message
news:1150814476.716569.295500@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
We have several branch offices. Each office has a tech group and
several servers, including a DC.

I want the local tech group to have full control of everything at
their own site (including user accounts, groups and computer accounts), but
as little as possible in anyone else's.

I do not want them all to be Domain Admins.

Here's what I was thinking...
1) Create an OU for each Office and a group for each set of techs

2) Delegate Control on the OU for each office giving the techs full
control

3) Create GPO setting restricted groups so that local admins includes
Domain Admins, the local tech group and Administrator and link to the
OU.


So far I think that covers everything except the DC at the site. They
need to be able to do backups and server maintenance. But if I add
each group to the local Server admins for the domain they will have
permission on all DC's

Any thoughts??
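
Steps 1 and 2 of the plan discussed in this thread (per-office OU, tech group kept in a sibling OU, full control delegated on the office OU), followed by two checks of the result. This is an added example, not code from any poster in the thread; the domain `contoso.example`, the office name `Lisbon`, the `Delegation Groups` OU and the `Lisbon-Techs` group are hypothetical names. It deliberately leaves the branch DCs alone, since the posters disagree on whether they can be delegated per office.

```powershell
# Added illustration; all names below are hypothetical placeholders.
Import-Module ActiveDirectory

$domainDN  = 'DC=contoso,DC=example'
$office    = 'Lisbon'
$officeOU  = "OU=$office,$domainDN"
$groupsOU  = "OU=Delegation Groups,$domainDN"   # sibling of the office OUs
$groupName = "$office-Techs"

# Step 1: one OU per office, plus a sibling OU that holds the tech groups.
foreach ($name in $office, 'Delegation Groups') {
    $exists = Get-ADOrganizationalUnit -Filter "Name -eq '$name'" `
                  -SearchBase $domainDN -SearchScope OneLevel
    if (-not $exists) { New-ADOrganizationalUnit -Name $name -Path $domainDN }
}
New-ADGroup -Name $groupName -GroupScope Global -GroupCategory Security -Path $groupsOU

# Step 2: full control (GA) on the office OU and everything below it (/I:T).
$netbios = (Get-ADDomain).NetBIOSName
dsacls $officeOU /I:T /G "$netbios\${groupName}:GA"

# Check 1: the tech group must not live inside the OU it has full control
# over, otherwise its members could change the group's own membership.
$group = Get-ADGroup -Identity $groupName
if ($group.DistinguishedName -like "*,$officeOU") {
    Write-Warning "$groupName is inside $officeOU; move it to $groupsOU"
}

# Check 2: no tech should also be a (nested) member of Domain Admins.
$admins = (Get-ADGroupMember -Identity 'Domain Admins' -Recursive).SID.Value
Get-ADGroupMember -Identity $groupName -Recursive |
    Where-Object { $admins -contains $_.SID.Value } |
    ForEach-Object { Write-Warning "$($_.SamAccountName) is also a Domain Admin" }
```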










