Re: Delegating control to sites




A few things:
1) If you don't already have them, create OUs for each administrative unit
that the ex-domain admins will be responsible for. Then you can create
policies that apply to that specific unit.
2) At each OU, delegate what you want them to do
3) Don't edit the default domain policy (unless there is something very
specific you are trying to achieve across the whole domain)
4) Use Restricted Groups to make them members of whatever local groups you
want on the servers.
5) Use groups, not individuals, so you don't have to do it all again if
someone leaves or moves (e.g. AdminsSite1)
6) They will bitch and moan that they can't do their job unless they have
domain admin rights. You need to document what they should be able to do,
and make sure they can do it. For example, if a new server joins the domain
it will be created by default in the Computer OU, or another OU you have
selected. They need the rights to move it from there to their OU, or else
you need to have someone on hand to do it when they need. Other examples:
can they administer DHCP on their site? Can they create aliases in DNS? Can
they shut down and back up a domain controller?
7) Work out who the backup domain admins are when you are away
Lots of things to get right, but definitely the right way to go,
Anthony




"Enterprise Admin" <EnterpriseAdmin@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in
message news:CC498ABE-A87F-4224-A860-3FA8344FB59A@xxxxxxxxxxxxxxxx
I have domain admins in my organization. They are each located in a different
site. I want to remove them from Domain Admins and delegate control over
their respective site. They handle all administrative tasks at their site. I
know Microsoft says this works but I just need to be sure because I have
never done this before. I will edit the default domain policy to help grant
them the necessary permissions, add them to the administrators group on the
file and print servers, and use the wizard to delegate control in Sites and
Services. I will not create any additional domains. Will they still be able
to do their jobs?
Why? Because I don't want one of them, especially new hires and the lower
skilled admins, to be able to bring down our network/AD accidentally.
Thank You
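
The OU-and-group delegation described in the reply above, as an added example that is not part of the original thread. It assumes the ActiveDirectory PowerShell module and dsacls are available; the domain `example.com`, the OU `Site1` and the account `jdoe` are placeholders, and the rights granted are one illustrative choice, not a recommended set.

```powershell
# Added example, not from the thread. All names are placeholders except the
# group name AdminsSite1, which the reply itself suggests.
Import-Module ActiveDirectory

$domainDn  = 'DC=example,DC=com'      # placeholder domain
$netbios   = 'EXAMPLE'                # placeholder NetBIOS domain name
$siteOuDn  = "OU=Site1,$domainDn"
$siteGroup = 'AdminsSite1'
$siteAdmin = 'jdoe'                   # constructed account name

# Points 1 and 5: one OU per administrative unit, and a group rather than
# individual accounts as the delegation target.
New-ADOrganizationalUnit -Name 'Site1' -Path $domainDn
New-ADGroup -Name $siteGroup -GroupScope Global -GroupCategory Security -Path $siteOuDn
Add-ADGroupMember -Identity $siteGroup -Members $siteAdmin

# Point 2: delegate at the OU. Here the group may create and delete computer
# objects in the OU and has full control of computer objects below it.
# Which rights are actually needed is an assumption; document them first.
dsacls $siteOuDn /I:T /G "${netbios}\${siteGroup}:CCDC;computer"
dsacls $siteOuDn /I:S /G "${netbios}\${siteGroup}:GA;;computer"

# Once the delegated tasks have been tested, remove the domain-wide right.
Remove-ADGroupMember -Identity 'Domain Admins' -Members $siteAdmin -Confirm:$false

# Review the result: who is still a Domain Admin, and which ACEs the site
# group now holds on its OU.
Get-ADGroupMember -Identity 'Domain Admins' |
    Select-Object Name, SamAccountName

(Get-Acl -Path "AD:\$siteOuDn").Access |
    Where-Object { $_.IdentityReference -like "*\$siteGroup" } |
    Select-Object IdentityReference, ActiveDirectoryRights, ObjectType, InheritedObjectType
```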

