Re: Role based permissions
- From: "Joe Richards [MVP]" <humorexpress@xxxxxxxxxxx>
- Date: Thu, 31 May 2007 17:04:11 -0400
You may want to look at the Active Directory Delegation whitepaper. It is a bit older now and has some issues but would be a good start.
As a simple guide, if you have more than 3-5 domain admins for a single forest, you really have too many DAs. The DAs should be a single group for the entire forest who are responsible for the core functioning of the entire forest - i.e. Service Admins. Folks who deal with computers in the forest (aside from DCs) and users and groups in the forest are data admins and have no need of domain admin rights.
As for specific roles, it depends entirely on what you have set up for your management internally.
--
Joe Richards Microsoft MVP Windows Server Directory Services
Author of O'Reilly Active Directory Third Edition
www.joeware.net
---O'Reilly Active Directory Third Edition now available---
http://www.joeware.net/win/ad3e.htm
Eshprof wrote:
Can anyone recommend a link for guidance in creating role based permissions? Our sys admins have been assigning way too many people the Domain Admins group and we need to create a more sane subset of role based administrative groups.
Thanks.
Eshprof
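
The rule of thumb in the reply above (no more than 3-5 Domain Admins for a single forest) can be checked with a short audit. This is an added example, not part of the original thread; it assumes the ActiveDirectory PowerShell module (RSAT) is installed, and the variable names and the threshold of 5 are choices made here.

```powershell
# Added example: audit Domain Admins membership across a forest.
# Assumes the ActiveDirectory module (RSAT) and read access to every domain.
Import-Module ActiveDirectory

$MaxForestDAs = 5   # upper end of the "3-5" guideline; adjust to local policy

$members = foreach ($domainName in (Get-ADForest).Domains) {
    $domain = Get-ADDomain -Server $domainName
    # Domain Admins is the well-known RID 512; resolving by SID still works
    # if the group has been renamed.
    $daSid = "$($domain.DomainSID.Value)-512"
    # -Recursive expands nested groups down to the accounts that hold the right.
    Get-ADGroupMember -Identity $daSid -Server $domainName -Recursive |
        ForEach-Object {
            [pscustomobject]@{
                Domain         = $domainName
                SamAccountName = $_.SamAccountName
                ObjectClass    = $_.objectClass
                SID            = $_.SID.Value
            }
        }
}

$unique = @($members | Sort-Object SID -Unique)

# Per-domain breakdown, then the full list of accounts to review.
$unique | Group-Object Domain | Select-Object Name, Count | Format-Table -AutoSize
$unique | Sort-Object Domain, SamAccountName | Format-Table -AutoSize

# The guideline is forest-wide, so compare the total, not each domain's count.
if ($unique.Count -gt $MaxForestDAs) {
    Write-Warning ("{0} accounts hold Domain Admins in this forest (guideline: at most {1})." -f $unique.Count, $MaxForestDAs)
}
```

Accounts in the output that only manage users, groups or member computers are the data admins the reply describes, and are candidates for delegated rights instead of Domain Admins.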