Re: AD Design
- From: "Jorge de Almeida Pinto [MVP - DS]" <SubstituteThisWithMyFullNameSeparatedByDots@xxxxxxxxx>
- Date: Mon, 4 May 2009 23:22:46 +0200
If the new admins should NOT have Domain Admin permissions in your domain, then use either:
(1) put them in their own OU
(2) put them in their own forest
Their own domain in the same forest as yours does not help. If they know how, they can "elevate" themselves and screw up the forest! The forest is the security boundary, not the domain.
--
Cheers,
(HOPEFULLY THIS INFORMATION HELPS YOU!)
# Jorge de Almeida Pinto # MVP Identity & Access - Directory Services #
BLOG (WEB-BASED)--> http://blogs.dirteam.com/blogs/jorge/default.aspx
BLOG (RSS-FEEDS)--> http://blogs.dirteam.com/blogs/jorge/rss.aspx
------------------------------------------------------------------------------------------
* This posting is provided "AS IS" with no warranties and confers no rights!
* Always test ANY suggestion in a test environment before implementing!
------------------------------------------------------------------------------------------
#################################################
#################################################
------------------------------------------------------------------------------------------
"John McC" <JohnMcC@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message news:322ED5EA-64EA-4469-B72E-B8ECEDFFB950@xxxxxxxxxxxxxxxx
Hi All,
I hope this is the correct place to ask my question.
We have a single forest Active Directory with two domain trees. We are now
starting another company within the business thousands of miles away from our
company head office. The new business will have its own IT department, but
some IT-related work will still be done from HQ. The IT team in the remote
office will not need access to any resources in the head office domain. We
also have Exchange 2007 in the head office that will hold the mailboxes for
the users based in the new company office.
My question is: what is the best practice for creating a new domain for the
new business? We don't want the IT team in the new office to have any
control / admin permissions to the network / users etc. based at the head
office.
I was thinking that a new domain in the existing forest would be best. We
can give some members of the IT team Domain Admin permissions to the domain
for the remote office, but they would not have permissions to the head office
domain unless their account was added to existing groups or they were
delegated permissions.
Another option I was looking at was to create a new forest, but that would
create a new global catalogue / schema etc. and increase the complexity of the
network.
I am looking for views and opinions on how others would implement AD in this
situation.
Regards
John
__________ Information from ESET Smart Security, version of virus signature database 4052 (20090504) __________
The message was checked by ESET Smart Security.
http://www.eset.com
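Option (1) from the reply above, delegating a dedicated OU rather than handing out Domain Admin, is what the following PowerShell illustrates. This is an added example, not code from either poster: it assumes the ActiveDirectory module (RSAT) on a domain-joined admin host, and the OU name and group name are hypothetical. It creates the OU and a delegation group, grants that group control over user, group and computer objects inside the OU only, and then checks that nobody in the group has ended up in the forest-wide privileged groups.

```powershell
# Added example (not from the thread). Assumes the ActiveDirectory module and
# rights to modify the domain; OU and group names below are hypothetical.
Import-Module ActiveDirectory

$domainDN  = (Get-ADDomain).DistinguishedName
$ouName    = 'RemoteSite'            # hypothetical OU for the remote office
$groupName = 'RemoteSite-IT-Admins'  # hypothetical delegation group
$ouDN      = "OU=$ouName,$domainDN"

# 1. Create the OU (protected from accidental deletion) and the group it is delegated to.
if (-not (Get-ADOrganizationalUnit -LDAPFilter "(ou=$ouName)" -SearchBase $domainDN -SearchScope OneLevel)) {
    New-ADOrganizationalUnit -Name $ouName -Path $domainDN -ProtectedFromAccidentalDeletion $true
}
if (-not (Get-ADGroup -Filter "Name -eq '$groupName'")) {
    New-ADGroup -Name $groupName -GroupScope Global -GroupCategory Security -Path $ouDN
}
$sid = (Get-ADGroup -Identity $groupName).SID

# Look up the schemaIDGUID of an object class from the schema partition,
# so no GUIDs have to be hard-coded.
function Get-SchemaClassGuid {
    param([string]$ClassName)
    $schemaNC = (Get-ADRootDSE).schemaNamingContext
    $obj = Get-ADObject -SearchBase $schemaNC -LDAPFilter "(&(objectClass=classSchema)(lDAPDisplayName=$ClassName))" -Properties schemaIDGUID
    return [Guid]$obj.schemaIDGUID
}

# 2. Delegate: create/delete user, group and computer objects in the OU tree,
#    and full control over existing objects of those classes beneath it.
#    Nothing here touches objects outside $ouDN.
$rights      = [System.DirectoryServices.ActiveDirectoryRights]
$inherit     = [System.DirectoryServices.ActiveDirectorySecurityInheritance]
$allow       = [System.Security.AccessControl.AccessControlType]::Allow
$acl         = Get-Acl -Path "AD:\$ouDN"

foreach ($class in 'user', 'group', 'computer') {
    $classGuid = Get-SchemaClassGuid -ClassName $class

    # Allow creating and deleting objects of this class in the OU and its sub-OUs.
    $createDelete = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
        $sid, ($rights::CreateChild -bor $rights::DeleteChild), $allow, $classGuid, $inherit::All)
    $acl.AddAccessRule($createDelete)

    # Allow full control over objects of this class that live beneath the OU.
    $manage = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
        $sid, $rights::GenericAll, $allow, $inherit::Descendents, $classGuid)
    $acl.AddAccessRule($manage)
}
Set-Acl -Path "AD:\$ouDN" -AclObject $acl

# 3. Check: the delegated admins must not also sit in the groups that control the
#    forest. Membership here would undo the point of delegating an OU at all.
$delegated = Get-ADGroupMember -Identity $groupName -Recursive | Select-Object -ExpandProperty SamAccountName
$privileged = 'Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Administrators'
foreach ($pg in $privileged) {
    $members = Get-ADGroupMember -Identity $pg -Recursive -ErrorAction SilentlyContinue |
               Select-Object -ExpandProperty SamAccountName
    $overlap = $delegated | Where-Object { $members -contains $_ }
    if ($overlap) {
        Write-Warning "Delegated admin(s) found in '$pg': $($overlap -join ', ')"
    } else {
        Write-Host "OK: no $groupName members in '$pg'"
    }
}
```

Run step 3 on its own periodically (or from a scheduled task) as a standing check: group membership drifts, and a remote admin added to Enterprise Admins "just for a moment" has the forest-wide reach the reply above warns about, regardless of which domain they were meant to manage.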