>>when the GPO guys screwed up on the main account domains.  They locked down EVERY single userid to kiosk mode
 
Most people mitigate this sort of risk by technical review, automating the change application, and testing in a separate test forest.  I can't see creating a separate domain as a "safe haven" for screwups like that. And it doesn't provide a safe haven from lots of other potential screwups like replication topology changes or schema mods.
 
-gil
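Gil's mitigations above (technical review, automating the change application, testing before production) and Rocky's account of the kiosk-mode GPO further down the thread, as an added PowerShell example that is not from anyone on the list: one function checks that the forest root domain still carries no GPO links beyond the Default Domain Policy (the "safe haven" invariant), the other refuses to link a GPO at a domain root until it is linked at a pilot OU and backed up, and then links it disabled so a reviewer flips it on. Domain names, the pilot OU, the GPO name and the backup share are assumed placeholders; the script needs the RSAT GroupPolicy and ActiveDirectory modules and an account that can already link GPOs.

```powershell
# Added example (not from the list posting): guards around domain-level GPO
# changes of the kind that locked every user into kiosk mode.
# Assumes the GroupPolicy and ActiveDirectory modules (RSAT). Domain DNs,
# the pilot OU, the GPO name and the backup path are placeholders.
Import-Module GroupPolicy
Import-Module ActiveDirectory

# 1. Safe-haven invariant: the forest root domain should carry no GPO links
#    beyond the Default Domain Policy, so a mistake made in a child domain
#    cannot reach the forest admin accounts that live in the root.
function Test-RootDomainClean {
    param([string]$RootDomainDn)   # e.g. 'DC=corp,DC=example,DC=com' (placeholder)
    $links = (Get-GPInheritance -Target $RootDomainDn).GpoLinks
    $extra = @($links | Where-Object { $_.DisplayName -ne 'Default Domain Policy' })
    foreach ($l in $extra) {
        Write-Warning ("Unexpected link at forest root: {0} (enabled={1}, enforced={2})" -f
            $l.DisplayName, $l.Enabled, $l.Enforced)
    }
    return ($extra.Count -eq 0)
}

# 2. Staged change application: refuse to link a GPO at a domain root unless
#    it is already linked and enabled at a pilot OU (reviewers' own test
#    accounts and machines) and a rollback backup has just been taken.
function Invoke-DomainGpoLink {
    param(
        [string]$GpoName,       # e.g. 'Desktop Lockdown' (placeholder)
        [string]$DomainDn,      # e.g. 'DC=accounts,DC=corp,DC=example,DC=com'
        [string]$PilotOuDn,     # e.g. 'OU=GPO Pilot,DC=accounts,DC=corp,DC=example,DC=com'
        [string]$BackupPath     # e.g. '\\fileserver\gpo-backups'
    )
    $gpo = Get-GPO -Name $GpoName -ErrorAction Stop

    # Pilot check: same GPO object (by GUID), link present and enabled.
    $pilot = (Get-GPInheritance -Target $PilotOuDn).GpoLinks |
        Where-Object { $_.GpoId -eq $gpo.Id -and $_.Enabled }
    if (-not $pilot) {
        throw "'$GpoName' is not linked and enabled at pilot OU $PilotOuDn; test it there first."
    }

    # Rollback point taken immediately before the production link.
    $backup = Backup-GPO -Guid $gpo.Id -Path $BackupPath -Comment "pre-link to $DomainDn"
    Write-Host "Backup $($backup.Id) written to $BackupPath"

    # Link disabled first: a separate, reviewed step enables it, so a bad
    # link never applies at the next refresh before anyone has looked at it.
    New-GPLink -Guid $gpo.Id -Target $DomainDn -LinkEnabled No -ErrorAction Stop | Out-Null
    Write-Host "'$GpoName' linked (disabled) at $DomainDn; enable with Set-GPLink -LinkEnabled Yes after review."
}

# Example run with the placeholder names above:
# Test-RootDomainClean -RootDomainDn 'DC=corp,DC=example,DC=com'
# Invoke-DomainGpoLink -GpoName 'Desktop Lockdown' `
#     -DomainDn 'DC=accounts,DC=corp,DC=example,DC=com' `
#     -PilotOuDn 'OU=GPO Pilot,DC=accounts,DC=corp,DC=example,DC=com' `
#     -BackupPath '\\fileserver\gpo-backups'
```

The pilot OU check is what stands in for the test forest when you do not have one: a GPO that has never been applied to the reviewers' own accounts never reaches the domain root. Restore-GPO against the backup ID printed above is the undo path if the enabled link still turns out to be wrong.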
 

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Thursday, January 19, 2006 11:10 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OU Delegation

Exactly. There are good reasons for and against both multiple domains (including empty) and multiple forests. A safe haven from domain level GPOs or a final QA point for domain level modifications are things I wouldn't push against. Does it make sense for everyone? Depends on your management structure and concerns - some will see that as an issue that could impact them, others could see it as nothing. Using one as a security barrier to protect against hacking of the enterprise/schema admin is one I would push against because it doesn't actually do anything to help that. Organization of the forest is one that could easily go either way, tough to argue it as it really isn't technically based. In larger multidomain environments, I tend to like empty roots because the overhead is usually quite minimal in relation to everything else and it is a great place to deploy new patches, etc.
 
 

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Thursday, January 19, 2006 9:55 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OU Delegation

<candid=on>
As we've heard before today - do a cost/benefit study.
 
Is it really prudent to build an extra domain with the incurred overheads just in case someone makes a mistake? There are doubtless other mistakes which can only be mitigated by building a separate forest.
 
There may be good reasons (and bad ones too) for building a placeholder domain - these reasons need to be weighed against the incurred costs (over at least a 3 year period).
<candid=off>
 
neil

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rocky Habeeb
Sent: 19 January 2006 14:37
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OU Delegation

"The biggest thing about an empty forest root is it is a safe haven.  Safe haven: A domain where the god rights live and you don't apply any GPOs or other things that can get out of hand and hurt you.  This actually saved my a__ once at [deleted] when the GPO guys screwed up on the main account domains.  They locked down EVERY single userid to kiosk mode.  Fortunately they have no rights in the root domain so couldn't do anything to my IDs so I could log onto my PC with the forest root ID and undo what they did."
 
Verbatim quote from one of the top [I mean "REALLY TOP"] AD guys on this list to me in an offline when I asked him about whether or not I should do an empty root.  I did it.
 
RH
_________________________________________________________
 
-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Wednesday, January 18, 2006 8:13 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OU Delegation

Well I didn't say I don't see the benefit of an empty root. I just don't see it as a generic best practice. Sometimes it makes a ton of sense, sometimes someone needs to be slapped for bringing it up. ;o)
  
   joe


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Wednesday, January 18, 2006 5:11 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OU Delegation

Boy, I just had a consultant recommend an empty root “as best practice” for a divestiture we’re doing.  Like Gil and Joe, I really don’t see the benefit (nor could the consultant name anything specifically).

 

We have a single domain and delegate OU rights based basically on an administrative team’s need to manage a group of resources, typically computers.  Users, groups and Exchange are managed centrally.  Moving things around within one domain is a whole lot easier than among domains.

 

AL

Al Maurer
Service Manager, Naming and Authentication Services
IT | Information Technology
Agilent Technologies
(719) 590-2639; Telnet 590-2639
http://activedirectory.it.agilent.com


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Gil Kirkpatrick
Sent: Thursday, January 12, 2006 10:50 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OU Delegation

 

As joe says, "it depends". AD architecture is always a cost/benefit discussion, and most people don't really understand 1) the real benefits of multiple domains, and 2) the additional costs of running multiple domains.

 

For instance, "additional security" is often cited as a benefit of an empty root. An empty root maybe provides a little additional security, but not much. The benefit depends on your own risk evaluation.

 

On the other hand, the ongoing operational cost of a two domain forest is considerably higher than a single domain forest. Additional hardware costs, additional diagnostic complexity, and a more complicated DR situation all add to the costs of running multiple domains.

 

My general recommendation is to stick with a single domain if you can, and add additional domains if you need to for password policy or controlling replication traffic. And if you find you have to have multiple domains anyway, use an empty root, because the incremental cost of an additional domain if you already have more than one is pretty small.

 

But, "it depends".

 

-gil

 


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Thursday, January 12, 2006 9:32 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OU Delegation

Ah, good ol' best practices. :)

 

What is recommended? Whatever is best for the customer of course.

 

I guess my question is why one domain and one root versus just one domain? What is the purpose of the root? I am not saying this is bad by any stretch, there are good valid reasons for a root with other domains hanging off of it. Just curious what the decision flow was like to do it. Hopefully it wasn't something along the lines of reading "an empty root" is good somewhere and going for it as it is totally context sensitive.

 

I would say the overall design goal, especially when Exchange is involved is to use a single domain forest. However, if there is a good reason to add more domains, do it. Usually when someone says they have a domain and a root they mean they have a domain and an EMPTY root and I wonder about how the decision was arrived at.

 

We have had this discussion previously on the list where some people are gung ho empty root and some people are gung ho no-empty root and both pointing at best practices. I am more of the does it make sense in this specific situation kind of person.

 

 


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Harding, Devon
Sent: Thursday, January 12, 2006 11:12 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OU Delegation

Well, I just thought it would be best practice to consolidate multiple domains to one.  What’s recommended?

 


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Wednesday, January 11, 2006 7:58 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OU Delegation

 

You want to look at a couple of main points

 

1. How do you plan to delegate the permissions, i.e. the groupings of machines, users, etc.

2. How do you plan to do GPOs, if at all.

3. How is the administration really going to work. For instance, if you use a provisioning system for managing users (highly recommended) you don't generally want to delegate those to local OU admins but instead keep them in a main OU that only the provisioning system has control over.

 

Why one domain and one root domain? I am not arguing one way or the other, just curious for the reasoning.
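Joe's three points above and Devon's original question about delegating admin permissions on OUs, as an added PowerShell example that is not from anyone on the list: a division's admin team gets create/delete and full control over computer objects in its own OU, a help desk group gets only the Reset Password extended right on that division's users, and the central user OU is writable only by the provisioning system's account. Schema and extended-right GUIDs are looked up rather than hard-coded. OU paths, group names and the provisioning account are assumed placeholders; the script needs the RSAT ActiveDirectory module (for the AD: drive) and an account that can write the OU ACLs.

```powershell
# Added example (not from the list posting): OU delegation by object class
# and extended right. Assumes the ActiveDirectory module (RSAT). OU DNs,
# group names and the provisioning account are placeholders.
Import-Module ActiveDirectory

# Resolve a schema class (computer, user, group, ...) to its schemaIDGUID.
function Get-AdSchemaGuid {
    param([string]$LdapDisplayName)
    $schema = (Get-ADRootDSE).schemaNamingContext
    $obj = Get-ADObject -SearchBase $schema -LDAPFilter "(lDAPDisplayName=$LdapDisplayName)" -Properties schemaIDGUID
    return [guid]$obj.schemaIDGUID
}

# Resolve an extended right (e.g. 'Reset Password') to its rightsGuid.
function Get-AdExtendedRightGuid {
    param([string]$DisplayName)
    $cfg = (Get-ADRootDSE).configurationNamingContext
    $obj = Get-ADObject -SearchBase "CN=Extended-Rights,$cfg" -LDAPFilter "(displayName=$DisplayName)" -Properties rightsGuid
    return [guid]$obj.rightsGuid
}

# Give a group create/delete plus full control over ONE object class in an
# OU subtree. Other classes in the same OU are untouched, which is what keeps
# a workstation team from touching users or groups that happen to sit nearby.
function Grant-OuClassControl {
    param([string]$OuDn, [string]$GroupName, [string]$ClassName)
    $sid = (Get-ADGroup -Identity $GroupName).SID
    $classGuid = Get-AdSchemaGuid $ClassName
    $acl = Get-Acl -Path "AD:\$OuDn"

    # Create/delete child objects of this class in the OU and its sub-OUs.
    $acl.AddAccessRule([System.DirectoryServices.ActiveDirectoryAccessRule]::new(
        $sid, 'CreateChild, DeleteChild', 'Allow', $classGuid, 'All'))
    # Full control over existing objects of this class only (inherited-object type).
    $acl.AddAccessRule([System.DirectoryServices.ActiveDirectoryAccessRule]::new(
        $sid, 'GenericAll', 'Allow', 'Descendents', $classGuid))

    Set-Acl -Path "AD:\$OuDn" -AclObject $acl
}

# Password reset only, as an extended right scoped to user objects.
function Grant-OuPasswordReset {
    param([string]$OuDn, [string]$GroupName)
    $sid = (Get-ADGroup -Identity $GroupName).SID
    $userGuid = Get-AdSchemaGuid 'user'
    $resetGuid = Get-AdExtendedRightGuid 'Reset Password'
    $acl = Get-Acl -Path "AD:\$OuDn"
    $acl.AddAccessRule([System.DirectoryServices.ActiveDirectoryAccessRule]::new(
        $sid, 'ExtendedRight', 'Allow', $resetGuid, 'Descendents', $userGuid))
    Set-Acl -Path "AD:\$OuDn" -AclObject $acl
}

# Review step: list the explicit (non-inherited) ACEs on an OU.
function Get-OuDelegation {
    param([string]$OuDn)
    (Get-Acl -Path "AD:\$OuDn").Access |
        Where-Object { -not $_.IsInherited } |
        Select-Object IdentityReference, ActiveDirectoryRights, ObjectType, InheritedObjectType, InheritanceType
}

# Example wiring with placeholder names: the 'Sales' division manages its own
# computers, its help desk resets its users' passwords, and the central user
# OU is written only by the provisioning service account.
# Grant-OuClassControl -OuDn 'OU=Computers,OU=Sales,DC=corp,DC=example,DC=com' -GroupName 'Sales-Workstation-Admins' -ClassName 'computer'
# Grant-OuPasswordReset -OuDn 'OU=Users,OU=Sales,DC=corp,DC=example,DC=com' -GroupName 'Sales-HelpDesk'
# Grant-OuClassControl -OuDn 'OU=Users,DC=corp,DC=example,DC=com' -GroupName 'Provisioning-Service' -ClassName 'user'
# Get-OuDelegation -OuDn 'OU=Computers,OU=Sales,DC=corp,DC=example,DC=com'
```

Delegating to groups rather than individual accounts, and on the OU rather than on objects, is what makes a later move between OUs inside the one domain cheap: the object picks up the new OU's inherited ACEs and drops the old ones, with no SID history or cross-domain trust work involved. Get-OuDelegation is the check to run after each grant, since GenericAll on the wrong class or with inheritance 'All' on the OU itself is the usual way a "computers only" delegation quietly becomes control over everything in the subtree.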

 

 

 

 


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Harding, Devon
Sent: Wednesday, January 11, 2006 4:24 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] OU Delegation

We’re in the process of consolidating 21 child domains into just one and one root.  We want to separate the divisions (domains) into different OUs.  Is there a guide or best practice out there on delegating admin permissions on OUs?  Also, we’ve got Exchange permissions to deal with too.

 

Devon Harding

Windows Systems Engineer

Southern Wine & Spirits - BSG

954-602-2469

 


__________________________________
This message and any attachments are solely for the intended
recipient and may contain confidential or privileged information.
If you are not the intended recipient, any disclosure, copying, use
or distribution of the information included in the message and any
attachments is prohibited. If you have received this communication
in error, please notify us by reply e-mail and immediately and
permanently delete this message and any attachments. Thank You.

PLEASE READ: The information contained in this email is confidential and
intended for the named recipient(s) only. If you are not an intended
recipient of this email please notify the sender immediately and delete your
copy from your system. You must not copy, distribute or take any further
action in reliance on it. Email is not a secure method of communication and
Nomura International plc ('NIplc') will not, to the extent permitted by law,
accept responsibility or liability for (a) the accuracy or completeness of,
or (b) the presence of any virus, worm or similar malicious or disabling
code in, this message or any attachment(s) to it. If verification of this
email is sought then please request a hard copy. Unless otherwise stated
this email: (1) is not, and should not be treated or relied upon as,
investment research; (2) contains views or opinions that are solely those of
the author and do not necessarily represent those of NIplc; (3) is intended
for informational purposes only and is not a recommendation, solicitation or
offer to buy or sell securities or related financial instruments. NIplc
does not provide investment services to private customers. Authorised and
regulated by the Financial Services Authority. Registered in England
no. 1550505 VAT No. 447 2492 35. Registered Office: 1 St Martin's-le-Grand,
London, EC1A 4NP. A member of the Nomura group of companies.
