Don't give them Schema Admin or Enterprise Admin rights. They will be unable to muck with anything at the enterprise level. If they corrupt their own Domain partition you can restore it or make them start from scratch.
Chris Green

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Andy Grafton
Sent: Wednesday, March 06, 2002 9:03 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Development Domain

We have Developers. They are Evil Beasts who like to mangle anything they can. They can kill any system with one line of code, from 50 paces, at the most unfortunate time imaginable.

Our corporate domain (say co.int) is a beautiful Active Directory thing with a single root and sites spread across Scandinavia. The Evil Beasts have their own, separate NT4 domains which they persecute - one on each site. They don't develop in the corporate domain. Not that we know of...

Now they are howling for Exchange 2000, live Active Directory with different sites, the ability to test their code against MS LDAP rather than faithful Unix. To encourage the sharing of resources between sites we shall set up an AD domain just for them.

The question has arisen: Do we give them their own domain, with separate root (say dev.int), or give them a child domain in our corporate tree (say dev.co.int)?

As far as I am aware, there is one Exchange Organisation and one AD database per tree. If the developers in dev.co.int kill something fundamental [not just a server in the child domain], there will be an impact on the parent domain co.int. Is this correct?

I'm all for making them a separate root from a keep-their-hands-off-my-infrastructure perspective, but colleagues argue that we will be better served by and integrated with the corporate domain (where they are logging in, most often) if we go with the parent-child scenario.

Does anyone out there have experience of this sort of thing? Are parent and child domains separated enough that the corruption of a child domain would not affect the parent? As I write this, I feel that I already know the answer, but I have to be sure before I argue my point...

All the best,
Andy

List info : http://www.activedir.org/mail_list.htm
List FAQ : http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
