Then my recommendation is to keep it real simple and you should be fine.
Case in point.

Create an OU Structure for your organization. I recommend the following.

AD
  -Dep/Org
        -Computers
        -Groups
        -OPs
          - Servers
          - Accounts
          - Groups
        -Users

Groups
The Domain Admins = Directory Administrators and they manage the entire
domain.

Create a Data Administrators group for each delegation.  In the Ops
container, block inheritance and give only the data admins access to it.
This way you can block some access within the directory.

Create a Global Group for Each Org OU Users; that way you can limit access to
workstation and server resources per delegation.

Don't get fancy or bushy.  It can cause issues.

Todd
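
The layout and Ops lockdown described above, as an added example that is not part of the original message, written against the ActiveDirectory PowerShell module. The domain `DC=example,DC=com`, the department name `Finance` and both group names are placeholders, and "block inheritance" is read here as disabling ACL inheritance on the Ops OU.

```powershell
# Added example: every name below (domain, department, groups) is a placeholder.
Import-Module ActiveDirectory

$domainDn = 'DC=example,DC=com'     # assumption: placeholder domain
$dept     = 'Finance'               # assumption: placeholder Dep/Org name
$deptDn   = "OU=$dept,$domainDn"
$opsDn    = "OU=OPs,$deptDn"

# Dep/Org OU with its Computers, Groups, OPs and Users children.
New-ADOrganizationalUnit -Name $dept -Path $domainDn
foreach ($name in 'Computers', 'Groups', 'OPs', 'Users') {
    New-ADOrganizationalUnit -Name $name -Path $deptDn
}
# OPs holds the delegation's own Servers, Accounts and Groups.
foreach ($name in 'Servers', 'Accounts', 'Groups') {
    New-ADOrganizationalUnit -Name $name -Path $opsDn
}

# One Data Administrators group per delegation, kept inside OPs.
$dataAdmins = New-ADGroup -Name "$dept Data Admins" -GroupScope Global `
    -GroupCategory Security -Path "OU=Groups,$opsDn" -PassThru

# One global group for this Org OU's users, for scoping workstation/server access.
New-ADGroup -Name "$dept Users" -GroupScope Global `
    -GroupCategory Security -Path "OU=Groups,$deptDn"

# Lock down OPs: stop inheriting ACEs from the parent and drop the inherited ones.
$acl = Get-Acl -Path "AD:\$opsDn"
$acl.SetAccessRuleProtection($true, $false)

# Grant the delegation's data admins full control over OPs and everything below it.
$ace = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $dataAdmins.SID,
    [System.DirectoryServices.ActiveDirectoryRights]::GenericAll,
    [System.Security.AccessControl.AccessControlType]::Allow,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All)
$acl.AddAccessRule($ace)
Set-Acl -Path "AD:\$opsDn" -AclObject $acl

# Review what is still explicitly granted on OPs (default ACEs such as
# Domain Admins and SYSTEM remain; trim others only after checking them).
(Get-Acl -Path "AD:\$opsDn").Access |
    Where-Object { -not $_.IsInherited } |
    Select-Object IdentityReference, ActiveDirectoryRights, AccessControlType
```

Disabling inheritance removes only inherited entries; the explicit ACEs that Active Directory stamps on a new OU stay in place, which is why the last command lists them for review.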



-----Original Message-----
From: Ayers, Diane [mailto:[EMAIL PROTECTED]] 
Sent: Wednesday, July 03, 2002 10:45 AM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] Active Dir Permissions tool


I'm not clear on what you mean by "view".  Third party tools can provide
specialized "views" into AD but that's my problem.  For the short term at
least, I'm stuck with the native tools.

Diane

-----Original Message-----
From: Myrick, Todd (CIT) [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, July 03, 2002 6:43 AM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] Active Dir Permissions tool


Well "Native" Delegation requires that you use some complex models to allow
people to "See" and "Administer" their OUs.  I would prefer creating a view
and delegating control within the view.  The "managed" view then only allows
the Admin to see and interact with what they control.  It is kind of hard to
do that in the native delegation.  

Todd

-----Original Message-----
From: Rick Kingslan [mailto:[EMAIL PROTECTED]] 
Sent: Wednesday, July 03, 2002 9:03 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Active Dir Permissions tool


Todd,

> I would stay away from data administration delegation, (OU Level 
> security) or keep it real basic.

Just curious - what is your objection to delegation?  Like I said - just
curious, and what are your suggestions to make it better?

Thanks for the input!

Rick Kingslan - Microsoft MVP [Windows NT/2000]
  Microsoft Certified Trainer
  MCSA, MCSE+I - Windows NT / 2000
  
"Any sufficiently advanced technology
is indistinguishable from magic."
  ---  Arthur C. Clarke





> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED]] On Behalf Of
> Myrick, Todd (CIT)
> Sent: Tuesday, July 02, 2002 9:59 PM
> To: '[EMAIL PROTECTED]'
> Subject: RE: [ActiveDir] Active Dir Permissions tool
> 
> 
> Hyena 4.2 is pretty good for directory level administration and admin. 
> $100.00 to $200.00
> 
> I would stay away from data administration delegation, (OU Level 
> security) or keep it real basic.
> (I like Aelita's EDM personally for delegation)
> 
> Also NetPro's Directory Troubleshooter is a great diagnostic tool.  
> $500 - $2000.00
> 
> NetIQ Appmanager is a good proactive Monitoring tool, $1000.00 per 
> server and $1000.00 per DC.  While you are there pick up ADCheck... 
> The free utility.
> 
> Aelita ERDisk for AD is a really important tool to have for object 
> level restores and backups.
> 
> Just my 2 Cents.
> 
> Todd
> 
> -----Original Message-----
> From: Ayers, Diane [mailto:[EMAIL PROTECTED]]
> Sent: Tuesday, July 02, 2002 5:09 PM
> To: '[EMAIL PROTECTED]'
> Subject: [ActiveDir] Active Dir Permissions tool
> 
> 
> All:
> 
> Due to circumstances beyond my control all my budget to purchase some AD
> management tools was zeroed out.   I had identified a couple of
> "enterprise level" tools that I was in the process of acquiring when some
> internal budget issues prevented me from consummating the deal.   Now I'm
> left looking for some "low end" tools (translation: inexpensive) that might
> help in simplifying managing security entries in AD a fairly complex
> administrative model.
> 
> If anyone has any suggestions, I'm all ears.
> 
> Diane
> 
> PS: yea, and I'm really pissed off too...
> List info   : http://www.activedir.org/mail_list.htm
> List FAQ    : http://www.activedir.org/list_faq.htm
> List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
> 

