In general, I'd say not to do it at all, although there is no *technical* reason it can't be done - at least none of which I which I am aware.
I have 3 accounts (ok, 4 if you count my Unix ID) which I use: -General User account -Production Domain admin account -Root Domain admin account It is probably a little bit of overkill to have 2 different admin accounts, rather than one, but the reality is that I rarely need to log in as the root admin account. Since that account also has Enterprise and Schema admin priviledges, I find it a bit too powerful to use day to day for admin work. The other piece of the puzzle is that you created an empty root for the reason of separating administration from the main (I call it production) domain. Why undo that by creating cross domain delegation of adminisatrative rights? Roger -------------------------------------------------------------- Roger D. Seielstad - MTS MCSE MS-MVP Sr. Systems Administrator Inovis Inc. > -----Original Message----- > From: Graham Turner [mailto:[EMAIL PROTECTED] > Sent: Wednesday, May 28, 2003 9:36 AM > To: [EMAIL PROTECTED] > Subject: [ActiveDir] delegation of root domain admin > > > apologies if i have already posted here, but this still > remains on my issue log > > would very much like to be able to get information on > strategies for the delegation of site / subnet administration > (on foreest root DC's) to child domain security principals > > Thanks > > GT > > > List info : http://www.activedir.org/mail_list.htm > List FAQ : http://www.activedir.org/list_faq.htm > List archive: > http://www.mail-archive.com/activedir%> 40mail.activedir.org/ > List info : http://www.activedir.org/mail_list.htm List FAQ : http://www.activedir.org/list_faq.htm List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
