Roger, thank you for your reply. It would seem what I am trying to separate here is the admin of the sites / subnets - a generally low impact change - from that of the rest of the forest root.
Not sure of the default permissions to administer sites / subnets - but I would guess under default ACLs it needs to be fairly highly privileged?? I would agree with totally separate accounts for schema admin, but not necessarily sites and subnets, which is a much more frequent occurrence and generally assigned to a more junior administrator and by corollary should not be assigned a privileged account.

GT

----- Original Message -----
From: "Roger Seielstad" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Wednesday, May 28, 2003 5:12 PM
Subject: RE: [ActiveDir] delegation of root domain admin

> In general, I'd say not to do it at all, although there is no *technical*
> reason it can't be done - at least none of which I am aware.
>
> I have 3 accounts (ok, 4 if you count my Unix ID) which I use:
> -General User account
> -Production Domain admin account
> -Root Domain admin account
>
> It is probably a little bit of overkill to have 2 different admin accounts,
> rather than one, but the reality is that I rarely need to log in as the root
> admin account. Since that account also has Enterprise and Schema admin
> privileges, I find it a bit too powerful to use day to day for admin work.
>
> The other piece of the puzzle is that you created an empty root for the
> reason of separating administration from the main (I call it production)
> domain. Why undo that by creating cross domain delegation of administrative
> rights?
>
> Roger
> --------------------------------------------------------------
> Roger D. Seielstad - MTS MCSE MS-MVP
> Sr. Systems Administrator
> Inovis Inc.
>
> > -----Original Message-----
> > From: Graham Turner [mailto:[EMAIL PROTECTED]
> > Sent: Wednesday, May 28, 2003 9:36 AM
> > To: [EMAIL PROTECTED]
> > Subject: [ActiveDir] delegation of root domain admin
> >
> >
> > Apologies if I have already posted here, but this still
> > remains on my issue log
> >
> > Would very much like to be able to get information on
> > strategies for the delegation of site / subnet administration
> > (on forest root DCs) to child domain security principals
> >
> > Thanks
> >
> > GT
> >
> >
> > List info : http://www.activedir.org/mail_list.htm
> > List FAQ : http://www.activedir.org/list_faq.htm
> > List archive:
> > http://www.mail-archive.com/activedir%40mail.activedir.org/
