Lord no - I wouldn't trust sites and subnet changes to lower level admins.
One bad change and an entire site (or sites) lose replication.

Also, even considering that I've worked for two fairly fast paced and very
dynamic companies, post-deployment I rarely make changes to either. In fact,
I have made exactly two changes in the last 12 months, both supporting
office moves.

Keep in mind what modifying each of these items actually represents - you're
affecting a number of areas of AD other than just which domain controllers
are used for authentication. You're affecting replication topology, group
policy application, and a number of other factors.

Personally, I don't think any of the administration relegated to a root
domain within an empty root style forest should be done by junior admins.
Especially unsupervised.

Roger
--------------------------------------------------------------
Roger D. Seielstad - MTS MCSE MS-MVP
Sr. Systems Administrator
Inovis Inc.


> -----Original Message-----
> From: Graham Turner [mailto:[EMAIL PROTECTED] 
> Sent: Wednesday, May 28, 2003 12:58 PM
> To: [EMAIL PROTECTED]
> Subject: Re: [ActiveDir] delegation of root domain admin
> 
> 
> Roger, I thank you for your reply.
> 
> It would seem what I am trying to separate here is the admin 
> of the sites / subnets - a generally low impact change - from 
> that of the rest of the forest root.
> 
> Not sure of the default permissions to administer sites / 
> subnets - but I would guess under default ACLs it needs to be 
> fairly highly privileged ??
> 
> I would agree with totally separate accounts for schema admin.
> 
> But not necessarily sites and subnets, which is a much more 
> frequent occurrence and generally assigned to a more junior 
> administrator and by corollary should not be assigned a 
> privileged account.
> 
> GT
> 
> ----- Original Message -----
> From: "Roger Seielstad" <[EMAIL PROTECTED]>
> To: <[EMAIL PROTECTED]>
> Sent: Wednesday, May 28, 2003 5:12 PM
> Subject: RE: [ActiveDir] delegation of root domain admin
> 
> 
> > In general, I'd say not to do it at all, although there is no 
> > *technical* reason it can't be done - at least none of which I 
> > am aware.
> >
> > I have 3 accounts (ok, 4 if you count my Unix ID) which I use: 
> > -General User account
> > -Production Domain admin account
> > -Root Domain admin account
> >
> > It is probably a little bit of overkill to have 2 different admin 
> > accounts, rather than one, but the reality is that I rarely need to 
> > log in as the root admin account. Since that account also has 
> > Enterprise and Schema admin privileges, I find it a bit too powerful 
> > to use day to day for admin work.
> >
> > The other piece of the puzzle is that you created an empty root for 
> > the reason of separating administration from the main (I call it 
> > production) domain. Why undo that by creating cross domain delegation 
> > of administrative rights?
> >
> > Roger
> > --------------------------------------------------------------
> > Roger D. Seielstad - MTS MCSE MS-MVP
> > Sr. Systems Administrator
> > Inovis Inc.
> >
> >
> > > -----Original Message-----
> > > From: Graham Turner [mailto:[EMAIL PROTECTED]
> > > Sent: Wednesday, May 28, 2003 9:36 AM
> > > To: [EMAIL PROTECTED]
> > > Subject: [ActiveDir] delegation of root domain admin
> > >
> > >
> > > Apologies if I have already posted here, but this still remains on 
> > > my issue log
> > >
> > > Would very much like to be able to get information on strategies for 
> > > the delegation of site / subnet administration (on forest root 
> > > DC's) to child domain security principals
> > >
> > > Thanks
> > >
> > > GT
> > >
> > >
> > > List info   : http://www.activedir.org/mail_list.htm
> > > List FAQ    : http://www.activedir.org/list_faq.htm
> > > List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
> > >
> > List info   : http://www.activedir.org/mail_list.htm
> > List FAQ    : http://www.activedir.org/list_faq.htm
> > List archive: 
> > http://www.mail-archive.com/activedir%40mail.activedir.org/
> 
> List info   : http://www.activedir.org/mail_list.htm
> List FAQ    : http://www.activedir.org/list_faq.htm
> List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
> 
List info   : http://www.activedir.org/mail_list.htm
List FAQ    : http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
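Since the thread turns on who can actually write to the sites and subnets in a forest root, here is an added audit script (my own example, not code from anyone in this thread) that lists those principals and flags any outside a trusted set. It assumes the RSAT ActiveDirectory PowerShell module and an account able to read the Configuration partition; the $expected list of groups is an assumption to adapt to your forest.

```powershell
# Added example (not from the thread): list who can modify site and subnet
# objects in the forest root's Configuration partition, so a delegation to
# child-domain principals (the kind the thread argues against) is visible.
# Assumes the RSAT ActiveDirectory module and a forest-wide reader account.
Import-Module ActiveDirectory

# Rights that let a principal create, delete or rewrite objects under the container.
$writeRights = 'GenericAll|GenericWrite|WriteProperty|CreateChild|DeleteChild|Delete|WriteDacl|WriteOwner'

# Accounts expected to hold these rights on a forest root; anything else is flagged.
# This list is an assumption for the example, adjust it to your forest.
$expected = @('BUILTIN\Administrators', 'NT AUTHORITY\SYSTEM', 'Enterprise Admins', 'Domain Admins')

function Get-SitesWriteAccess {
    param([string]$ContainerDN)
    $acl = Get-Acl -Path ("AD:\" + $ContainerDN)
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if (-not ($ace.ActiveDirectoryRights.ToString() -match $writeRights)) { continue }
        $who = $ace.IdentityReference.Value
        [pscustomobject]@{
            Container  = $ContainerDN
            Identity   = $who
            Rights     = $ace.ActiveDirectoryRights
            Inherited  = $ace.IsInherited
            Unexpected = -not ($expected | Where-Object { $who -like "*$_" })
        }
    }
}

$configNC   = (Get-ADRootDSE).configurationNamingContext
$containers = @("CN=Sites,$configNC", "CN=Subnets,CN=Sites,$configNC")
$report     = $containers | ForEach-Object { Get-SitesWriteAccess -ContainerDN $_ }
$report | Sort-Object Container, Identity | Format-Table -AutoSize

# Anything flagged here is a principal outside the expected set that can
# change replication topology or GPO site scoping by editing sites and subnets.
$report | Where-Object Unexpected | Format-Table Container, Identity, Rights -AutoSize
```

Run it against the forest root; a child-domain group appearing with Unexpected set is exactly the cross-domain delegation Roger's replies advise against, and a starting point for deciding whether that delegation should stay.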
