Roger, I won't disagree with a word you say!! Am trying to accommodate the administrative requirement of the client.

Can you remind me what permissions (group membership) are required for sites / subnet administration?

GT

----- Original Message -----
From: "Roger Seielstad" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Wednesday, May 28, 2003 6:34 PM
Subject: RE: [ActiveDir] delegation of root domain admin

> Lord no - I wouldn't trust sites and subnet changes to lower level admins.
> One bad change and an entire site (or sites) lose replication.
>
> Also, even considering that I've worked for two fairly fast paced and very
> dynamic companies, post-deployment I rarely make changes to either. In fact,
> I have made exactly two changes in the last 12 months, both supporting
> office moves.
>
> Keep in mind what modifying each of these items actually represents - you're
> affecting a number of areas of AD other than just which domain controllers
> are used for authentication. You're affecting replication topology, group
> policy application, and a number of other factors.
>
> Personally, I don't think any of the administration relegated to a root
> domain within an empty root style forest should be done by junior admins.
> Especially unsupervised.
>
> Roger
> --------------------------------------------------------------
> Roger D. Seielstad - MTS MCSE MS-MVP
> Sr. Systems Administrator
> Inovis Inc.
>
> > -----Original Message-----
> > From: Graham Turner [mailto:[EMAIL PROTECTED]
> > Sent: Wednesday, May 28, 2003 12:58 PM
> > To: [EMAIL PROTECTED]
> > Subject: Re: [ActiveDir] delegation of root domain admin
> >
> > Roger, I thank your post reply.
> >
> > It would seem what I am trying to separate here is the admin
> > of the sites / subnets - a generally low impact change - from
> > that of the rest of the forest root.
> >
> > Not sure of the default permissions to administer sites /
> > subnets - but I would guess under default ACL's needs to be
> > fairly highly privileged ??
> >
> > I would agree with totally separate accounts for schema admin.
> >
> > But not necessarily sites and subnets which is a much more
> > frequent occurrence and generally assigned to a more junior
> > administrator and by corollary should not be assigned a
> > privileged account.
> >
> > GT
> >
> > ----- Original Message -----
> > From: "Roger Seielstad" <[EMAIL PROTECTED]>
> > To: <[EMAIL PROTECTED]>
> > Sent: Wednesday, May 28, 2003 5:12 PM
> > Subject: RE: [ActiveDir] delegation of root domain admin
> >
> > > In general, I'd say not to do it at all, although there is no
> > > *technical* reason it can't be done - at least none of which I
> > > am aware.
> > >
> > > I have 3 accounts (ok, 4 if you count my Unix ID) which I use:
> > > -General User account
> > > -Production Domain admin account
> > > -Root Domain admin account
> > >
> > > It is probably a little bit of overkill to have 2 different admin accounts,
> > > rather than one, but the reality is that I rarely need to log in as
> > > the root admin account. Since that account also has Enterprise and
> > > Schema admin privileges, I find it a bit too powerful to use day to day
> > > for admin work.
> > >
> > > The other piece of the puzzle is that you created an empty root for
> > > the reason of separating administration from the main (I call it
> > > production) domain. Why undo that by creating cross domain delegation
> > > of administrative rights?
> > >
> > > Roger
> > > --------------------------------------------------------------
> > > Roger D. Seielstad - MTS MCSE MS-MVP
> > > Sr. Systems Administrator
> > > Inovis Inc.
> > >
> > > > -----Original Message-----
> > > > From: Graham Turner [mailto:[EMAIL PROTECTED]
> > > > Sent: Wednesday, May 28, 2003 9:36 AM
> > > > To: [EMAIL PROTECTED]
> > > > Subject: [ActiveDir] delegation of root domain admin
> > > >
> > > > Apologies if I have already posted here, but this still remains on
> > > > my issue log.
> > > >
> > > > Would very much like to be able to get information on strategies for
> > > > the delegation of site / subnet administration (on forest root
> > > > DC's) to child domain security principals.
> > > >
> > > > Thanks
> > > >
> > > > GT
> > > >
> > > > List info : http://www.activedir.org/mail_list.htm
> > > > List FAQ : http://www.activedir.org/list_faq.htm
> > > > List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
