I think it's part of Enterprise Admins, but I'm not 100% sure.

And part of the client's requirements should be that you suggest the correct
solution, not necessarily what they want.

Roger
--------------------------------------------------------------
Roger D. Seielstad - MTS MCSE MS-MVP
Sr. Systems Administrator
Inovis Inc.
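
Added example, not part of the original thread: one way to settle who can change sites and subnets is to review the DACL on the Sites container. This Python code scans an SDDL string for allow ACEs that grant write-type rights to trustees outside an expected set; the sample SDDL, the SIDs and the expected set are constructed assumptions.

```python
import re

# Access-mask bits for the SDDL rights that change directory objects or ACLs.
WRITE_BITS = {
    "CC": 0x1, "DC": 0x2, "SW": 0x8, "WP": 0x20, "DT": 0x40,
    "SD": 0x10000, "WD": 0x40000, "WO": 0x80000,
    "GW": 0x40000000, "GA": 0x10000000,
}
# Trustees expected to hold write access: an assumption for this example.
# EA = Enterprise Admins, DA = Domain Admins, SY = Local System.
EXPECTED = {"EA", "DA", "SY"}

def write_rights(rights):
    """Return the sorted write-capable rights in an ACE rights field."""
    if rights.lower().startswith("0x"):          # numeric access mask
        mask = int(rights, 16)
        return sorted(r for r, bit in WRITE_BITS.items() if mask & bit)
    tokens = re.findall(r"[A-Z]{2}", rights)     # two-letter rights tokens
    return sorted(t for t in tokens if t in WRITE_BITS)

def unexpected_writers(sddl, expected=EXPECTED):
    """Map each non-expected trustee to the write rights its allow ACEs grant.
    Deny ACEs are not evaluated, so treat the result as an upper bound."""
    dacl = re.search(r"D:[A-Z]*((?:\([^()]*\))+)", sddl)
    found = {}
    for body in re.findall(r"\(([^()]*)\)", dacl.group(1) if dacl else ""):
        fields = body.split(";")
        if len(fields) != 6:
            raise ValueError(f"malformed ACE: ({body})")
        ace_type, _flags, rights, _obj, _inherit_obj, trustee = fields
        granted = write_rights(rights)
        if ace_type in ("A", "OA") and granted and trustee not in expected:
            found.setdefault(trustee, set()).update(granted)
    return {t: sorted(r) for t, r in found.items()}

# Constructed DACL for a Sites container (sample data, not a real dump).
# The last two SIDs are made-up delegated groups from a child domain.
SAMPLE_SDDL = (
    "O:EAG:EAD:(A;CI;RPLCLORC;;;AU)(A;CI;RPWPCCDCLCSWRCWDWOSD;;;EA)"
    "(A;;RPWPCCLCSWRCWDWOSD;;;DA)(A;CI;GA;;;SY)"
    "(A;CI;CCDCWP;;;S-1-5-21-1111111111-2222222222-3333333333-1601)"
    "(A;CI;0x20094;;;S-1-5-21-1111111111-2222222222-3333333333-1602)"
)

if __name__ == "__main__":
    for trustee, rights in unexpected_writers(SAMPLE_SDDL).items():
        print(f"{trustee} can write under the Sites container via {','.join(rights)}")
```
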


> -----Original Message-----
> From: Graham Turner [mailto:[EMAIL PROTECTED] 
> Sent: Wednesday, May 28, 2003 1:44 PM
> To: [EMAIL PROTECTED]
> Subject: Re: [ActiveDir] delegation of root domain admin
> 
> 
> Roger, I won't disagree with a word you say!!
> 
> I am trying to accommodate the administrative requirement of the client.
> 
> Can you remind me what permissions (group membership) are required
> for sites / subnet administration?
> 
> GT
> 
> ----- Original Message -----
> From: "Roger Seielstad" <[EMAIL PROTECTED]>
> To: <[EMAIL PROTECTED]>
> Sent: Wednesday, May 28, 2003 6:34 PM
> Subject: RE: [ActiveDir] delegation of root domain admin
> 
> 
> > Lord no - I wouldn't trust sites and subnet changes to lower level
> > admins. One bad change and an entire site (or sites) lose replication.
> >
> > Also, even considering that I've worked for two fairly fast paced and
> > very dynamic companies, post-deployment I rarely make changes to
> > either. In fact, I have made exactly two changes in the last 12
> > months, both supporting office moves.
> >
> > Keep in mind what modifying each of these items actually represents -
> > you're affecting a number of areas of AD other than just which domain
> > controllers are used for authentication. You're affecting replication
> > topology, group policy application, and a number of other factors.
> >
> > Personally, I don't think any of the administration relegated to a
> > root domain within an empty root style forest should be done by junior
> > admins. Especially unsupervised.
> >
> > Roger
> > --------------------------------------------------------------
> > Roger D. Seielstad - MTS MCSE MS-MVP
> > Sr. Systems Administrator
> > Inovis Inc.
> >
> >
> > > -----Original Message-----
> > > From: Graham Turner [mailto:[EMAIL PROTECTED]
> > > Sent: Wednesday, May 28, 2003 12:58 PM
> > > To: [EMAIL PROTECTED]
> > > Subject: Re: [ActiveDir] delegation of root domain admin
> > >
> > >
> > > Roger, thank you for your reply.
> > >
> > > It would seem what I am trying to separate here is the admin of the
> > > sites / subnets - a generally low impact change - from that of the
> > > rest of the forest root.
> > >
> > > Not sure of the default permissions to administer sites / subnets -
> > > but I would guess under default ACLs needs to be fairly highly
> > > privileged??
> > >
> > > I would agree with totally separate accounts for schema admin.
> > >
> > > But not necessarily sites and subnets, which is a much more frequent
> > > occurrence and generally assigned to a more junior administrator and
> > > by corollary should not be assigned a privileged account.
> > >
> > > GT
> > >
> > > ----- Original Message -----
> > > From: "Roger Seielstad" <[EMAIL PROTECTED]>
> > > To: <[EMAIL PROTECTED]>
> > > Sent: Wednesday, May 28, 2003 5:12 PM
> > > Subject: RE: [ActiveDir] delegation of root domain admin
> > >
> > >
> > > > In general, I'd say not to do it at all, although there is no
> > > > *technical* reason it can't be done - at least none of which I
> > > > am aware.
> > > >
> > > > I have 3 accounts (ok, 4 if you count my Unix ID) which I use:
> > > > - General User account
> > > > - Production Domain admin account
> > > > - Root Domain admin account
> > > >
> > > > It is probably a little bit of overkill to have 2 different admin
> > > > accounts, rather than one, but the reality is that I rarely need
> > > > to log in as the root admin account. Since that account also has
> > > > Enterprise and Schema admin privileges, I find it a bit too
> > > > powerful to use day to day for admin work.
> > > >
> > > > The other piece of the puzzle is that you created an empty root
> > > > for the reason of separating administration from the main (I call
> > > > it production) domain. Why undo that by creating cross domain
> > > > delegation of administrative rights?
> > > >
> > > > Roger
> > > > --------------------------------------------------------------
> > > > Roger D. Seielstad - MTS MCSE MS-MVP
> > > > Sr. Systems Administrator
> > > > Inovis Inc.
> > > >
> > > >
> > > > > -----Original Message-----
> > > > > From: Graham Turner [mailto:[EMAIL PROTECTED]
> > > > > Sent: Wednesday, May 28, 2003 9:36 AM
> > > > > To: [EMAIL PROTECTED]
> > > > > Subject: [ActiveDir] delegation of root domain admin
> > > > >
> > > > >
> > > > > > Apologies if I have already posted here, but this still remains
> > > > > > on my issue log.
> > > > > >
> > > > > > I would very much like to be able to get information on
> > > > > > strategies for the delegation of site / subnet administration
> > > > > > (on forest root DCs) to child domain security principals.
> > > > >
> > > > > Thanks
> > > > >
> > > > > GT
> > > > >
> > > > >
> > > > > List info   : http://www.activedir.org/mail_list.htm
> > > > > List FAQ    : http://www.activedir.org/list_faq.htm
> > > > > List archive:
> > > > > > http://www.mail-archive.com/activedir%40mail.activedir.org/
> > > > >