Graham,

If you need to delegate specific functional abilities to a
non-administrative person, you will need to go to Active Directory Sites and
Services -> Sites folder <Rt-Clk> -> Delegate -> Select the user -> Check
Site objects and Subnet objects -> select what you want the Jr. Admin to do
from there.

This is just a basic overview.  There is a lot more to it than this, but
this will give you enough to begin testing to see cause / effect.  I'd
highly recommend that you pick up a copy of "Inside Active Directory" which
does the best job that I have seen to date of detailing permissions at the
attribute level and how to apply them.  This book, with a test server, will
really boost anyone's understanding of this elusive topic.

Now - my commentary.  Roger's right - and, respectfully, Roger's wrong.
But, Roger can be both in this case.  He correctly says that just because
the client wants it, doesn't mean that he should necessarily get it.

Unfortunately, he's wrong here, too.  If you're getting paid to do a job (as
employee or contractor) AND you have explained the risks involved in the
decisions that your employer is making AND they have agreed (get it on
paper) to ASSUME THE RISK - then do whatever it is that they want.  I face
this daily - I am asked to do things that are patently wrong and insecure.
But, I am told to do it.  I ask for an e-mail from my boss or said person's
boss (copying my boss) and I do it.  Why?  Because I am the doer.  The other
person is assuming the risk.

Has there ever been a time when I have been ready to quit over a decision?
Yep - but, IMHO, it's much bigger than the risk that is being assumed here.
Yep, replication is at risk.  Subnet objects are at risk.  Life goes on.
But, challenge HIPAA or Gramm-Leach-Bliley, now we're talking risks I won't
assume.

Make your own decision, Graham.  But, Roger does have a point.

Rick Kingslan  MCSE, MCSA, MCT
Microsoft MVP - Active Directory
Associate Expert
Expert Zone - www.microsoft.com/windowsxp/expertzone
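The Sites-and-Services "Delegate" steps above can be scripted and, more importantly, audited afterwards. The following PowerShell is an added example and not part of the thread or Rick's procedure; it assumes the ActiveDirectory module (the AD: drive) is available, uses a placeholder group name CONTOSO\SiteSubnetAdmins, and the function names are my own. It grants exactly what the wizard's "Site objects" and "Subnet objects" choices represent (create/delete of those two classes under CN=Sites plus full control of existing objects of those classes) and then lists the explicit ACEs so the result, and any unexpected principal, is visible.

```powershell
# Added example, not from the thread: script the delegation that the
# Sites-and-Services "Delegate" step performs, then audit what it granted.
# Assumptions: ActiveDirectory module (AD: drive) present; the group name is
# a placeholder for the Jr. Admin group.
using namespace System.DirectoryServices
using namespace System.Security.AccessControl
using namespace System.Security.Principal
Import-Module ActiveDirectory

function Get-SchemaClassGuid {
    # Return the schemaIDGUID of an object class such as 'site' or 'subnet'.
    param([Parameter(Mandatory)][string]$LdapDisplayName)
    $schemaNC = (Get-ADRootDSE).schemaNamingContext
    $cls = Get-ADObject -SearchBase $schemaNC -Properties schemaIDGUID `
        -LDAPFilter "(&(objectClass=classSchema)(lDAPDisplayName=$LdapDisplayName))"
    if (-not $cls) { throw "Schema class '$LdapDisplayName' not found" }
    return [guid]$cls.schemaIDGUID
}

function Grant-SiteSubnetDelegation {
    # Give $Group create/delete rights for site and subnet objects below
    # CN=Sites and full control of existing objects of those two classes,
    # and nothing else in the Configuration partition.
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory)][string]$Group)   # placeholder, e.g. 'CONTOSO\SiteSubnetAdmins'

    $sitesDN = "CN=Sites,$((Get-ADRootDSE).configurationNamingContext)"
    $sid = ([NTAccount]$Group).Translate([SecurityIdentifier])
    $acl = Get-Acl -Path "AD:\$sitesDN"

    foreach ($class in 'site', 'subnet') {
        $guid = Get-SchemaClassGuid $class
        # Create/delete objects of this class; inherits to CN=Subnets and below.
        $acl.AddAccessRule([ActiveDirectoryAccessRule]::new(
            $sid, [ActiveDirectoryRights]'CreateChild, DeleteChild',
            [AccessControlType]::Allow, $guid,
            [ActiveDirectorySecurityInheritance]::All))
        # Full control, but only over descendant objects of this class.
        $acl.AddAccessRule([ActiveDirectoryAccessRule]::new(
            $sid, [ActiveDirectoryRights]::GenericAll,
            [AccessControlType]::Allow,
            [ActiveDirectorySecurityInheritance]::Descendents, $guid))
    }
    if ($PSCmdlet.ShouldProcess($sitesDN, "Delegate site/subnet administration to $Group")) {
        Set-Acl -Path "AD:\$sitesDN" -AclObject $acl
    }
}

function Get-SiteSubnetDelegation {
    # List explicit (non-inherited) Allow ACEs on CN=Sites that confer write
    # or create/delete rights: verifies the delegation and exposes any
    # principal that should not be there.
    $sitesDN = "CN=Sites,$((Get-ADRootDSE).configurationNamingContext)"
    $writeRights = 'CreateChild|DeleteChild|WriteProperty|GenericWrite|GenericAll|WriteDacl|WriteOwner'
    (Get-Acl -Path "AD:\$sitesDN").Access |
        Where-Object { $_.AccessControlType -eq 'Allow' -and -not $_.IsInherited -and
                       $_.ActiveDirectoryRights.ToString() -match $writeRights } |
        Select-Object IdentityReference, ActiveDirectoryRights, ObjectType,
                      InheritanceType, InheritedObjectType
}

# Usage with the placeholder group: preview with -WhatIf, apply, then audit.
Grant-SiteSubnetDelegation -Group 'CONTOSO\SiteSubnetAdmins' -WhatIf
# Grant-SiteSubnetDelegation -Group 'CONTOSO\SiteSubnetAdmins'
Get-SiteSubnetDelegation | Format-Table -AutoSize
```

Because the group is resolved to a SID, the same script works for a group from a child domain, which is the case Graham asked about. Run it against a test server first, as Rick suggests, and keep the audit function in a scheduled check: an extra principal appearing in its output is exactly the kind of change Roger warns can take a site out of replication.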
 


-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Graham Turner
Sent: Wednesday, May 28, 2003 12:44 PM
To: [EMAIL PROTECTED]

Roger, I won't disagree with a word you say!!

I am trying to accommodate the administrative requirement of the client.

Can you remind me what permissions (group membership) are required for sites
/ subnet administration?

GT

----- Original Message -----
From: "Roger Seielstad" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Wednesday, May 28, 2003 6:34 PM
Subject: RE: [ActiveDir] delegation of root domain admin


> Lord no - I wouldn't trust sites and subnet changes to lower level admins.
> One bad change and an entire site (or sites) lose replication.
>
> Also, even considering that I've worked for two fairly fast paced and
> very dynamic companies, post-deployment I rarely make changes to
> either. In fact, I have made exactly two changes in the last 12 months,
> both supporting office moves.
>
> Keep in mind what modifying each of these items actually represents -
> you're affecting a number of areas of AD other than just which domain
> controllers are used for authentication. You're affecting replication
> topology, group policy application, and a number of other factors.
>
> Personally, I don't think any of the administration relegated to a
> root domain within an empty root style forest should be done by junior
> admins. Especially unsupervised.
>
> Roger
> --------------------------------------------------------------
> Roger D. Seielstad - MTS MCSE MS-MVP
> Sr. Systems Administrator
> Inovis Inc.
>
>
> > -----Original Message-----
> > From: Graham Turner [mailto:[EMAIL PROTECTED]
> > Sent: Wednesday, May 28, 2003 12:58 PM
> > To: [EMAIL PROTECTED]
> > Subject: Re: [ActiveDir] delegation of root domain admin
> >
> >
> > Roger, thank you for your reply.
> >
> > It would seem what I am trying to separate here is the admin of the
> > sites / subnets - a generally low impact change - from that of the
> > rest of the forest root.
> >
> > Not sure of the default permissions to administer sites / subnets -
> > but I would guess under default ACLs they need to be fairly highly
> > privileged??
> >
> > I would agree with totally separate accounts for schema admin.
> >
> > But not necessarily sites and subnets, which is a much more frequent
> > occurrence and generally assigned to a more junior administrator and
> > by corollary should not be assigned a privileged account.
> >
> > GT
> >
> > ----- Original Message -----
> > From: "Roger Seielstad" <[EMAIL PROTECTED]>
> > To: <[EMAIL PROTECTED]>
> > Sent: Wednesday, May 28, 2003 5:12 PM
> > Subject: RE: [ActiveDir] delegation of root domain admin
> >
> >
> > > In general, I'd say not to do it at all, although there is no
> > > *technical* reason it can't be done - at least none of which I
> > > am aware.
> > >
> > > I have 3 accounts (ok, 4 if you count my Unix ID) which I use:
> > > - General User account
> > > - Production Domain admin account
> > > - Root Domain admin account
> > >
> > > It is probably a little bit of overkill to have 2 different admin
> > > accounts, rather than one, but the reality is that I rarely need to
> > > log in as the root admin account. Since that account also has
> > > Enterprise and Schema admin privileges, I find it a bit too powerful
> > > to use day to day for admin work.
> > >
> > > The other piece of the puzzle is that you created an empty root
> > > for the reason of separating administration from the main (I call
> > > it production) domain. Why undo that by creating cross domain
> > > delegation of administrative rights?
> > >
> > > Roger
> > > --------------------------------------------------------------
> > > Roger D. Seielstad - MTS MCSE MS-MVP Sr. Systems Administrator 
> > > Inovis Inc.
> > >
> > >
> > > > -----Original Message-----
> > > > From: Graham Turner [mailto:[EMAIL PROTECTED]
> > > > Sent: Wednesday, May 28, 2003 9:36 AM
> > > > To: [EMAIL PROTECTED]
> > > > Subject: [ActiveDir] delegation of root domain admin
> > > >
> > > >
> > > > Apologies if I have already posted here, but this still remains on
> > > > my issue log.
> > > >
> > > > I would very much like to be able to get information on strategies
> > > > for the delegation of site / subnet administration (on forest root
> > > > DCs) to child domain security principals.
> > > >
> > > > Thanks
> > > >
> > > > GT
> > > >
> > > >
> > > > List info   : http://www.activedir.org/mail_list.htm
> > > > List FAQ    : http://www.activedir.org/list_faq.htm
> > > > List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
> > > >
