Roger, Firstly, and most importantly - the act of telling anyone they are wrong, IMHO - is the ultimate sign of respect and trust in intelligence of the other person. You and I both know that this was not an attack (nor did I construe that you took it as such, just to be clear), but a specific way to convey the fact that there are many views possible - all potentially correct, and at the same time - all very incorrect.
It all depends upon WHO is viewing or listening. Bottomline: I do agree with you. I would NEVER allow a Jr. Admin to do any S&S based work. In fact, in my ownAD, I have removed the domain admin SP, added three specific SPs (myself, my boss and his boss - all very good with AD and cognizant of our change process) - and pissed off 8 other admins in the process. My response - tough. Deal with it. You need a site or subnet? Ask. I'll have it done in 10 minutes. However, my ex-consultant side comes out to say once more, that if the risks are communicated, and you sign the letter that I stick into my 'Pearl Harbor' file, I'll assign whatever permissions you want. Can I have that check now? Thanks much.... Oh, and call me when it's REALLY broken - like, tomorrow? >:-> Rick Kingslan MCSE, MCSA, MCT Microsoft MVP - Active Directory Associate Expert Expert Zone - www.microsoft.com/windowsxp/expertzone -----Original Message----- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Roger Seielstad Sent: Wednesday, May 28, 2003 5:41 PM To: '[EMAIL PROTECTED]' I'm not sure anyone has told me I'm right and wrong so many times in one sentence before. Well, maybe my wife did... Anyway - yes, you have a valid point, and a lot of the rationale behind how you handle it has to come from what your role is - whether you're hired to do a specific job or if you're hired to architect the solution. If it's the former, Rick is correct - if the latter then I'd push them against it. Roger -------------------------------------------------------------- Roger D. Seielstad - MTS MCSE MS-MVP Sr. Systems Administrator Inovis Inc. > -----Original Message----- > From: Rick Kingslan [mailto:[EMAIL PROTECTED] > Sent: Wednesday, May 28, 2003 6:02 PM > To: [EMAIL PROTECTED] > Subject: RE: [ActiveDir] delegation of root domain admin > > > Graham, > > If you need to delegate specific functional abilities to a > non-administrative person, you will need to go to Active Directory > Sites and Services -> Sites folder <Rt-Clk> -> Delegate -> Select the > user -> Check Site objects and Subnet objects -> select what you want > the Jr. Admin to do from there. > > This is just a basic overview. There is a lot more to it than this, > but this will give you enough to begin testing to see cause / effect. > I'd highly recommend that you pick up a copy of "Inside Active > Directory" which does the best job that I have seen to date of > detailing permissions at the attribute level and how to apply them. > This book, with a test server, will really boost anyone's > understanding of this elusive topic. > > Now - my commentary. Roger's right - and, respectfully, Roger's > wrong. But, Roger can be both in this case. He correctly says that > just because the client wants it, doesn't mean that he should > necessarily get it. > > Unfortunately, he's wrong here, too. If you're getting paid to do a > job (as employee or contractor) AND you have explained the risks > involved in the decisions that your employer is making AND they have > agreed (get it on > paper) to ASSUME THE RISK - then do whatever it is that they want. I > face this daily - I am asked to do things that are patently wrong and > insecure. But, I am told to do it. I ask for an e-mail from my boss > or said person's boss (copying my > boss) and I do it. Why? Because I am the doer. The other person is > assuming the risk. > > Has there ever been a time when I have been ready to quit over a > decision? Yep - but, IMHO, it's much bigger than the risk that is > being assumed here. Yep, replication is at risk. > Subnet objects are at risk. Life goes on. But, challenge HIPAA or > Graham-Leach-Bliley, now we're talking risks I won't assume. > > Make your own decision, Graham. But, Roger does have a point. > > Rick Kingslan MCSE, MCSA, MCT > Microsoft MVP - Active Directory > Associate Expert > Expert Zone - www.microsoft.com/windowsxp/expertzone > > > > -----Original Message----- > From: [EMAIL PROTECTED] > [mailto:[EMAIL PROTECTED] On Behalf Of Graham Turner > Sent: Wednesday, May 28, 2003 12:44 PM > To: [EMAIL PROTECTED] > > Roger i wont diasgree with a word u say !! > > am trying to accommodate the administrative requirement of the client > > can you remind me what permissions (group membership) are required for > sites / subnet administration > > GT > > ----- Original Message ----- > From: "Roger Seielstad" <[EMAIL PROTECTED]> > To: <[EMAIL PROTECTED]> > Sent: Wednesday, May 28, 2003 6:34 PM > Subject: RE: [ActiveDir] delegation of root domain admin > > > > Lord no - I wouldn't trust sites and subnet changes to lower level > > admins. One bad change and an entire site (or sites) lose > replication. > > > > Also, even considering that I've worked for two fairly fast > paced and > > very dynamic companies, post-deployment I rarely make changes to > > either. In > fact, > > I have made exactly two changes in the last 12 months, both > supporting > > office moves. > > > > Keep in mind what modifying each of these items actually > represents - > you're > > affecting a number of areas of AD other than just which domain > > controllers are used for authentication. You're affecting > replication > > topology, group policy application, and a number of other factors. > > > > Personally, I don't think any of the administration relegated to a > > root domain within an empty root style forest should be > done by junior > admins. > > Especially unsupervised. > > > > Roger > > -------------------------------------------------------------- > > Roger D. Seielstad - MTS MCSE MS-MVP Sr. Systems Administrator > > Inovis Inc. > > > > > > > -----Original Message----- > > > From: Graham Turner [mailto:[EMAIL PROTECTED] > > > Sent: Wednesday, May 28, 2003 12:58 PM > > > To: [EMAIL PROTECTED] > > > Subject: Re: [ActiveDir] delegation of root domain admin > > > > > > > > > Roger, I thank your post reply. > > > > > > it would seem what i am trying to separate here is the > admin of the > > > sites / subnets - a generally low impact change - from > that of the > > > rest of the forest root. > > > > > > not sure of the default permissions to administer sites / > subnets - > > > but i would guess under default ACL's needs to be fairly highly > > > privilged ?? > > > > > > i would agree with totally seperate accounts for schema admin . > > > > > > but not necessarily sites and subnets which is a much > more frequent > > > occurrence and generally assigned to a more junior > administrator and > > > by corollary should not be assigned a privileged account. > > > > > > GT > > > > > > ----- Original Message ----- > > > From: "Roger Seielstad" <[EMAIL PROTECTED]> > > > To: <[EMAIL PROTECTED]> > > > Sent: Wednesday, May 28, 2003 5:12 PM > > > Subject: RE: [ActiveDir] delegation of root domain admin > > > > > > > > > > In general, I'd say not to do it at all, although there is no > > > > *technical* reason it can't be done - at least none of > > > which I which I > > > > am aware. > > > > > > > > I have 3 accounts (ok, 4 if you count my Unix ID) which I use: > > > > -General User account -Production Domain admin account -Root > > > > Domain admin account > > > > > > > > It is probably a little bit of overkill to have 2 > different admin > > > accounts, > > > > rather than one, but the reality is that I rarely need to log in > > > > as the > > > root > > > > admin account. Since that account also has Enterprise and > > > Schema admin > > > > priviledges, I find it a bit too powerful to use day to day > > > for admin > > > work. > > > > > > > > The other piece of the puzzle is that you created an empty root > > > > for the reason of separating administration from the > main (I call > > > > it > > > > production) domain. Why undo that by creating cross domain > > > delegation > > > > of > > > adminisatrative > > > > rights? > > > > > > > > Roger > > > > -------------------------------------------------------------- > > > > Roger D. Seielstad - MTS MCSE MS-MVP Sr. Systems Administrator > > > > Inovis Inc. > > > > > > > > > > > > > -----Original Message----- > > > > > From: Graham Turner [mailto:[EMAIL PROTECTED] > > > > > Sent: Wednesday, May 28, 2003 9:36 AM > > > > > To: [EMAIL PROTECTED] > > > > > Subject: [ActiveDir] delegation of root domain admin > > > > > > > > > > > > > > > apologies if i have already posted here, but this still > > > remains on > > > > > my issue log > > > > > > > > > > would very much like to be able to get information on > > > strategies for > > > > > the delegation of site / subnet administration (on > foreest root > > > > > DC's) to child domain security principals > > > > > > > > > > Thanks > > > > > > > > > > GT > > > > > > > > > > > > > > > List info : http://www.activedir.org/mail_list.htm > > > > > List FAQ : http://www.activedir.org/list_faq.htm > > > > > List archive: > > > > > http://www.mail-archive.com/activedir%> 40mail.activedir.org/ > > > > > > > > > List info : http://www.activedir.org/mail_list.htm > > > > List FAQ : http://www.activedir.org/list_faq.htm > > > > List archive: > > > > http://www.mail-archive.com/activedir%40mail.activedir.org/ > > > > > > List info : http://www.activedir.org/mail_list.htm > > > List FAQ : http://www.activedir.org/list_faq.htm > > > List archive: > > > http://www.mail-archive.com/activedir%> 40mail.activedir.org/ > > > > > List info : http://www.activedir.org/mail_list.htm > > List FAQ : http://www.activedir.org/list_faq.htm > > List archive: > > http://www.mail-archive.com/activedir%40mail.activedir.org/ > > List info : http://www.activedir.org/mail_list.htm > List FAQ : http://www.activedir.org/list_faq.htm > List archive: > http://www.mail-archive.com/activedir%> 40mail.activedir.org/ > > > > List info : > http://www.activedir.org/mail_list.htm > List FAQ : http://www.activedir.org/list_faq.htm > List archive: > http://www.mail-archive.com/activedir%> 40mail.activedir.org/ > List info : http://www.activedir.org/mail_list.htm List FAQ : http://www.activedir.org/list_faq.htm List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ List info : http://www.activedir.org/mail_list.htm List FAQ : http://www.activedir.org/list_faq.htm List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
