Rick,

One thing that you'll learn about me over time is that I'm a bit of a smart arse. It's better than being a dumb arse. Trust me - no offense was taken - I'm quite often the butt of my own jokes.

I guess I look at the consultant thing a bit differently than you do - which is fair, I've never sat on that side of the table. I was fortunate enough to work with a very, and I mean *very*, skilled team from Compaq's Professional Services group during my first design and deployment of AD. I had a bunch of fairly strong ideas on how I wanted to see things done, based on some testing and a lot of reading. They were able to dissuade me and the team from making some design decisions which would have caused some serious issues down the road.

I look at it like this - if I'm hiring a consultant to help with the architectural process, I'm getting a subject matter expert. I expect them to tell me when I'm wrong, and why I'm wrong, if I want to make dumb decisions. OTOH, if I'm hiring a consultant to come in as a box lifter - which we also did for the mass deployment phase - I expect them to do what they're told, because I've done the homework ahead of time, and know the process I've handed them will work and achieve the right goal.

Roger
--------------------------------------------------------------
Roger D. Seielstad - MTS MCSE MS-MVP
Sr. Systems Administrator
Inovis Inc.

> -----Original Message-----
> From: Rick Kingslan [mailto:[EMAIL PROTECTED]
> Sent: Thursday, May 29, 2003 6:43 PM
> To: [EMAIL PROTECTED]
> Subject: RE: [ActiveDir] delegation of root domain admin
>
> Roger,
>
> Firstly, and most importantly - the act of telling anyone they are wrong, IMHO - is the ultimate sign of respect and trust in the intelligence of the other person. You and I both know that this was not an attack (nor did I construe that you took it as such, just to be clear), but a specific way to convey the fact that there are many views possible - all potentially correct, and at the same time - all very incorrect.
>
> It all depends upon WHO is viewing or listening.
>
> Bottom line: I do agree with you. I would NEVER allow a Jr. Admin to do any S&S based work. In fact, in my own AD, I have removed the domain admin SP, added three specific SPs (myself, my boss and his boss - all very good with AD and cognizant of our change process) - and pissed off 8 other admins in the process. My response - tough. Deal with it. You need a site or subnet? Ask. I'll have it done in 10 minutes.
>
> However, my ex-consultant side comes out to say once more, that if the risks are communicated, and you sign the letter that I stick into my 'Pearl Harbor' file, I'll assign whatever permissions you want. Can I have that check now? Thanks much.... Oh, and call me when it's REALLY broken - like, tomorrow?
>
> >:->
>
> Rick Kingslan MCSE, MCSA, MCT
> Microsoft MVP - Active Directory
> Associate Expert
> Expert Zone - www.microsoft.com/windowsxp/expertzone
>
> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Roger Seielstad
> Sent: Wednesday, May 28, 2003 5:41 PM
> To: '[EMAIL PROTECTED]'
>
> I'm not sure anyone has told me I'm right and wrong so many times in one sentence before. Well, maybe my wife did...
>
> Anyway - yes, you have a valid point, and a lot of the rationale behind how you handle it has to come from what your role is - whether you're hired to do a specific job or if you're hired to architect the solution. If it's the former, Rick is correct - if the latter then I'd push them against it.
>
> Roger
> --------------------------------------------------------------
> Roger D. Seielstad - MTS MCSE MS-MVP
> Sr. Systems Administrator
> Inovis Inc.
>
> > -----Original Message-----
> > From: Rick Kingslan [mailto:[EMAIL PROTECTED]
> > Sent: Wednesday, May 28, 2003 6:02 PM
> > To: [EMAIL PROTECTED]
> > Subject: RE: [ActiveDir] delegation of root domain admin
> >
> > Graham,
> >
> > If you need to delegate specific functional abilities to a non-administrative person, you will need to go to Active Directory Sites and Services -> Sites folder <Rt-Clk> -> Delegate -> Select the user -> Check Site objects and Subnet objects -> select what you want the Jr. Admin to do from there.
> >
> > This is just a basic overview. There is a lot more to it than this, but this will give you enough to begin testing to see cause / effect. I'd highly recommend that you pick up a copy of "Inside Active Directory" which does the best job that I have seen to date of detailing permissions at the attribute level and how to apply them. This book, with a test server, will really boost anyone's understanding of this elusive topic.
> >
> > Now - my commentary. Roger's right - and, respectfully, Roger's wrong. But, Roger can be both in this case. He correctly says that just because the client wants it, doesn't mean that he should necessarily get it.
> >
> > Unfortunately, he's wrong here, too. If you're getting paid to do a job (as employee or contractor) AND you have explained the risks involved in the decisions that your employer is making AND they have agreed (get it on paper) to ASSUME THE RISK - then do whatever it is that they want. I face this daily - I am asked to do things that are patently wrong and insecure. But, I am told to do it. I ask for an e-mail from my boss or said person's boss (copying my boss) and I do it. Why? Because I am the doer. The other person is assuming the risk.
> >
> > Has there ever been a time when I have been ready to quit over a decision? Yep - but, IMHO, it's much bigger than the risk that is being assumed here. Yep, replication is at risk. Subnet objects are at risk. Life goes on. But, challenge HIPAA or Gramm-Leach-Bliley, now we're talking risks I won't assume.
> >
> > Make your own decision, Graham. But, Roger does have a point.
> >
> > Rick Kingslan MCSE, MCSA, MCT
> > Microsoft MVP - Active Directory
> > Associate Expert
> > Expert Zone - www.microsoft.com/windowsxp/expertzone
> >
> > -----Original Message-----
> > From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Graham Turner
> > Sent: Wednesday, May 28, 2003 12:44 PM
> > To: [EMAIL PROTECTED]
> >
> > Roger, I won't disagree with a word you say!!
> >
> > I am trying to accommodate the administrative requirement of the client.
> >
> > Can you remind me what permissions (group membership) are required for sites / subnet administration?
> >
> > GT
> >
> > ----- Original Message -----
> > From: "Roger Seielstad" <[EMAIL PROTECTED]>
> > To: <[EMAIL PROTECTED]>
> > Sent: Wednesday, May 28, 2003 6:34 PM
> > Subject: RE: [ActiveDir] delegation of root domain admin
> >
> > > Lord no - I wouldn't trust sites and subnet changes to lower level admins. One bad change and an entire site (or sites) lose replication.
> > >
> > > Also, even considering that I've worked for two fairly fast paced and very dynamic companies, post-deployment I rarely make changes to either. In fact, I have made exactly two changes in the last 12 months, both supporting office moves.
> > >
> > > Keep in mind what modifying each of these items actually represents - you're affecting a number of areas of AD other than just which domain controllers are used for authentication. You're affecting replication topology, group policy application, and a number of other factors.
> > >
> > > Personally, I don't think any of the administration relegated to a root domain within an empty root style forest should be done by junior admins. Especially unsupervised.
> > >
> > > Roger
> > > --------------------------------------------------------------
> > > Roger D. Seielstad - MTS MCSE MS-MVP
> > > Sr. Systems Administrator
> > > Inovis Inc.
> > >
> > > > -----Original Message-----
> > > > From: Graham Turner [mailto:[EMAIL PROTECTED]
> > > > Sent: Wednesday, May 28, 2003 12:58 PM
> > > > To: [EMAIL PROTECTED]
> > > > Subject: Re: [ActiveDir] delegation of root domain admin
> > > >
> > > > Roger, thank you for your reply.
> > > >
> > > > It would seem what I am trying to separate here is the admin of the sites / subnets - a generally low impact change - from that of the rest of the forest root.
> > > >
> > > > Not sure of the default permissions to administer sites / subnets - but I would guess under default ACLs it needs to be fairly highly privileged??
> > > >
> > > > I would agree with totally separate accounts for schema admin.
> > > >
> > > > But not necessarily sites and subnets, which is a much more frequent occurrence and generally assigned to a more junior administrator and by corollary should not be assigned a privileged account.
> > > >
> > > > GT
> > > >
> > > > ----- Original Message -----
> > > > From: "Roger Seielstad" <[EMAIL PROTECTED]>
> > > > To: <[EMAIL PROTECTED]>
> > > > Sent: Wednesday, May 28, 2003 5:12 PM
> > > > Subject: RE: [ActiveDir] delegation of root domain admin
> > > >
> > > > > In general, I'd say not to do it at all, although there is no *technical* reason it can't be done - at least none of which I am aware.
> > > > >
> > > > > I have 3 accounts (ok, 4 if you count my Unix ID) which I use:
> > > > > - General User account
> > > > > - Production Domain admin account
> > > > > - Root Domain admin account
> > > > >
> > > > > It is probably a little bit of overkill to have 2 different admin accounts, rather than one, but the reality is that I rarely need to log in as the root admin account. Since that account also has Enterprise and Schema admin privileges, I find it a bit too powerful to use day to day for admin work.
> > > > >
> > > > > The other piece of the puzzle is that you created an empty root for the reason of separating administration from the main (I call it production) domain. Why undo that by creating cross domain delegation of administrative rights?
> > > > >
> > > > > Roger
> > > > > --------------------------------------------------------------
> > > > > Roger D. Seielstad - MTS MCSE MS-MVP
> > > > > Sr. Systems Administrator
> > > > > Inovis Inc.
> > > > >
> > > > > > -----Original Message-----
> > > > > > From: Graham Turner [mailto:[EMAIL PROTECTED]
> > > > > > Sent: Wednesday, May 28, 2003 9:36 AM
> > > > > > To: [EMAIL PROTECTED]
> > > > > > Subject: [ActiveDir] delegation of root domain admin
> > > > > >
> > > > > > Apologies if I have already posted here, but this still remains on my issue log.
> > > > > >
> > > > > > Would very much like to be able to get information on strategies for the delegation of site / subnet administration (on forest root DCs) to child domain security principals.
> > > > > >
> > > > > > Thanks
> > > > > >
> > > > > > GT
> > > > > >
> > > > > > List info : http://www.activedir.org/mail_list.htm
> > > > > > List FAQ : http://www.activedir.org/list_faq.htm
> > > > > > List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
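Added example, not part of the thread: a scripted equivalent of the snap-in steps Rick gives in his May 28 reply (Sites and Services -> Sites -> Delegate, with Site objects and Subnet objects checked), for readers who want to see exactly which ACEs that delegation amounts to and to keep the result reviewable. It puts Graham's child-domain principals on the DACL of CN=Sites in the Configuration NC without adding them to Domain Admins or Enterprise Admins in the root. The child-domain group name EMEA\SiteSubnetAdmins, the use of the ActiveDirectory RSAT module (which postdates this 2003 thread; the period tool would have been dsacls) and the right-set chosen are my assumptions, not anything the posters stated.

```powershell
# Added example (not from the thread): delegate create/delete/edit of site and
# subnet objects under CN=Sites in the Configuration NC to a child-domain group.
#
# Assumptions (not from the original posts):
#   - ActiveDirectory RSAT module is installed; run as an account that may write
#     the DACL of CN=Sites (Enterprise Admins, or whoever owns the Configuration NC).
#   - The delegate is the hypothetical child-domain group EMEA\SiteSubnetAdmins.
Import-Module ActiveDirectory

$Group    = 'EMEA\SiteSubnetAdmins'            # hypothetical child-domain group
$RootDse  = Get-ADRootDSE
$SitesDn  = "CN=Sites,$($RootDse.configurationNamingContext)"
$SchemaNc = $RootDse.schemaNamingContext

# Resolve a class's schemaIDGUID from the schema at run time rather than
# hard-coding it, so the same script works in any forest.
function Get-ClassSchemaGuid {
    param([Parameter(Mandatory)][string]$LdapDisplayName)
    $cls = Get-ADObject -SearchBase $SchemaNc `
        -LDAPFilter "(&(objectClass=classSchema)(lDAPDisplayName=$LdapDisplayName))" `
        -Properties schemaIDGUID
    if (-not $cls) { throw "Class '$LdapDisplayName' not found in $SchemaNc" }
    return [System.Guid]$cls.schemaIDGUID
}

# Translate the child-domain group to a SID; this needs the forest trust to resolve it.
$Sid   = ([System.Security.Principal.NTAccount]$Group).Translate(
             [System.Security.Principal.SecurityIdentifier])
$Allow = [System.Security.AccessControl.AccessControlType]::Allow
$Acl   = Get-Acl -Path "AD:\$SitesDn"

foreach ($class in 'site', 'subnet') {
    $classGuid = Get-ClassSchemaGuid $class

    # ACE 1: create and delete objects of this class on CN=Sites and below.
    # Inheritance is required because subnets live in CN=Subnets,CN=Sites.
    $Acl.AddAccessRule([System.DirectoryServices.ActiveDirectoryAccessRule]::new(
        $Sid,
        [System.DirectoryServices.ActiveDirectoryRights]'CreateChild, DeleteChild',
        $Allow,
        $classGuid,
        [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All))

    # ACE 2: read/write properties, but only on descendant objects *of this class*
    # (inherited-object-type scoped). Site links, NTDS Settings and server objects
    # that also live under CN=Sites are not covered by this ACE.
    $Acl.AddAccessRule([System.DirectoryServices.ActiveDirectoryAccessRule]::new(
        $Sid,
        [System.DirectoryServices.ActiveDirectoryRights]'ReadProperty, WriteProperty',
        $Allow,
        [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents,
        $classGuid))
}

Set-Acl -Path "AD:\$SitesDn" -AclObject $Acl

# Verify: list only the ACEs on CN=Sites that name the delegated group. Four rows
# (two per class) are expected; anything more means the group already held rights
# here that were not intended.
(Get-Acl -Path "AD:\$SitesDn").Access |
    Where-Object { $_.IdentityReference.Value -eq $Group } |
    Format-Table IdentityReference, ActiveDirectoryRights, AccessControlType,
                 ObjectType, InheritedObjectType, InheritanceType -AutoSize
```

Two practical notes. First, creating a site through the snap-in also creates child objects under the new site (the Servers container and NTDS Site Settings), so a group holding only the ACEs above may find that part of the operation fails; that is exactly the cause-and-effect testing Rick recommends doing on a test server before touching production. Second, the verification step at the end is the part worth keeping around: Roger's objection is that a bad site or subnet change breaks replication for a whole site, so re-running that read-back (and diffing it against the expected four rows) is a cheap way to notice when the delegated rights have drifted beyond what was signed for.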
