Well, this is more of a blanket suggestion than a solution to your problem.

After coming to find many tasks that remote admins should be able to do, but that I
don't want to give them rights to do, I tend to try and centralize tools. I've
created an ASP-driven "admin portal" which is nothing more than VB scripts to do the
processes. The remote admins are given access permission to the portal for their
specific tasks, but the actual processing of the tasks is done with a "service"
account with the privs, and not the user.

So they can kick off the tasks, see the results, but not ever have the permissions 
themselves.

I built in a logging interface, so I can tell when an admin did such a thing, which is
much easier than parsing other logs.

Replicate the site/DB around the world, and it's proven to be a very good source. I
can fix or add tools as needed, and not worry about older versions still floating around.

I know that's not really going to help you, but with a little scripting experience, 
you might be able to create a front end utilizing replmon for the same thing.

Jef

Original Message:
>From: FDiskThePC <[EMAIL PROTECTED]>
>To: [EMAIL PROTECTED]
>Subject: [ActiveDir] Forcing Replication from a Source DC
>Date: Tue, 4 Nov 2003 09:36:02 -0800 (PST)

>Okay, guys, I've done quite a bit of research here,
>but I need some help.  I don't know about you guys,
>but I find it frustrating that AD has been out for
>over three years and so much of this stuff is still
>undocumented!  Argh!
>
>First problem was delegating the right for remote
>admins to synchronize the domain.  For those out there
>that may still be searching, you need to delegate the
>"Replication Synchronization" right to your Domain
>Naming Context (NC) and any other NCs (Schema,
>Config, etc.) that you may have.  Note that if you do
>not delegate this right to every NC, AD Sites &
>Services will still fail because a "Replicate Now"
>tries to sync every NC behind the scenes - there is no
>way with this tool to sync a particular NC.  Note that
>ADSIEdit will probably be needed to make the
>delegation.
>
>Okay, second problem that I still need an answer to.
>I need a way to force replication from one source DC
>to all my other DCs.  Ah!  Use replmon you say
>choosing "Push Mode" and "Cross Site Boundaries".
>That works great, actually, but not for my remote
>admins.  Come to find out, replmon doesn't work unless
>the remote admin is also given the "Replicating
>Directory Changes" and "Manage Replication Topology"
>permission.  And I am not about to do that.
>
>I've also looked at repadmin.  It appears that some
>changes have been made to this command in W2K3, but
>I'd like to do this in a W2K setting.  Unfortunately,
>the W2K tool requires that you use actual GUIDs, but
>the more important thing is that I can't figure out
>how to push changes rather than pull!  I did come
>across one undocumented switch with repadmin.  Using
>repadmin /p /e /d server1.company.com forces server1
>to pull any and all changes from every other server
>(transitively).
>
>Any advice on how to best take one DC's changes and
>push them out to all other DCs would be GREATLY
>appreciated.  Sounds like a script to me.  Thanks.
>
>-Rick Dayton
>
>List info   : http://www.activedir.org/mail_list.htm
>List FAQ    : http://www.activedir.org/list_faq.htm
>List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
>
>
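A small broker script in the spirit of Jef's portal, added here as an example and not code from either poster: the requester never holds replication rights; the script, run under the service account, checks the requested DC against an allow-list, invokes the repadmin form Rick quoted (`repadmin /p /e /d <dc>`) without going through a shell, and writes one audit line per request. The DC names, the allow-list and the requester name are constructed placeholders.

```python
import logging
import re
import subprocess
from datetime import datetime, timezone

# Constructed allow-list of DCs the portal may target (hypothetical names).
ALLOWED_DCS = {"server1.company.com", "server2.company.com"}
# Strict FQDN pattern, so a requester cannot smuggle extra switches into the command.
_FQDN = re.compile(
    r"^[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
    r"(\.[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?)*$"
)

audit = logging.getLogger("replication-portal")


def validate_dc(dc, allowed=ALLOWED_DCS):
    """Return the DC name if well-formed and on the allow-list, else raise ValueError."""
    if not _FQDN.match(dc) or dc.lower() not in {a.lower() for a in allowed}:
        raise ValueError(f"DC not permitted: {dc!r}")
    return dc


def build_command(dc):
    """argv for the command quoted in the thread: repadmin /p /e /d <dc>.
    Built as a list (no shell), so the DC name is never re-parsed."""
    return ["repadmin", "/p", "/e", "/d", validate_dc(dc)]


def audit_record(requester, dc, returncode):
    """One line per request: who asked, which DC, and the exit code."""
    stamp = datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    return f"{stamp} requester={requester} task=force-pull dc={dc} rc={returncode}"


def run_sync(requester, dc, runner=subprocess.run):
    """Broker entry point: runs under the service account; the requester
    only supplies the target DC and is recorded in the audit log."""
    argv = build_command(dc)  # rejects anything off the allow-list
    result = runner(argv, capture_output=True, text=True, check=False)
    line = audit_record(requester, dc, result.returncode)
    audit.info(line)
    return result.returncode, line
```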