As John already said: it's not really wise to try to delegate everything, as otherwise you're giving away the keys to the kingdom after all... And if this is your only reason for creating that extra empty root domain, then you might as well stick to a clean single-domain-forest model: as soon as you give domain admin rights to someone else in your child domain, you've basically passed out these precious keys.
keys. Task Permissions Required to
Perform Task Create a Site / Add a
Site CC on cn=Sites, cn=Configuration,
dc=<ForestRootDomain> (to create obejcts of class
Site) Rename a
Site WP on the corresponding site object,
cn=<Site>, cn=Sites, cn=Configuration, dc=<forestRootDomain>
to modify the common-name attribute
Specify the location of a
Site WP on the corresponding site object,
cn=<Site>, cn=Sites, cn=Configuration, dc=<forestRootDomain>
to modify the Location attribute
Associate a Group Policy with a
Site WP on the corresponding site object,
cn=<Site>, cn=Sites, cn=Configuration, dc=<forestRootDomain>
to modify the GP-Link attribute Modify Site Group Policy
Options WP on the corresponding site object,
cn=<Site>, cn=Sites, cn=Configuration, dc=<forestRootDomain>
to modify the GP-Options attribute
Move a Domain Controller between
sites WP on the Server object being moved to
modify Common-Name attribute
It's a simple thing for a domain admin to work himself up the tree
and become Enterprise Admin - not necessarily what you'd expect, but that's the
way it is. MS is finally being public about this - check out the AD
Security Whitepaper that was released a while ago. It's best to keep a
very small team with EA+DA rights and delegate other tasks on the OU level
only.
If you still want to delegate site-administration (even in a
single-domain-forest) you'll have to grant numerous permissions on various
objects to make this happen - but depending on what you really want to delegate,
you may only need a few. Here is a sample from the upcoming AD Delegation
Whitepaper from Microsoft (only 5 more days...):
DC on the object cn=Servers,
cn=<Current-Site>, cn=Sites, cn=Configuration,
dc=<forestRootDomain> (to delete objects of class
Server)
CC on the object cn=Servers, cn=<New-Site>,
cn=Sites, cn=Configuration, dc=<forestRootDomain> (to create objects
of class
Server)
/Guido
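The table above lists rights by their ACE abbreviations (CC = Create Child, DC = Delete Child, WP = Write Property). The script below is an added example, not code from the thread or from Microsoft's whitepaper: it grants two of the table's rows as object-specific ACEs (CC on cn=Sites limited to the "site" class, and WP on the gPLink attribute of a single site) and then audits which principals hold explicit create/delete/write rights anywhere under cn=Sites, so you can see exactly who has been handed forest-wide power. It assumes the ActiveDirectory PowerShell module and its AD: drive, a delegate group name that is a placeholder here, and the default site name; run it as an account permitted to change ACLs on the Configuration naming context.

```powershell
# Added example (not from the thread). Delegate two site-management tasks with
# object-type-specific ACEs, then audit explicit rights under CN=Sites.
Import-Module ActiveDirectory

$Delegate = 'CONTOSO\SiteAdmins'        # placeholder: group to delegate to
$SiteName = 'Default-First-Site-Name'   # site whose gPLink the group may edit

$rootDse  = Get-ADRootDSE
$configNC = $rootDse.configurationNamingContext
$schemaNC = $rootDse.schemaNamingContext
$sitesDN  = "CN=Sites,$configNC"

# Look up schemaIDGUIDs so each ACE is scoped to one class or one attribute,
# instead of CC/WP on everything below CN=Sites.
function Get-SchemaGuid {
    param([string]$LdapDisplayName)
    $obj = Get-ADObject -SearchBase $schemaNC -Properties schemaIDGUID `
        -LDAPFilter "(lDAPDisplayName=$LdapDisplayName)"
    New-Object System.Guid -ArgumentList (,([byte[]]$obj.schemaIDGUID))
}
$siteClassGuid  = Get-SchemaGuid 'site'
$gpLinkAttrGuid = Get-SchemaGuid 'gPLink'

$sid = (New-Object System.Security.Principal.NTAccount -ArgumentList $Delegate).Translate(
           [System.Security.Principal.SecurityIdentifier])

# Add one Allow ACE (no inheritance) for $sid on the object $Dn.
function Add-AdAce {
    param(
        [string]$Dn,
        [System.DirectoryServices.ActiveDirectoryRights]$Rights,
        [guid]$ObjectType
    )
    $path = "AD:\$Dn"
    $acl  = Get-Acl -Path $path
    $ace  = New-Object System.DirectoryServices.ActiveDirectoryAccessRule -ArgumentList @(
                $sid, $Rights,
                [System.Security.AccessControl.AccessControlType]::Allow,
                $ObjectType,
                [System.DirectoryServices.ActiveDirectorySecurityInheritance]::None)
    $acl.AddAccessRule($ace)
    Set-Acl -Path $path -AclObject $acl
}

# Row "Create a Site / Add a Site": CC on cn=Sites, limited to class site.
Add-AdAce -Dn $sitesDN -Rights CreateChild -ObjectType $siteClassGuid

# Row "Associate a Group Policy with a Site": WP on gPLink of one site only.
Add-AdAce -Dn "CN=$SiteName,$sitesDN" -Rights WriteProperty -ObjectType $gpLinkAttrGuid

# Audit: every explicit (non-inherited) Allow ACE in the CN=Sites subtree that
# grants create, delete or write rights. Anything unexpected here is effectively
# forest-wide, since the site topology is shared by every domain in the forest.
function Get-SiteDelegations {
    $interesting = [int][System.DirectoryServices.ActiveDirectoryRights](
        'CreateChild, DeleteChild, WriteProperty, WriteDacl, WriteOwner, GenericAll, GenericWrite')
    Get-ADObject -SearchBase $sitesDN -SearchScope Subtree -LDAPFilter '(objectClass=*)' |
      ForEach-Object {
        $dn = $_.DistinguishedName
        (Get-Acl -Path "AD:\$dn").Access |
          Where-Object {
              -not $_.IsInherited -and
              $_.AccessControlType -eq 'Allow' -and
              (([int]$_.ActiveDirectoryRights) -band $interesting) -ne 0
          } |
          ForEach-Object {
              [pscustomobject]@{
                  Object     = $dn
                  Identity   = $_.IdentityReference
                  Rights     = $_.ActiveDirectoryRights
                  ObjectType = $_.ObjectType     # all-zero GUID = not attribute/class scoped
                  Inherit    = $_.InheritanceType
              }
          }
      }
}
Get-SiteDelegations | Format-Table -AutoSize
```

The audit only reports explicit ACEs, so rights inherited from cn=Configuration and membership in Enterprise Admins (which already has full control of the Configuration partition) do not show up; compare its output before and after the delegation, and treat any ACE whose ObjectType is the all-zero GUID as a broad grant rather than the attribute-scoped one the table describes.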
-----Original Message-----
From: John Reijnders [mailto:[EMAIL PROTECTED]]
Sent: Thursday, 20 November 2003 20:40
To: 'Ravdal, Stig'; '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] Managing Sites in Forest with Empty Root
If you want to delegate the rights to manage the stuff handled with AD S&S you need to delegate the "manage replication topology" to the right group. Site management is a task performed at forest level so delegating this right means delegating the rights for the complete forest.

Thinking about it ... you could try to limit the role of creating sites to a limited number of users/groups and then give specific admins only the rights to manage these specific objects (i.e. attaching subnets to this site).

However !!! be really conservative with the delegation of this right. Doing the wrong stuff can screw up your complete AD (in all domains within the forest). I personally prefer limiting this task to a very limited amount of people.

Cheers!
John
-----Original Message-----
From: Ravdal, Stig
To: [EMAIL PROTECTED]
Sent: 20-11-2003 18:17
Subject: [ActiveDir] Managing Sites in Forest with Empty Root
Hi all,

I'm a newbie to the forum and I think that this is the right place for this question.

I have set up a new forest using an empty forest root (first domain/tree in the forest). In the forest I have an operational domain, the second domain in the forest (and the first of three such single domain/single trees that will reside in the forest in addition to the empty forest root).

What I would like to do is allow the first operational domain to manage sites & services. I do not want the empty forest root to do any administrative tasks beyond holding the "keys to the kingdom". No users or computers will reside in the empty forest root domain.

How can I delegate the control of the Sites and Services?

Also can I delegate the control of sites and services such that each domain/tree in the forest can do their own site management?

Thanks,
Stig
___________________________________________________________________________
This message contains information that may be privileged or confidential and is the property of the Cap Gemini/Ernst & Young Group. It is intended only for the person to whom it is addressed. If you are not the intended recipient, you are not authorized to read, print, retain, copy, disseminate, distribute, or use this message or any part thereof. If you receive this message in error, please notify the sender immediately and delete all copies of this message.
___________________________________________________________________________
List info : http://www.activedir.org/mail_list.htm
List FAQ : http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
RE: [ActiveDir] Managing Sites in Forest with Empty Root
GRILLENMEIER,GUIDO (HP-Germany,ex1) Fri, 21 Nov 2003 11:26:10 -0800