Re: [ActiveDir] Sites and Services Permissions

[John Witasick]

Joe,   My thanks to you, and to Roger, for your responses.   Your podium point is well taken.  Unfortunately, I do not have this "one-umbrella" luxury in my environment - a domain may not function as a security boundary, but it does serve as a political boundary.  So, while I may not be able to stop the rogue admin, I'd like to make it as difficult as possible for them outside of their domain.  Any other suggestions on how to accomplish this would be greatly appreciated.   John ----- Original Message ----- From: joe To: [EMAIL PROTECTED] Sent: Thursday, January 22, 2004 10:38 PM Subject: RE: [ActiveDir] Sites and Services Permissions I'm just winging it and the answer is probably in the AD Delegation Whitepaper but I don't recall off the top of my head...   Best Practices for Delegating Active Directory Administration (2.7 MB) http://www.microsoft.com/downloads/details.aspx?FamilyID=631747a3-79e1-48fa-9730-dae7c0a1d6d3&DisplayLang=en    Best Practices for Delegating Active Directory Administration Appendices (4.2 MB) http://www.microsoft.com/downloads/details.aspx?FamilyID=29dbae88-a216-45f9-9739-cb1fb22a0642&DisplayLang=en     BUT... off the top of my head I would expect as long as they have CREATE/DELETE SERVER OBJECT rights in the sites are of the config container they would be able to do the promo's/demo's. Once the server object is created they will have full control of that so can create whatever they need under it (i.e. ntdsdsa objects, etc). I would test thoroughly in the lab though. Even if it is in black and white in the delegation paper you still need to test.   Now for the podium.... You do realize that domains are NOT security boundaries. A determined knowledgeable domain admin of a child domain, can own the forest if they get it in their head to do so. All domain admins of a forest should all be the same team under the same direct low level management. Anything else is, in my opinion, insecure.      joe From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of John Witasick Sent: Thursday, January 22, 2004 4:47 PM To: [EMAIL PROTECTED] Subject: [ActiveDir] Sites and Services Permissions We have a multi-domain environment (empty root & 7 child domains).  Our Central Office is responsible for creating and maintaining sites, site links, subnets, connection objects, replication schedules, . . .   We'd like to restrict all child domain admins from making any modifications within Sites and Services.  If we restrict their access to read-only throughout all of Sites and Services, will domain admins still be able to promote and demote DCs?  Will we break replication?  Will we break anything?   Thanks.   John This E-mail, including any attachments, may be intended solely for the personal and confidential use of the sender and recipient (s) named above. This message may include advisory, consultative and/or deliberative material and, as such, would be privileged and confidential and not a public document. Any Information in this e-mail identifying a client of the department of Human Services is confidential. If you have received this e-mail in error, you must not review, transmit, convert to hard copy, copy, use or disseminate this e-mail or any attachments to it and you must delete this message. You are requested to notify the sender by return e-mail. This E-mail, including any attachments, may be intended solely for the personal and confidential use of the sender and recipient (s) named above. This message may include advisory, consultative and/or deliberative material and, as such, would be privileged and confidential and not a public document. Any Information in this e-mail identifying a client of the department of Human Services is confidential. If you have received this e-mail in error, you must not review, transmit, convert to hard copy, copy, use or disseminate this e-mail or any attachments to it and you must delete this message. You are requested to notify the sender by return e-mail.