Guido,
 
Thanks for the corrections and for the information.  Granted, the Configuration Container is a writeable NC in the forest, and available on all DCs.  But, by DN, it is anchored at the root, yes?
 
-rtk


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of GRILLENMEIER,GUIDO (HP-Germany,ex1)
Sent: Saturday, January 24, 2004 4:59 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Sites and Services Permissions

the configuration container is not in the root - it's a writable naming context on any DC in the forest (obviously it is created when you create the root). 
 
one more minor correction: Child DAs do have the permissions to create connection objects on DCs in their own domain (to replicate from any DC in the forest - they can't add a CO to the other DCs in the forest to have it pull the changes from their DC...)
 
/Guido

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rick Kingslan
Sent: Saturday, 24 January 2004 00:52
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Sites and Services Permissions

John,
 
We have a multi-tree environment with domains below the empty root.  Our admins in the child domains can promote DCs in their own domain, even though they have no implicitly granted rights in Sites and Services.  I know where the Configuration Container is - it's in the root.  The other tree Admins can promote/demote DCs as well.  BUT! make no mistake - I DO NOT want anyone else short of myself and the other AD Engineer making any changes to the replication topology.
 
By default (and, I honestly have no idea if I have changed this) our empty root grants the empty root DA and the Enterprise Admin rights to Sites and Services.  Other than (well, there is SYSTEM) Authenticated Users have READ - that's about it.
 
What I'm saying is that I suspect that the Child DAs don't have to have explicit permission to the Sites and Services.  System is there, and I suspect that System is actually taking care of what the child admins need in creating the server and NTDS objects.  Then, the KCC would take over.  Unless the KCC has been shut off, of course.  In this case, the EA or DA of the root is going to have to handle it.
 

Rick Kingslan  MCSE, MCSA, MCT
Microsoft MVP - Active Directory
Associate Expert
Expert Zone - www.microsoft.com/windowsxp/expertzone
WebLog - www.msmvps.com/willhack4food
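As an added example (not from any of the posters in this thread), the following PowerShell snippet lists which principals hold write-type rights on the Sites container in the Configuration NC, which is the ACL Rick describes above and the naming context Guido notes is writable on any DC in the forest. Before restricting child domain admins to read-only, this is the check that shows who actually has write access today, and which entries are inherited. It assumes the RSAT ActiveDirectory module on a domain-joined host; the list of expected principals is an assumption to adjust for your forest.

```powershell
# Added example, not from the thread. Audit who can write under CN=Sites in the
# Configuration naming context. Assumes the RSAT ActiveDirectory module (AD: drive).
Import-Module ActiveDirectory

# The Configuration NC replicates to every DC in the forest; Sites lives under it.
$configNC = (Get-ADRootDSE).configurationNamingContext
$sitesDN  = "CN=Sites,$configNC"

# Rights that allow changing topology objects (sites, subnets, site links,
# server/NTDS Settings objects, connection objects).
$writeMask = [System.DirectoryServices.ActiveDirectoryRights]::GenericWrite -bor
             [System.DirectoryServices.ActiveDirectoryRights]::CreateChild -bor
             [System.DirectoryServices.ActiveDirectoryRights]::DeleteChild -bor
             [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty -bor
             [System.DirectoryServices.ActiveDirectoryRights]::WriteDacl -bor
             [System.DirectoryServices.ActiveDirectoryRights]::WriteOwner -bor
             [System.DirectoryServices.ActiveDirectoryRights]::GenericAll

# Principals you expect to hold write access (assumption: root-domain DA/EA,
# SYSTEM and the built-in Administrators group). Anything else gets flagged.
$rootNetBIOS = (Get-ADDomain -Identity (Get-ADForest).RootDomain).NetBIOSName
$expected = @('NT AUTHORITY\SYSTEM',
              'BUILTIN\Administrators',
              "$rootNetBIOS\Enterprise Admins",
              "$rootNetBIOS\Domain Admins")

function Get-SitesWriteAccess {
    param([string]$Path = "AD:\$sitesDN")

    $acl = Get-Acl -Path $Path
    foreach ($ace in $acl.Access) {
        # Only Allow entries that include at least one write-type right.
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if (([int]($ace.ActiveDirectoryRights -band $writeMask)) -eq 0) { continue }

        [pscustomobject]@{
            Identity  = $ace.IdentityReference.Value
            Rights    = $ace.ActiveDirectoryRights
            Inherited = $ace.IsInherited
            Expected  = ($expected -contains $ace.IdentityReference.Value)
        }
    }
}

# Unexpected writers sort to the top (Expected = False).
Get-SitesWriteAccess | Sort-Object Expected, Identity | Format-Table -AutoSize
```

Run it against the root and then against a child-domain DC (the `-Server` parameter on `Get-ADRootDSE` and the `AD:` drive both honour the DC you bind to); since the Configuration NC is a single forest-wide partition the output should be identical, which is itself a useful sanity check. Object-specific (extended-right or property-set) entries show up with `WriteProperty` or `ExtendedRight` and an `ObjectType` GUID; the script lists them without decoding the GUID, so review those rows by hand.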
 



From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of John Witasick
Sent: Thursday, January 22, 2004 3:47 PM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Sites and Services Permissions

We have a multi-domain environment (empty root & 7 child domains).  Our Central Office is responsible for creating and maintaining sites, site links, subnets, connection objects, replication schedules, . . .
 
We'd like to restrict all child domain admins from making any modifications within Sites and Services.  If we restrict their access to read-only throughout all of Sites and Services, will domain admins still be able to promote and demote DCs?  Will we break replication?  Will we break anything?
 
Thanks.
 
John

