----- Original Message -----
Sent: Saturday, January 24, 2004 6:56 AM
Subject: RE: [ActiveDir] Sites and Services Permissions
Guido,
Thanks for the corrections and for the information. Granted, the Configuration Container is a writeable NC in the forest, and available on all DCs. But, by DN, it is anchored at the root, yes?

-rtk
The configuration container is not in the root - it's a writable naming context on any DC in the forest (obviously it is created when you create the root).

One more minor correction: Child DAs do have the permissions to create connection objects on DCs in their own domain (to replicate from any DC in the forest - they can't add a CO to the other DCs in the forest to have it pull the changes from their DC...).

/Guido
John,
We have a multi-tree environment with domains below the empty root. Our admins in the child domains can promote DCs in their own domain, even though they have no implicitly granted rights in Sites and Services. I know where the Configuration Container is - it's in the root. The other tree Admins can promote/demote DCs as well. BUT! Make no mistake - I DO NOT want anyone else short of myself and the other AD Engineer making any changes to the replication topology.

By default (and, I honestly have no idea if I have changed this) our empty root grants the empty root DA and the Enterprise Admin rights to Sites and Services. Other than that (well, there is SYSTEM), Authenticated Users have READ - that's about it.

What I'm saying is that I suspect that the Child DAs don't have to have explicit permission to Sites and Services. System is there, and I suspect that System is actually taking care of what the child admins need in creating the server and NTDS objects. Then, the KCC would take over. Unless the KCC has been shut off, of course. In this case, the EA or DA of the root is going to have to handle it.
Rick Kingslan MCSE, MCSA, MCT
Microsoft MVP - Active Directory
Associate Expert
Expert Zone - www.microsoft.com/windowsxp/expertzone
WebLog - www.msmvps.com/willhack4food
We have a multi-domain environment (empty root & 7 child domains). Our Central Office is responsible for creating and maintaining sites, site links, subnets, connection objects, replication schedules, ...

We'd like to restrict all child domain admins from making any modifications within Sites and Services. If we restrict their access to read-only throughout all of Sites and Services, will domain admins still be able to promote and demote DCs? Will we break replication? Will we break anything?

Thanks.

John
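Before tightening Sites and Services down the way John describes, it helps to see who actually holds write-level rights on the Sites container and on the server and NTDS Settings objects beneath it, since those are where child DAs and the KCC need to create objects. The following audit script is an added example, not code from anyone in this thread; it assumes the ActiveDirectory module (RSAT) is installed and that the account running it can read the Configuration NC. The function name Get-SitesWriteAccess and the set of rights treated as "write-level" are my own choices.

```powershell
# Added example: enumerate Allow ACEs granting write-level rights on the Sites
# container of the Configuration NC and on every site, server and NTDS Settings
# object under it, so the principals able to change replication topology are visible.
Import-Module ActiveDirectory

# The Configuration NC is forest-wide; its DN hangs off the forest root's DN.
$configNC = (Get-ADRootDSE).configurationNamingContext
$sitesDN  = "CN=Sites,$configNC"

# Rights that let a principal create, change or re-secure objects (as opposed to read them).
$writeRights = [System.DirectoryServices.ActiveDirectoryRights]::GenericAll -bor
               [System.DirectoryServices.ActiveDirectoryRights]::GenericWrite -bor
               [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty -bor
               [System.DirectoryServices.ActiveDirectoryRights]::CreateChild -bor
               [System.DirectoryServices.ActiveDirectoryRights]::DeleteChild -bor
               [System.DirectoryServices.ActiveDirectoryRights]::WriteDacl -bor
               [System.DirectoryServices.ActiveDirectoryRights]::WriteOwner

function Get-SitesWriteAccess {
    # Hypothetical helper: returns the write-level Allow ACEs on one object.
    param([Parameter(Mandatory)][string]$DistinguishedName)

    $acl = Get-Acl -Path "AD:\$DistinguishedName"
    $acl.Access |
        Where-Object {
            $_.AccessControlType -eq 'Allow' -and
            ($_.ActiveDirectoryRights -band $writeRights) -ne 0
        } |
        Select-Object IdentityReference, ActiveDirectoryRights, IsInherited,
                      @{ Name = 'AppliesTo'; Expression = { $DistinguishedName } }
}

# Sites container first, then each site, server and NTDS Settings (nTDSDSA) object.
$children = Get-ADObject -SearchBase $sitesDN -SearchScope Subtree `
    -LDAPFilter '(|(objectClass=site)(objectClass=server)(objectClass=nTDSDSA))' |
    Select-Object -ExpandProperty DistinguishedName
$targets = @($sitesDN) + @($children)

# SYSTEM and Enterprise Admins are expected to hold write rights by default;
# everything else that shows up is what a restriction plan has to account for.
$targets |
    ForEach-Object { Get-SitesWriteAccess -DistinguishedName $_ } |
    Where-Object { $_.IdentityReference -notmatch 'NT AUTHORITY\\SYSTEM|Enterprise Admins' } |
    Sort-Object AppliesTo, IdentityReference |
    Format-Table -AutoSize
```

Run it once before and once after any ACL change on the Sites container; a child domain's Domain Admins group appearing only on its own domain's server and NTDS Settings objects matches what Guido describes above, while write rights on the Sites container itself or on other domains' server objects are the ones to review.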