We are global (~250,000 IDs and 150,000 contacts from New Zealand to England to South Africa to Germany to NA and SA) and have no issues with the control you are talking about. Even in Germany, which has some of the "tightest" restrictions on how much info others have about users, we don't have issues. We have three Admins across the world; they are all based in the US. Everyone else has some level of delegated rights, from none up to a small group of 5 or so that have account op, though all of their work is mostly done through a provisioning system and they just use the IDs to manually make corrections occasionally.
 
The closest we had to having a problem was due to some banking laws in Europe but the bank auditors seemed to have gotten over their issues.
 
In terms of locking out enterprise admins from a domain in a forest, not going to happen. Period. If you absolutely have to have that, you now have a multi-forest implementation, easy decision.
 
If you have more than 3-5 full admins on the domains, you need to investigate your support structure; you are probably shooting fish in a barrel with a rocket launcher. Full Domain Admin or even administrator rights are needed so rarely, if things are configured properly, that people shouldn't even have to know who the domain admins are. I often hear people say that running an Enterprise can't be done with just a couple of domain admins; this is incorrect. We have three, though we are trying to get money for a fourth. That fourth is more for the ability to spread pager coverage and to help cover vacation time and personnel turnover than anything, because we prove daily that we can do it with three. And actually, for the last 9 months I have been mostly doing Dev work for Exchange, so the team is mostly running with two people.
 
When I initially took over this environment it was NT4, we had some 60 admins, and we were a standard Windows shop where we had no stability and systems crashing all the time. I removed admin from all but 5 people; we became stable and secure and had 55 pissed off people. We converted to W2K and everything got even better. I left for 6 months, came back, and somehow the admin rights had been distributed again and the stability had gone back down the crapper. I took all the admins away again, but this time limited to three people. We got nice and stable and secure again and have stayed that way for several years. It took me 18 months of searching and cleaning to find all of the misconfigurations perpetrated by all of the people who were given the rights in my absence. Most people will just give out admin rights instead of fighting over who should get them; I say bring your boxing gloves and your technical experts if you think you need it.
 
Most of my day I am doing things from my normal userid, because most of an admin's job is looking and troubleshooting; very little should be actively changing, and a lot of information is available as a normal user. If you have to change things regularly to make things stay working, you have a bad design and need to work it out once and for all. Things that do need to change regularly, say for new implementations or data updates, should be delegated to lesser power IDs or should be automated so they are done safely and with good logging.
 
  joe
 


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Wednesday, January 28, 2004 7:40 PM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Active Directory International Support


This is a question for the admins out there that work for companies with users and domains worldwide...

We have been running Active Directory for two and a half years here at RockwellCollins on Windows 2000.  We have an empty root domain and basically one large domestic domain serving around 15000 active users.  We are in the middle of a project to bring our international domains up to Active Directory as well with several due to roll to Windows 2003 soon.  There are seven international domains ranging from 40 users to 700 users, each in a different country.  The plan is to join all the domains into this one, existing forest.  The problem would be due to export compliance and some European laws still being worked, the potential need to lock Enterprise Admins out of any of the foreign domains.  There currently are only two of us that are Enterprise admins due to the presence of that empty root and some good control when we moved to Active Directory.  How do other companies deal with international domains in the same forest?  Are we moving down the wrong road trying to consolidate into one forest?  

To add to that, management is exploring the potential of a 'follow the sun' support model where domain admins from all the domains would be allowed administrator access between domains; that assumes we get through the export compliance issues that seem to be looming ahead of us.

Any thoughts or best practices?

Thanks

Mark Hocraffer
RockwellCollins
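An added example, not from either message in this thread: a PowerShell audit that enumerates Domain Admins and builtin Administrators in every domain of the forest plus Enterprise Admins in the root, flagging any group whose user count exceeds joe's "3-5 full admins" rule of thumb (the threshold of 5 is an assumption), and reporting Enterprise Admins once under the root because its forest-wide rights are exactly what Mark asks about and what joe says a child domain cannot block. It assumes the RSAT ActiveDirectory module on a domain-joined host and an account with read access to all domains.

```powershell
# Added example (not from the thread). Assumes the RSAT ActiveDirectory module and an
# account with read access to every domain in the forest. The threshold is an assumption
# taken from the "3-5 full admins" rule of thumb in joe's reply.
Import-Module ActiveDirectory

$MaxAdmins = 5

function Get-PrivilegedUserCount {
    param([string]$GroupIdentity, [string]$Server)
    # -Recursive flattens nested groups so a user reached via another group still counts
    $members = Get-ADGroupMember -Identity $GroupIdentity -Server $Server -Recursive |
               Where-Object { $_.objectClass -eq 'user' }
    return @($members).Count
}

$forest = Get-ADForest
$report = @()

foreach ($domainName in $forest.Domains) {
    $domain = Get-ADDomain -Identity $domainName
    # Well-known identifiers: Domain Admins = <domain SID>-512, builtin Administrators = S-1-5-32-544
    $groups = @{
        'Domain Admins'  = "$($domain.DomainSID)-512"
        'Administrators' = 'S-1-5-32-544'
    }
    foreach ($name in $groups.Keys) {
        $count = Get-PrivilegedUserCount -GroupIdentity $groups[$name] -Server $domainName
        $report += [pscustomobject]@{
            Domain = $domainName
            Group  = $name
            Users  = $count
            Flag   = $(if ($count -gt $MaxAdmins) { 'REVIEW' } else { '' })
        }
    }
}

# Enterprise Admins (RID 519) exists only in the forest root, yet its members hold
# administrative rights in every domain of the forest; that is why a child domain
# cannot lock them out and why this row is reported once, under the root.
$root = Get-ADDomain -Identity $forest.RootDomain
$eaCount = Get-PrivilegedUserCount -GroupIdentity "$($root.DomainSID)-519" -Server $forest.RootDomain
$report += [pscustomobject]@{
    Domain = $forest.RootDomain
    Group  = 'Enterprise Admins'
    Users  = $eaCount
    Flag   = $(if ($eaCount -gt $MaxAdmins) { 'REVIEW' } else { '' })
}

$report | Sort-Object Domain, Group | Format-Table -AutoSize
```

Run it from a normal (non-admin) user as joe recommends; reading group membership needs no privileged ID, and a REVIEW flag on any row is the cue to look at the support structure rather than at the directory.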
