Definitely agree with Guido's parting remarks:

At last, every Domain Admin is basically an Enterprise Admin (or could
become one, no matter which domain in the forest - should be clear what I
mean).  So whatever you do, keep the members in DA restricted to the same
bare-minimum possible as your EA members.


Also take a peek at the AD Delegation guide. There is discussion around the
delegation of several EA capabilities if I recall correctly.


 joe 



-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Grillenmeier, Guido
Sent: Friday, June 25, 2004 6:03 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Enterprise Admin members

some more

5. trigger replication of config/schema partition between DCs of different domains
6. trigger replication of domain partition to GCs of other domains
7. manage replication topology at the forest level
8. create child domains
9. add any new objects to the config container (e.g. for special applications)
10. restore any cross-domain links (such as group-memberships) in a recovery scenario
11. ability to manage all objects (e.g. users, groups etc.) in any domain
12. ability to locally logon or TS to any DC in the forest
13. managing Application Partitions

there should be no service accounts that require membership in EA to do
their work. Unless you have an app that performs any of the listed activities
in an automated fashion, which isn't what I'd recommend to do (i.e. if
you're auto-creating sites + subnets, then it would be worthwhile to
delegate this to a special group and make the service account a member of
this group).

rgd. your approach to leave the EA group empty until required: this is an
approach I definitely recommend for the Schema Admin group, as its
permissions are very limited in scope and are not required very often.
Doing the same thing with EA really depends on how you currently manage AD
and how willing you are to adjust some of the default security to delegate
the required permissions for the most frequent of the tasks listed (e.g.
1,5,6,11,12).

Also realize, if you would do the latter (delegate permissions for some of
the most frequent tasks where EA is required), then you're basically
introducing another group with great power over your forest, which may not
be as well protected as the EA itself.  And if you don't delegate these
tasks, then I'm afraid you'll find yourself adding a user to EA very often.
Maybe too often for comfort; maybe up to a level of certain frustration...

At last, every Domain Admin is basically an Enterprise Admin (or could
become one, no matter which domain in the forest - should be clear what I
mean).  So whatever you do, keep the members in DA restricted to the same
bare-minimum possible as your EA members.


/Guido


-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Passo, Larry
Sent: Friday, 25 June 2004 17:22
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Enterprise Admin members

Anything that goes outside the scope of a domain:
1. Authorize a DHCP server
2. Create sites
3. Create a subnet object
4. Assign subnet objects to sites

Of course, the above tasks could be delegated

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
Sent: Friday, June 25, 2004 8:10 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Enterprise Admin members

I'm after a list of tasks that can only be performed by an Enterprise
Administrator and not by a domain admin in the forest root. eg Authorise a
DHCP server.

In general terms, what does everyone do with their Enterprise Admin
membership? I'm wondering if it should have any members at all on a
day-to-day basis and users only added temporarily when an Enterprise Admin
task crops up, what do you all think?

Also, is anyone aware of any application service accounts that require
Enterprise Admin rights?
List info   : http://www.activedir.org/mail_list.htm
List FAQ    : http://www.activedir.org/list_faq.htm
List archive:
http://www.mail-archive.com/activedir%40mail.activedir.org/
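The thread's advice (keep Enterprise Admins and Schema Admins empty, and Domain Admins in every domain of the forest as small as EA) can be turned into a recurring check. The script below is an added example, not code from any poster; it assumes the RSAT ActiveDirectory module, read access to every domain in the forest, and a tolerated standing Domain Admin count (`$MaxDomainAdmins`) that you choose yourself.

```powershell
# Added example: audit forest-wide privileged group membership against the
# advice in this thread. Requires the RSAT ActiveDirectory module.
Import-Module ActiveDirectory

# Assumption: how many standing Domain Admins per domain you tolerate.
# EA and SA are expected to be empty until a listed task actually comes up.
$MaxDomainAdmins = 2

$forest  = Get-ADForest
$root    = $forest.RootDomain
$rootSid = (Get-ADDomain -Identity $root).DomainSID.Value

# Well-known RIDs: 519 = Enterprise Admins, 518 = Schema Admins, 512 = Domain Admins.
# EA and SA exist only in the forest root; DA exists in every domain, and
# per the thread every DA is effectively an EA, so every domain is checked.
$checks = @(
    @{ Group = 'Enterprise Admins'; Domain = $root; Sid = "$rootSid-519"; Max = 0 }
    @{ Group = 'Schema Admins';     Domain = $root; Sid = "$rootSid-518"; Max = 0 }
)
foreach ($d in $forest.Domains) {
    $sid = (Get-ADDomain -Identity $d).DomainSID.Value
    $checks += @{ Group = 'Domain Admins'; Domain = $d; Sid = "$sid-512"; Max = $MaxDomainAdmins }
}

$findings = foreach ($c in $checks) {
    # -Recursive flattens nested groups, so members hidden behind a nested
    # group (a common way EA quietly grows) are counted as well.
    $members = @(Get-ADGroupMember -Identity $c.Sid -Server $c.Domain -Recursive)
    [pscustomobject]@{
        Domain  = $c.Domain
        Group   = $c.Group
        Count   = $members.Count
        Members = ($members | ForEach-Object SamAccountName) -join ', '
        Exceeds = ($members.Count -gt $c.Max)   # $true means: review this group
    }
}

# Groups over their limit are listed first; schedule this and diff the output
# over time so a "temporary" EA addition does not become permanent.
$findings | Sort-Object Exceeds -Descending | Format-Table -AutoSize
```

Get-ADGroupMember can fail on groups containing principals from another forest; for those, read the group's `member` attribute with Get-ADGroup instead.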