Delegation in AD can be very, very granular. Don't think of it as a need to decentralize administration - think of it as giving those in the field the tools they need to do their jobs. I would never advocate handing out administrative privileges without sufficient reason, but I am in favor of giving folks the level of authoritative permissions they need to do what they need to do.

Now, not having any knowledge of your environment, I'd offer the suggestion that you figure out what sort of pseudo-admins you have in your organization, determine how many different types you have, and figure out exactly what sort of administrative tasks they will need to be doing to be successful. Determine, based on this list, where and what sort of delegation you need to do. Then you scope that out in a lab and try doing the work they need to do using a variety of test accounts. Don't forget to make sure that delegating one thing didn't break something else for your higher-level admins! Also, can regular users do what they need to do? Ideally, develop MMC consoles specific to those roles. Finally, go back and evaluate your test results. I'd suggest getting some of these "field" or "site" folks involved in the process to ensure that they (a) buy in to it and (b) validate that what you are testing meets their needs.

It's important to note that in AD, if you are "overly permissive" it is WAY too easy for an admin to change something "a" that breaks something else "p" - and then troubleshooting that is a nightmare. Do you have Exchange? Don't forget about that integration and how changes to AD can inadvertently affect E2K or E2K3. Explaining this to an executive sponsor or high-level manager can help give you the leverage to manage the delegation in the appropriate way. Too many times folks in the field are used to being admins at some level and so claim they can't do their job without being one again. In AD, nothing is further from the truth.

Lastly, change control becomes so much more important than it was in NT4. Hold GPO editing rights close to the vest - and document everything you do there.

Hope that helps a little!

Rick

On 10/20/04 7:08 PM, "Perdue David J Contr InDyne/Enterprise IT" <[EMAIL PROTECTED]> wrote:

> Nathan,
>
> I think you made one of the best points: their own users have no AD admin
> experience. If you're in a single domain, obviously something done at one
> site will have a severe impact on another site, possibly preventing multiple
> sites from being able to authenticate.
>
> I don't know what your environment is like or the issues that you are
> facing. It may be easier to use AD delegation and define what the sites
> will be allowed to do: unlock accounts, change passwords, modify some group
> membership, create users, etc. But leave AD administration, GPO
> management, network infrastructure services, etc. to the central office.
>
> The rub is that you will really need coordination between the sites and
> the central office for service/support. If that doesn't work,
> dissatisfaction and dissension will set in.
>
> What are you willing to let them do?
>
> Dave
> ------------------------------------------------
> David J. Perdue
> MCSE 2000, MCSE NT, MCSA, MCP+I
> ------------------------------------------------
>
> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Nathan Casey
> Sent: Wednesday, October 20, 2004 3:41 PM
> To: [EMAIL PROTECTED]
> Subject: [ActiveDir] Centralized vs. decentralized administration
>
> Anyone have a good argument against decentralized administration in a single
> domain, multi-site AD environment? Currently all user, computer, group, etc.
> admin is handled by the IT dept. Now we need to justify why we should NOT
> let users at the sites admin their own users, computers, groups, etc. For the
> most part the users at the sites that want to admin their own users have no
> AD admin experience.
>
> Any suggestions would be helpful.
>
> Thanks,
> Nathan
>
> List info : http://www.activedir.org/mail_list.htm
> List FAQ : http://www.activedir.org/list_faq.htm
> List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
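The delegation Rick and Dave describe (a site help desk that can reset passwords, unlock accounts and edit membership of groups in its own OU, and nothing else) can be scripted and then checked rather than clicked through the Delegation of Control wizard. The PowerShell below is an added example, not code from the thread: it uses the ActiveDirectory and GroupPolicy modules and the AD: drive, which did not exist in 2004 (the participants would have used the wizard or dsacls), and the OU, group and lab account names are assumptions. It grants three object-specific ACEs, then reports anything broader the group holds on the OU and any GPO on which the group has more than read, which is the check Rick's "hold GPO editing rights close to the vest" calls for.

```powershell
# Added example (not from the thread). Delegates three narrowly scoped rights on one
# site OU to that site's help-desk group, then verifies exactly what was granted.
# Assumed names: the OU, the group and the lab accounts mentioned in comments.
Import-Module ActiveDirectory

$ouDN     = 'OU=Site01,OU=Sites,DC=corp,DC=example'   # assumed site OU
$groupSam = 'Site01-Helpdesk'                          # assumed help-desk group

# Schema GUIDs are fixed across all AD forests.
$userClass   = [Guid]'bf967aba-0de6-11d0-a285-00aa003049e2'  # user object class
$groupClass  = [Guid]'bf967a9c-0de6-11d0-a285-00aa003049e2'  # group object class
$resetPwd    = [Guid]'00299570-246d-11d0-a768-00aa006e0529'  # "Reset Password" control access right
$lockoutTime = [Guid]'28630ebf-41d5-11d1-a9c1-0000f80367c1'  # lockoutTime attribute (unlock = write it)
$memberAttr  = [Guid]'bf9679c0-0de6-11d0-a285-00aa003049e2'  # member attribute of group

$sid     = (Get-ADGroup -Identity $groupSam).SID
$allow   = [System.Security.AccessControl.AccessControlType]::Allow
$descend = [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents
$rights  = [System.DirectoryServices.ActiveDirectoryRights]

function New-DelegationAce {
    param([Guid]$ObjectType, $Rights, [Guid]$AppliesTo)
    # Object-specific ACE: one attribute or control right, inherited only by one object class,
    # so the help desk cannot touch computers, OUs or attributes it was not given.
    New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
        $sid, $Rights, $allow, $ObjectType, $descend, $AppliesTo)
}

$acl = Get-Acl -Path "AD:\$ouDN"
$acl.AddAccessRule((New-DelegationAce $resetPwd    $rights::ExtendedRight $userClass))
$acl.AddAccessRule((New-DelegationAce $lockoutTime ($rights::ReadProperty -bor $rights::WriteProperty) $userClass))
$acl.AddAccessRule((New-DelegationAce $memberAttr  ($rights::ReadProperty -bor $rights::WriteProperty) $groupClass))
Set-Acl -Path "AD:\$ouDN" -AclObject $acl

# Check 1: list what the group now holds on the OU. Anything wider than the three
# object-specific ACEs above (GenericAll, GenericWrite, WriteDacl, WriteOwner) is a finding,
# typically left over from an earlier wizard run or a "temporary" grant.
$broad = [int]($rights::GenericAll -bor $rights::GenericWrite -bor $rights::WriteDacl -bor $rights::WriteOwner)
(Get-Acl -Path "AD:\$ouDN").Access |
    Where-Object { $_.IdentityReference.Value -like "*\$groupSam" } |
    ForEach-Object {
        $flag = if (([int]$_.ActiveDirectoryRights -band $broad) -ne 0) { 'TOO BROAD' } else { 'ok' }
        '{0,-10} {1,-35} obj={2} appliesTo={3}' -f $flag, $_.ActiveDirectoryRights, $_.ObjectType, $_.InheritedObjectType
    }

# Check 2: the group must not appear on any GPO with more than read access.
Import-Module GroupPolicy
Get-GPO -All | ForEach-Object {
    $gpo = $_
    Get-GPPermission -Guid $gpo.Id -All |
        Where-Object { $_.Trustee.Name -eq $groupSam -and $_.Permission -ne 'GpoRead' } |
        ForEach-Object { 'FINDING: {0} has {1} on GPO "{2}"' -f $groupSam, $_.Permission, $gpo.DisplayName }
}

# Check 3 (lab, run as a member of the help-desk group, against an assumed test user):
#   Set-ADAccountPassword -Identity lab.user01 -Reset   # expected to succeed
#   Unlock-ADAccount      -Identity lab.user01          # expected to succeed
#   Set-ADUser -Identity lab.user01 -Description 'x'    # expected to fail: not delegated
#   Set-ADUser -Identity lab.user01 -Enabled $false     # expected to fail: userAccountControl not delegated
```

The negative tests in check 3 are the part Rick's lab step is really about: a delegation that lets the help desk do its four tasks is only correct if the things it was not given (disabling accounts, editing descriptions, touching objects outside the OU) fail when tried from a test account, and the output of check 1 should show only the three object-specific ACEs with inheritance limited to user and group objects.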
