Excellent response. :o)

The one thing I would add is to not be afraid to look at third party or
custom written provisioning tools. AD has NO business rules except for what
some of the MS guys wanted to do. This means nothing is prevented from being
put into the directory. You have three options: implement (buy or build) a
system that has rules, write scripts to chase through and clean up after the
fact, or let people do what they want.

Many companies actually go through all three phases. They let people do
whatever, get burned badly (like, say, you have this CEO named BobSmith and
you start getting userids or machines or groups called FU-BobSmith) or other
interesting things which can cause legal issues (I will let you pick the
appropriate words for your region and employee tolerance level...).

At that point of burning they start running scripts (or many start manually)
combing the directory looking at names and cleaning those up. Then they
realize they can clean up other things as well, old objects that shouldn't
be there anymore, objects that never should have existed in the first place,
odd permissions, etc. 

After a while of that and the script failing, or people finally realizing,
hey, this stuff shouldn't exist in the first place, then people start looking
at provisioning things through systems that enforce the rules up front.
There are systems out there now to do this but in many cases, it isn't that
hard to build your own that is specific to you. For the third party systems
you spend so much time customizing you have to make the decision of should
you customize something someone else made or should you just build your own?
Good arguments either way. 

Note that you don't have to start off provisioning everything. Start with
one aspect of it and slowly build it up. I think provisioning is far better
than giving out native rights because you have control of your directory
then. The more permissions you give out to people in the field, the more you
have to worry about what things they are going to figure out that you didn't
intend.

  joe
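As an added illustration of the rules-up-front versus clean-up-after-the-fact distinction in the message above (example code written for this page, not something joe, the list or any product shipped), here is a small Python model of both: a provision() gate that refuses objects which fail a naming standard or grant full control to untrusted principals, and an audit() pass that combs an already-populated directory for the same problems plus stale accounts. The naming regexes, the denylist, the 90-day staleness window and the sample objects are all constructed assumptions; the only page-derived value is the FU- prefix from the BobSmith story.

```python
import re
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import List, Optional

# All data below is constructed for the example; none of it comes from a real directory.
NOW = datetime(2004, 10, 21, tzinfo=timezone.utc)
STALE_AFTER = timedelta(days=90)          # assumed staleness window

# Hypothetical naming standard: one regex per object class.
NAME_PATTERNS = {
    "user":     re.compile(r"^[a-z]{2,8}[0-9]{0,3}$"),                   # e.g. bsmith, jdoe2
    "computer": re.compile(r"^(HQ|SITE[0-9]{2})-(WS|SRV)[0-9]{3}$"),      # e.g. SITE07-WS012
    "group":    re.compile(r"^(GG|DL)-[A-Za-z0-9]+(-[A-Za-z0-9]+)*$"),   # e.g. GG-Finance-RO
}
# Substrings refused anywhere in a name (case-insensitive). "fu-" is the FU-BobSmith
# case from the message; "sucks" is a constructed placeholder.
DENYLIST = ("fu-", "sucks")
# Principals that may legitimately hold full control on an object (assumed set).
TRUSTED_FULL_CONTROL = {"Domain Admins", "Enterprise Admins", "SYSTEM"}


@dataclass
class DirObject:
    name: str
    kind: str                                   # "user", "computer" or "group"
    last_logon: Optional[datetime] = None       # None = never logged on
    full_control: List[str] = field(default_factory=list)  # principals granted full control


def naming_violations(obj):
    """Business rules the directory itself never enforces: naming standard plus denylist."""
    problems = []
    pattern = NAME_PATTERNS.get(obj.kind)
    if pattern is None:
        problems.append(f"unknown object class {obj.kind!r}")
    elif not pattern.match(obj.name):
        problems.append(f"name {obj.name!r} does not match the {obj.kind} naming standard")
    lowered = obj.name.lower()
    for bad in DENYLIST:
        if bad in lowered:
            problems.append(f"name {obj.name!r} contains denylisted text {bad!r}")
    return problems


def stale(obj, now=NOW):
    """Users and computers that have not authenticated within STALE_AFTER."""
    if obj.kind == "group":
        return False
    if obj.last_logon is None:
        return True
    return now - obj.last_logon > STALE_AFTER


def odd_permissions(obj):
    """Full-control grants to anyone outside the trusted set are flagged."""
    return [p for p in obj.full_control if p not in TRUSTED_FULL_CONTROL]


def provision(obj, directory):
    """Rules up front: the object only enters the directory if every check passes.
    Returns the list of reasons it was refused (empty list = accepted)."""
    problems = naming_violations(obj)
    problems += [f"{obj.name!r} grants full control to untrusted principal {p!r}"
                 for p in odd_permissions(obj)]
    if not problems:
        directory.append(obj)
    return problems


def audit(directory, now=NOW):
    """Clean-up-after-the-fact pass over an unchecked directory: {name: [problems]}."""
    report = {}
    for obj in directory:
        problems = naming_violations(obj)
        if stale(obj, now):
            problems.append(f"no logon in {STALE_AFTER.days} days")
        problems += [f"full control granted to untrusted principal {p!r}"
                     for p in odd_permissions(obj)]
        if problems:
            report[obj.name] = problems
    return report


# Constructed directory that was populated with no rules at all.
UNCHECKED = [
    DirObject("bsmith", "user", NOW - timedelta(days=1)),
    DirObject("FU-BobSmith", "user", NOW - timedelta(days=2)),
    DirObject("SITE07-WS012", "computer", NOW - timedelta(days=200)),
    DirObject("GG-Finance-RO", "group", full_control=["SITE07 Helpdesk"]),
    DirObject("tempgroup", "group"),
]

if __name__ == "__main__":
    for name, problems in audit(UNCHECKED).items():
        print(name)
        for p in problems:
            print("  -", p)
    clean = []
    print(provision(DirObject("jdoe", "user"), clean), len(clean))          # [] 1
    print(provision(DirObject("FU-BobSmith", "user"), clean), len(clean))   # 2 reasons, still 1
```

Run as written, the audit flags four of the five sample objects (only bsmith is clean), while the provisioning gate admits jdoe and refuses FU-BobSmith before it ever exists. The point of the split is the one joe makes: audit() is the script you run after you have been burned, provision() is the rule set you wish had been there first.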

 

-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Rick Boza
Sent: Thursday, October 21, 2004 9:15 AM
To: ActiveDir List
Subject: Re: [ActiveDir] Centralized vs. decentralized administration

Delegation in AD can be very very granular.

Don't think of it as a need to decentralize administration - think of it as
giving those in the field the tools they need to do their jobs.  I would
never advocate handing out administrative privileges without sufficient
reason, but I am in favor of giving folks the level of authoritative
permissions they need to do what they need to do.

Now, not having any knowledge of your environment, I'd offer the suggestion
that you figure out what sort of pseudo-admins you have in your
organization, determine how many different types you have, and figure out
exactly what sort of administrative tasks they will need to be doing to be
successful.  

Determine, based on this list, where and what sort of delegation you need to
do.  Then you scope that out in a lab and try doing the work they need to do
using a variety of test accounts.  Don't forget to make sure that delegating
one thing didn't break something else for your higher level admins!   Also,
can regular users do what they need to do?  Ideally, develop MMC consoles
specific to those roles.

Finally, go back and evaluate your test results.  I'd suggest getting some
of these 'field' or 'site' folks involved in the process to ensure that they
(a) buy in to it and (b) validate what you are testing meets their needs.

It's important to note that in AD, if you are 'overly permissive' it is WAY
too easy for an admin to change something "a" that breaks something else "p"
- and then troubleshooting that is a nightmare.  Do you have Exchange?
Don't forget about that integration and how changes to AD can inadvertently
affect E2K or E2K3.  Explaining this to an executive sponsor or high level
manager can help give you the leverage to manage the delegation in the
appropriate way.  Too many times folks in the field are used to being admins
at some level and so claim they can't do their job without being one again.
In AD, nothing is further from the truth.

Lastly, change control becomes so much more important than it was in NT4.
Hold GPO editing rights close to the vest - and document everything you do
there.

Hope that helps a little!

Rick


On 10/20/04 7:08 PM, "Perdue David J Contr InDyne/Enterprise IT"
<[EMAIL PROTECTED]> wrote:

> Nathan,
> 
> I think you made one of the best points, their own users have no AD 
> admin experience.  If you're in a single domain, obviously something 
> done at one site will have a severe impact on another site.  Possibly 
> rendering multiple sites from being able to authenticate.
> 
> I don't know what your environment is like or the issues that you are 
> facing.  It may be easier to use AD delegation and define what the 
> sites will be allowed to do: Unlock Accounts, Change Passwords, modify 
> some group membership, Create Users, etc.  But leave AD 
> Administration, GPO Management, Network Infrastructure Services, etc to
> the central office.
> 
> The rub is that you will really need coordination between the sites 
> and the central office for service/support.  If that doesn't work, 
> dissatisfaction and dissension will set in.
> What are you willing to let them do?
> 
> Dave
> ------------------------------------------------
> David J. Perdue
> MCSE 2000, MCSE NT, MCSA, MCP+I
> ------------------------------------------------
> 
> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Nathan Casey
> Sent: Wednesday, October 20, 2004 3:41 PM
> To: [EMAIL PROTECTED]
> Subject: [ActiveDir] Centralized vs. decentralized administration
> 
> Anyone have a good argument against decentralized administration in a 
> single domain, multi site AD environment. Currently all user, 
> computer, group, etc admin is handled by the IT dept. Now, we need to 
> justify why we should NOT let users at the sites admin their own 
> users, computer, groups, etc. For the most part the users at the sites 
> that want to admin their own users have no AD admin experience. Any 
> suggestions would be helpful Thanks Nathan
> 
> List info   : http://www.activedir.org/mail_list.htm
> List FAQ    : http://www.activedir.org/list_faq.htm
> List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
