Tim,
Thanks for the tip. I'm working my way through the "Best Practices for Delegating Active Directory Administration" and the procedure in the appendix does not result in the right to initiate replication. (Probably because "Replication Synchronization" is not even mentioned.)
If my testing is accurate, this permission does not need to be inherited down the tree (just "This object only"), and for this to work with W2003 AD, the permission also needs to be set on the DomainDNS and ForestDNS partitions?
Greetz,
Bob
"Tim Springston [MSFT]" <[email protected]> wrote in message
Editing items in AD Sites and Services makes changes to items in the Active Directory the same as Active Directory Users and Computers does (or ADSIEdit.msc or LDP.EXE).
I posted these steps yesterday as well, but if you have any questions or concerns please repost to let us know:
******************
To delegate the rights to initiate AD replication to a user or group, follow the steps below. If you have multiple domains in your forest, the delegation would need to be to a universal group and all domains would need to be in native mode. Otherwise this can be done using a user or global security group.
******************
Keep in mind that for non-domain admins to be able to log on locally to a domain controller they would need to be added to the "Log on Locally" right in the Default Domain Controllers GPO. Here are the steps for that:
================
To grant this right to a Windows 2000 domain user you must add that user to the "Log on Locally" policy container. (This procedure assumes that the domain user account already exists.)
1. Click Start, point to Programs, point to Administrative Tools, and select
Domain Security Policy.
2. Click Local Policies.
3. Click User Rights Assignments.
4. In the right pane, double-click Log On Locally.
5. In the Security Policy dialog box, click Add.
6. Under Select Users or Groups, type the user name in the lower pane and click OK.
7. In the Security Policy dialog box, click OK.
The user account now has rights to log on locally to the Domain Controller computer.
============================================================================
Here are steps for the AD replication delegation:
1) Open ADSIEDIT.MSC (installed with the Support Tools).
2) Go to the properties of the Configuration container for the forest. Then click on the Security tab so that it is in front.
3) Add the user or group you want to have the permission to replicate AD. Then click Allow on the "Replication Synchronization" permission.
4) Repeat steps 2-3 for the Schema and Domain containers. If you have multiple domains in the forest then repeat steps 2-3 on a DC in each domain to add the necessary permissions to each particular domain's Domain container.
--
Tim Springston
Microsoft Corporation
This posting is provided "AS IS" with no warranties, and confers no rights.
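The ADSIEdit procedure in Tim's post, carried out from PowerShell as an added example; this is not code from the thread or from Microsoft. It assumes the RSAT ActiveDirectory module on a domain-joined machine, an account permitted to modify the security descriptors of the Configuration, Schema and Domain partitions, and a placeholder group name (`CONTOSO\ReplicationOperators`) that you would replace. Rather than hard-coding the right's GUID, it resolves "Replication Synchronization" by display name from the Extended-Rights container, grants it as a non-inherited ("This object only") ACE on the three partitions from step 4, and reads each ACL back to confirm the ACE landed.

```powershell
# Added example, not from the original thread. Requires the RSAT
# ActiveDirectory module; run as an account that may edit the security
# descriptor of the Configuration, Schema and Domain partitions.
Import-Module ActiveDirectory

# Placeholder group (assumption): replace with your own. In a multi-domain
# forest this should be a universal group, as the post says.
$Principal = 'CONTOSO\ReplicationOperators'

$rootDse = Get-ADRootDSE
$sid = ([System.Security.Principal.NTAccount]$Principal).Translate(
           [System.Security.Principal.SecurityIdentifier])

# Resolve the control access right by the display name ADSIEdit shows,
# instead of hard-coding its rightsGuid.
$right = Get-ADObject -SearchBase "CN=Extended-Rights,$($rootDse.configurationNamingContext)" `
                      -LDAPFilter '(displayName=Replication Synchronization)' `
                      -Properties rightsGuid
if (-not $right) { throw 'Replication Synchronization right not found under Extended-Rights' }
$rightGuid = [guid]$right.rightsGuid

function Grant-ReplicationSync {
    param([string]$Dn)
    # Inheritance None = "This object only", the setting Bob's testing points at.
    $rule = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
        $sid,
        [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight,
        [System.Security.AccessControl.AccessControlType]::Allow,
        $rightGuid,
        [System.DirectoryServices.ActiveDirectorySecurityInheritance]::None)
    $acl = Get-Acl -Path "AD:\$Dn"
    $acl.AddAccessRule($rule)
    Set-Acl -Path "AD:\$Dn" -AclObject $acl
}

function Test-ReplicationSyncAce {
    param([string]$Dn)
    # Read the ACL back: $true only if an explicit Allow ACE for our SID
    # carrying the Replication Synchronization ObjectType is present.
    $acl  = Get-Acl -Path "AD:\$Dn"
    $aces = $acl.GetAccessRules($true, $false, [System.Security.Principal.SecurityIdentifier])
    [bool]($aces | Where-Object {
        $_.IdentityReference -eq $sid -and
        $_.ObjectType -eq $rightGuid -and
        $_.AccessControlType -eq 'Allow' -and
        ($_.ActiveDirectoryRights -band [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight)
    })
}

# The three partitions from step 4 of the post. To try Bob's DomainDNS /
# ForestDNS question, add those application partition DNs from
# $rootDse.namingContexts to this list.
$targets = @(
    $rootDse.configurationNamingContext,
    $rootDse.schemaNamingContext,
    $rootDse.defaultNamingContext
)

foreach ($dn in $targets) {
    Grant-ReplicationSync -Dn $dn
    if (Test-ReplicationSyncAce -Dn $dn) {
        Write-Host "OK   Replication Synchronization granted to $Principal on $dn"
    } else {
        Write-Warning "ACE for $Principal not found on $dn after Set-Acl"
    }
}
```

Run it once per domain, on a DC of that domain, so that each domain's own Domain partition is covered (the Configuration and Schema ACLs are forest-wide and will simply receive a duplicate-free re-add). The script only handles the directory permission; the "Log on Locally" user right from the GPO section is still set through Group Policy. A practical end-to-end check afterwards is to have the delegated user run `repadmin /syncall` or "Replicate Now" in AD Sites and Services against a DC.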