Edwyn
We have a single Windows 2000 domain with 10 sites worldwide,
according to the Branch Office model. Some of these bigger sites do have
their own local administrators. We don't want the Administrator
account to be used by everybody and we don't want the local
administrators in the group Domain Admins. The idea is that we all use
our own account with restricted rights for daily operations and the
Administrator account is safe and put away. This way nobody can alter
the domain by accident.
This is what we did so far in our test domain:
To give every local administrator rights to manage his part of the AD
and his servers we've created a group Site Administrators. In this
group we've added the local administrators, e.g. countryadmin. In Users
and Computers we've created OUs per site and gave the countryadmin
with Delegation of Control all rights in his OU. Next we've added the
Site Administrators to the group Account Operations, so he is able to
create/move/delete users and groups etc. The countryadmins are added
to the security tab in Terminal Services and the group Site
Administrators is added to Local Administrators on workstations and
member servers.
But the problems happen with the DCs. No local admins, so a
countryadmin can't run even simple tasks like Diskeeper etc. and
we do have DCs with multiple tasks, like DNS, WINS, DHCP, mail server
and file server.
Any ideas? Does anyone know of a whitepaper or any document about
delegated administrators?