New Organizational Unit for a new remote office.

Thread starter: Guest

Hi All

We are a single domain environment and we want to set up a remote
office under an individual Organizational Unit with its own administrators,
domain controllers and e-mail servers.
Can someone please lead me to any documentation which states the minimum
setup required if we want to delegate their own administrators to
administer their own Organizational Unit ONLY?
i.e. preparations and setup requirements.

Thanks
Peter
 
You will not be able to have administrators that can maintain their DC
within the same domain. They could have a sub-set of tasks, but ALL DCs
within a domain are pretty much the same, so if they can modify one they will
be able to modify all. You should be able to make some restrictions within
Exchange, but again there will be issues.

It sounds like you should consider a separate domain.

--
Paul Bergson
MCT, MCSE, MCSA, Security+, BS CSi
2003, 2000 (Early Achiever), NT

http://www.pbbergs.com

Please no e-mails, any questions should be posted in the NewsGroup
This posting is provided "AS IS" with no warranties, and confers no rights.
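Paul's point is that DC administration cannot be split per DC: whoever can administer one DC in a domain can administer all of them, so the only way an OU admin stays an OU admin is to keep the delegated group out of every group and ACL that reaches the DCs. As an added example (not code from the thread; it uses the ActiveDirectory PowerShell module, which post-dates this discussion, and the group and OU names are assumptions), this is the check I would run after delegation to confirm that containment still holds:

```powershell
# Added example, not code from the thread: verify that an OU admin group has no
# route to DC-wide rights. Group and OU names below are assumptions.
Import-Module ActiveDirectory

$group = 'RemoteOffice-OUAdmins'                         # assumed delegate group
$ou    = 'OU=RemoteOffice,DC=corp,DC=example,DC=com'     # assumed delegated OU

# Membership in any of these grants rights on every DC in the domain, never on just one
$dcWideGroups = 'Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Administrators',
                'Account Operators', 'Server Operators', 'Backup Operators', 'Print Operators'

function Test-OuAdminContainment {
    param([string]$Group, [string]$Ou)
    $findings = @()
    $domainDN = (Get-ADDomain).DistinguishedName
    $g        = Get-ADGroup -Identity $Group

    # 1. Transitive membership via LDAP_MATCHING_RULE_IN_CHAIN (OID 1.2.840.113556.1.4.1941).
    #    This catches the delegated group nested two or three levels deep inside a protected group,
    #    which a plain memberOf check would miss.
    $chain = Get-ADGroup -LDAPFilter "(member:1.2.840.113556.1.4.1941:=$($g.DistinguishedName))"
    foreach ($m in $chain) {
        if ($dcWideGroups -contains $m.Name) {
            $findings += "transitive member of '$($m.Name)' (reaches every DC)"
        }
    }

    # 2. Explicit ACEs for the group outside its own OU. The domain root, the Domain Controllers OU
    #    and AdminSDHolder are where a stray ACE turns into domain-wide control.
    $targets = @($domainDN, "OU=Domain Controllers,$domainDN", "CN=AdminSDHolder,CN=System,$domainDN")
    foreach ($target in $targets) {
        $acl = Get-Acl -Path "AD:\$target"
        $own = $acl.Access | Where-Object { $_.IdentityReference -like "*\$Group" -and -not $_.IsInherited }
        foreach ($ace in $own) {
            $findings += "explicit ACE on ${target}: $($ace.ActiveDirectoryRights)"
        }
    }

    # 3. Protected objects (adminCount=1) inside the delegated OU. SDProp rewrites their ACL from
    #    AdminSDHolder periodically, so OU delegation silently does not apply to them; they should
    #    not live in an OU that is handed to a delegated admin.
    $protected = Get-ADObject -SearchBase $Ou -LDAPFilter '(adminCount=1)'
    foreach ($p in $protected) {
        $findings += "protected object inside OU (delegation will not apply): $($p.DistinguishedName)"
    }

    return $findings
}

$result = Test-OuAdminContainment -Group $group -Ou $ou
if ($result.Count -eq 0) { "OK: no DC-wide rights found for $group" } else { $result }
```

Any finding from step 1 or 2 means the "OU admin" is in practice a DC admin, regardless of what was delegated on the OU. Step 3 does not indicate elevation, but it tells you which accounts in the OU the delegated admin will not actually be able to manage.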
 
Hi Paul

Yes, I understand that a separate domain or a sub-domain would be much
better to achieve this, but for some reasons an OU is a MUST in my situation.
Therefore I would like to get the most out of it and limit the rights of the
OU Admin as much as I can. Hopefully someone can give me more guidance on this.

Thanks
Peter
 
Peter said:
office under an individual Organizational Unit with its own administrators,
domain controllers and e-mail servers.

Impossible to achieve when it concerns the DCs. You cannot delegate
administration of one single DC. Either you administer ALL DCs or you don't.
DCs should be administered by domain admins ONLY!

Additional domains in a forest do not give additional protection when admins
are made child domain admins.

To answer your question you need to know WHAT you want to
delegate. Examples are:
* password resets
* account unlocks
* computer joins (how to make sure every computer is unique and has not
already been used by another admin)
* creation of groups (how to make sure every computer is unique and has not
already been used by another admin)
* creation of users with/without mailboxes (how to make sure every computer
is unique and has not already been used by another admin)
* assign mailboxes to existing users
etc.

--

Cheers,
(HOPEFULLY THIS INFORMATION HELPS YOU!)

# Jorge de Almeida Pinto # MVP Windows Server - Directory Services

BLOG (WEB-BASED)--> http://blogs.dirteam.com/blogs/jorge/default.aspx
BLOG (RSS-FEEDS)--> http://blogs.dirteam.com/blogs/jorge/rss.aspx
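Jorge's list is the right way to frame it: OU delegation is a set of ACEs on the OU, one per task, and none of them touches the DCs. As an added example (not code from the thread; it uses the ActiveDirectory PowerShell module, which post-dates this discussion, and the Delegation of Control wizard or dsacls sets the same ACEs), the following grants a help-desk group the first four items on his list, password resets, account unlocks, computer joins and group creation, on one OU. It resolves the class, attribute and extended-right GUIDs from the directory by name rather than hard-coding them. The OU and group names are assumptions.

```powershell
# Added example, not code from the thread: delegate a fixed set of tasks on one OU
# to a group. OU and group names below are assumptions.
Import-Module ActiveDirectory

$ou    = 'OU=RemoteOffice,DC=corp,DC=example,DC=com'   # assumed OU being delegated
$group = 'RemoteOffice-HelpDesk'                        # assumed delegate group

$rootDse  = Get-ADRootDSE
$schemaNC = $rootDse.schemaNamingContext
$configNC = $rootDse.configurationNamingContext

# schemaIDGUID of a class or attribute, looked up by lDAPDisplayName
function Get-SchemaGuid([string]$Name) {
    $o = Get-ADObject -SearchBase $schemaNC -LDAPFilter "(lDAPDisplayName=$Name)" -Properties schemaIDGUID
    if (-not $o) { throw "schema object '$Name' not found" }
    [guid]$o.schemaIDGUID
}
# rightsGuid of an extended right (control access right), looked up by displayName
function Get-RightsGuid([string]$Name) {
    $o = Get-ADObject -SearchBase "CN=Extended-Rights,$configNC" -LDAPFilter "(displayName=$Name)" -Properties rightsGuid
    if (-not $o) { throw "extended right '$Name' not found" }
    [guid]$o.rightsGuid
}

$sid        = (Get-ADGroup -Identity $group).SID
$userClass  = Get-SchemaGuid 'user'
$groupClass = Get-SchemaGuid 'group'
$compClass  = Get-SchemaGuid 'computer'
$Allow      = [System.Security.AccessControl.AccessControlType]::Allow
$Desc       = [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents
$All        = [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All

# One ACE for the delegate group: rights, the object type/attribute/right the ACE is about,
# how it inherits, and (optionally) which descendant object class it applies to
function New-Ace {
    param($Rights, [guid]$ObjectType, $Inherit, [guid]$InheritedType = [guid]::Empty)
    New-Object -TypeName System.DirectoryServices.ActiveDirectoryAccessRule -ArgumentList @(
        $sid, [System.DirectoryServices.ActiveDirectoryRights]$Rights, $Allow, $ObjectType, $Inherit, $InheritedType)
}

$aces = @(
    # Password resets: the "Reset Password" extended right on user objects below the OU
    New-Ace 'ExtendedRight' (Get-RightsGuid 'Reset Password') $Desc $userClass
    # "User must change password at next logon" after a reset: write pwdLastSet
    New-Ace 'ReadProperty, WriteProperty' (Get-SchemaGuid 'pwdLastSet') $Desc $userClass
    # Account unlocks: the unlock is a write of lockoutTime
    New-Ace 'ReadProperty, WriteProperty' (Get-SchemaGuid 'lockoutTime') $Desc $userClass
    # Group creation/deletion, limited to this OU tree
    New-Ace 'CreateChild, DeleteChild' $groupClass $All
    # Computer joins: create/delete computer objects in this OU tree
    New-Ace 'CreateChild, DeleteChild' $compClass $All
)

$path = "AD:\$ou"
$acl  = Get-Acl -Path $path
foreach ($ace in $aces) { $acl.AddAccessRule($ace) }
Set-Acl -Path $path -AclObject $acl

# Read back what was granted (ObjectType/InheritedObjectType show as the resolved GUIDs)
(Get-Acl -Path $path).Access |
    Where-Object { $_.IdentityReference -like "*\$group" } |
    Select-Object ActiveDirectoryRights, ObjectType, InheritedObjectType, InheritanceType |
    Format-Table -AutoSize
```

Run it once as a domain admin, in a lab first. Nothing here gives the group any right on a DC or on objects outside the OU, which is the whole point of the exercise; the group never needs Account Operators, Server Operators or Administrators, each of which reaches every DC in the domain. One caveat that surprises people: users with adminCount=1 (members of protected groups) inside the OU get their ACL rewritten from AdminSDHolder by SDProp, so these ACEs will not apply to them.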
 
Hunh???

Are you trying to say that a child domain administrator has full Enterprise
admin rights?

--
Paul Bergson
MCT, MCSE, MCSA, Security+, BS CSi
2003, 2000 (Early Achiever), NT

http://www.pbbergs.com

Please no e-mails, any questions should be posted in the NewsGroup
This posting is provided "AS IS" with no warranties, and confers no rights.

 
I'm not going to explain how to, but the message here is:

EVERY DOMAIN ADMIN IN THE FOREST (AND THUS EVERY DOMAIN IN THE FOREST) MUST
BE TRUSTED!!!

--

Cheers,
(HOPEFULLY THIS INFORMATION HELPS YOU!)

# Jorge de Almeida Pinto # MVP Windows Server - Directory Services

BLOG (WEB-BASED)--> http://blogs.dirteam.com/blogs/jorge/default.aspx
BLOG (RSS-FEEDS)--> http://blogs.dirteam.com/blogs/jorge/rss.aspx
------------------------------------------------------------------------------------------
* This posting is provided "AS IS" with no warranties and confers no rights!
* Always test before implementing!
------------------------------------------------------------------------------------------
 
If you are stating that an intelligent domain admin can figure out how to
elevate his privileges, I don't think that is a good reason. If you have an
untrustworthy admin, those privileges need to be revoked and someone found
who can do their job as directed.

Unclear on the capitalization and exclamation point piece of your
conversation.


--
Paul Bergson
MCT, MCSE, MCSA, Security+, BS CSi
2003, 2000 (Early Achiever), NT

http://www.pbbergs.com

Please no e-mails, any questions should be posted in the NewsGroup
This posting is provided "AS IS" with no warranties, and confers no rights.

 
Paul Bergson said:
If you are stating that an intelligent domain admin can figure out how to
elevate his privileges

Yes, they can.... besides that... everyone with physical access to a DC

Paul Bergson said:
Unclear on the capitalization and exclamation point piece of your
conversation.

Just making a point....

--

Cheers,
(HOPEFULLY THIS INFORMATION HELPS YOU!)

# Jorge de Almeida Pinto # MVP Windows Server - Directory Services

BLOG (WEB-BASED)--> http://blogs.dirteam.com/blogs/jorge/default.aspx
BLOG (RSS-FEEDS)--> http://blogs.dirteam.com/blogs/jorge/rss.aspx
 
You are way beyond my level of expertise, so don't misunderstand me. I just
think that (yes, I agree you are correct that elevation is available to an
intelligent user) you don't want to create a whole bunch of forests for this
type of layout.



--
Paul Bergson
MCT, MCSE, MCSA, Security+, BS CSi
2003, 2000 (Early Achiever), NT

http://www.pbbergs.com

Please no e-mails, any questions should be posted in the NewsGroup
This posting is provided "AS IS" with no warranties, and confers no rights.
