Go Premium for a chance to win a PS4. Enter to Win

x
  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 194
  • Last Modified:

Different Admins for Different DCs (Group Policy question)

I am running a Windows 2003 (mixed mode) network, with offices in UK, USA and Germany. Within the active directory structure, (single domain) there are separate OUs for each of the sites with delegated controls. This means that a certain user at each of the locations has permissions for local admin tasks (adding users, resetting passwords etc.). At each location there are two Domain Controllers, and all six DCs appear in the built-in "Domain Controllers" OU. I want a local user at each location to have pretty much unrestricted control of DCs at their location, but not to have control of the DCs for which they are not responsible. Obviously, if the user is a member of the Domain Admins Group, they can do anything to any DC. Within the built-in "Domain Controllers" OU I have created further OUs called "US DCs", "UK DCs" and "Germany DCs" and then moved the relevant DCs into those OUs - but now I am stuck!

Is there an easy way to grant a user admin priveleges to one (or two) DCs, without having access to the others?

Thanks Guys.
0
cazzer
Asked:
cazzer
  • 3
  • 3
1 Solution
 
cfairleyCommented:
What you are trying to accomplish can only be done by creating multiple domains.  All DCs in a domain share the same information.  Matter of fact, they share the same group policy, "Default Domain Controller Policy".  Putting the DCs in separate OUs is asking for trouble.  If I'm wrong, I'm sure someone will correct me.

By the way, just to make sure I understand you correctly, what exactly do you want the local admins to do on their DC that you don't want done to the other DCs?

Thanks,
0
 
cazzerAuthor Commented:
I know that DCs share the same Policy, but as I have put extra OUs within the default domain controllers OU, I am able to apply specific policies to specific DCs. It is sort of working now, but it's not very elegant - I can't help thinking there must be a better solution. Perhaps there isn't.
0
 
cfairleyCommented:
I agree, there probably isn't a better way.  Even though you have different policies on your DCs, you could cause a conflict if your not careful.  For example, most of the settings in the security settings section of GPs apply to the domain as a whole regardless of how you might configure each DC.  A classic example is the password settings.  You cannot have a different password length for various DCs, but on the other hand, you can have event logging setup differently for each DC.  You are just going to have to be very careful in what you change.


0
What does it mean to be "Always On"?

Is your cloud always on? With an Always On cloud you won't have to worry about downtime for maintenance or software application code updates, ensuring that your bottom line isn't affected.

 
cazzerAuthor Commented:
Yes, password policies are domain-wide. I have been able to achieve what I wanted, but as you say, there could be problems down the line. I think I'll revert to standard and supply the other sites another server on which to run exchange (currently on one of the DCs), delegate exchange control, and remove the remote useres from the domain admins group.
0
 
cfairleyCommented:
Sounds like a plan to me!  I'm glad my two cents were helpful.
0
 
cazzerAuthor Commented:
Yes, Thanks cfairley. I'll leave it open for any other comments for a couple of days.
0

Featured Post

New feature and membership benefit!

New feature! Upgrade and increase expert visibility of your issues with Priority Questions.

  • 3
  • 3
Tackle projects and never again get stuck behind a technical roadblock.
Join Now