Solved

Different Admins for Different DCs (Group Policy question)

Posted on 2004-08-11
6
187 Views
Last Modified: 2013-12-04
I am running a Windows 2003 (mixed mode) network, with offices in UK, USA and Germany. Within the active directory structure, (single domain) there are separate OUs for each of the sites with delegated controls. This means that a certain user at each of the locations has permissions for local admin tasks (adding users, resetting passwords etc.). At each location there are two Domain Controllers, and all six DCs appear in the built-in "Domain Controllers" OU. I want a local user at each location to have pretty much unrestricted control of DCs at their location, but not to have control of the DCs for which they are not responsible. Obviously, if the user is a member of the Domain Admins Group, they can do anything to any DC. Within the built-in "Domain Controllers" OU I have created further OUs called "US DCs", "UK DCs" and "Germany DCs" and then moved the relevant DCs into those OUs - but now I am stuck!

Is there an easy way to grant a user admin priveleges to one (or two) DCs, without having access to the others?

Thanks Guys.
0
Comment
Question by:cazzer
  • 3
  • 3
6 Comments
 
LVL 11

Expert Comment

by:cfairley
ID: 11772008
What you are trying to accomplish can only be done by creating multiple domains.  All DCs in a domain share the same information.  Matter of fact, they share the same group policy, "Default Domain Controller Policy".  Putting the DCs in separate OUs is asking for trouble.  If I'm wrong, I'm sure someone will correct me.

By the way, just to make sure I understand you correctly, what exactly do you want the local admins to do on their DC that you don't want done to the other DCs?

Thanks,
0
 
LVL 1

Author Comment

by:cazzer
ID: 11781295
I know that DCs share the same Policy, but as I have put extra OUs within the default domain controllers OU, I am able to apply specific policies to specific DCs. It is sort of working now, but it's not very elegant - I can't help thinking there must be a better solution. Perhaps there isn't.
0
 
LVL 11

Expert Comment

by:cfairley
ID: 11782217
I agree, there probably isn't a better way.  Even though you have different policies on your DCs, you could cause a conflict if your not careful.  For example, most of the settings in the security settings section of GPs apply to the domain as a whole regardless of how you might configure each DC.  A classic example is the password settings.  You cannot have a different password length for various DCs, but on the other hand, you can have event logging setup differently for each DC.  You are just going to have to be very careful in what you change.


0
Ransomware-A Revenue Bonanza for Service Providers

Ransomware – malware that gets on your customers’ computers, encrypts their data, and extorts a hefty ransom for the decryption keys – is a surging new threat.  The purpose of this eBook is to educate the reader about ransomware attacks.

 
LVL 1

Author Comment

by:cazzer
ID: 11782242
Yes, password policies are domain-wide. I have been able to achieve what I wanted, but as you say, there could be problems down the line. I think I'll revert to standard and supply the other sites another server on which to run exchange (currently on one of the DCs), delegate exchange control, and remove the remote useres from the domain admins group.
0
 
LVL 11

Accepted Solution

by:
cfairley earned 250 total points
ID: 11782319
Sounds like a plan to me!  I'm glad my two cents were helpful.
0
 
LVL 1

Author Comment

by:cazzer
ID: 11782405
Yes, Thanks cfairley. I'll leave it open for any other comments for a couple of days.
0

Featured Post

Ransomware: The New Cyber Threat & How to Stop It

This infographic explains ransomware, type of malware that blocks access to your files or your systems and holds them hostage until a ransom is paid. It also examines the different types of ransomware and explains what you can do to thwart this sinister online threat.  

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

This is a guide to the following problem (not exclusive but here) on Windows: Users need our support and we supporters often use global administrative accounts to do this. Using these accounts safely is a real challenge. Any admin who takes se…
In a recent article here at Experts Exchange (http://www.experts-exchange.com/articles/18880/PaperPort-14-in-Windows-10-A-First-Look.html), I discussed my nine-month sandbox testing of the Windows 10 Technical Preview, specifically with respect to r…
This Micro Tutorial will teach you how to censor certain areas of your screen. The example in this video will show a little boy's face being blurred. This will be demonstrated using Adobe Premiere Pro CS6.
With Secure Portal Encryption, the recipient is sent a link to their email address directing them to the email laundry delivery page. From there, the recipient will be required to enter a user name and password to enter the page. Once the recipient …

809 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question