Solved

Different Admins for Different DCs (Group Policy question)

Posted on 2004-08-11
Last Modified: 2013-12-04
I am running a Windows 2003 (mixed mode) network, with offices in UK, USA and Germany. Within the active directory structure, (single domain) there are separate OUs for each of the sites with delegated controls. This means that a certain user at each of the locations has permissions for local admin tasks (adding users, resetting passwords etc.). At each location there are two Domain Controllers, and all six DCs appear in the built-in "Domain Controllers" OU. I want a local user at each location to have pretty much unrestricted control of DCs at their location, but not to have control of the DCs for which they are not responsible. Obviously, if the user is a member of the Domain Admins Group, they can do anything to any DC. Within the built-in "Domain Controllers" OU I have created further OUs called "US DCs", "UK DCs" and "Germany DCs" and then moved the relevant DCs into those OUs - but now I am stuck!

Is there an easy way to grant a user admin privileges to one (or two) DCs, without having access to the others?

Thanks Guys.
0
Question by:cazzer
6 Comments
 
LVL 11

Expert Comment

by:cfairley
ID: 11772008
What you are trying to accomplish can only be done by creating multiple domains.  All DCs in a domain share the same information.  Matter of fact, they share the same group policy, "Default Domain Controller Policy".  Putting the DCs in separate OUs is asking for trouble.  If I'm wrong, I'm sure someone will correct me.

By the way, just to make sure I understand you correctly, what exactly do you want the local admins to do on their DC that you don't want done to the other DCs?

Thanks,
0
 
LVL 1

Author Comment

by:cazzer
ID: 11781295
I know that DCs share the same Policy, but as I have put extra OUs within the default domain controllers OU, I am able to apply specific policies to specific DCs. It is sort of working now, but it's not very elegant - I can't help thinking there must be a better solution. Perhaps there isn't.
0
 
LVL 11

Expert Comment

by:cfairley
ID: 11782217
I agree, there probably isn't a better way.  Even though you have different policies on your DCs, you could cause a conflict if you're not careful.  For example, most of the settings in the security settings section of GPs apply to the domain as a whole regardless of how you might configure each DC.  A classic example is the password settings.  You cannot have a different password length for various DCs, but on the other hand, you can have event logging set up differently for each DC.  You are just going to have to be very careful in what you change.


0
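The approach cazzer describes (sub-OUs under "Domain Controllers", one GPO per site) and the caveat cfairley raises (Account Policies are domain-wide, event-log settings are not), as an added PowerShell example. This is editor-added code, not anything posted in the thread: it assumes the ActiveDirectory and GroupPolicy RSAT modules (which did not exist when the question was asked in 2004; the same steps were done by hand in ADUC and GPMC then), Domain Admin rights, and hypothetical DC names UKDC01/UKDC02, USDC01/USDC02 and DEDC01/DEDC02.

```powershell
# Added example, not code from the original thread. Builds per-site OUs under
# the Domain Controllers OU, moves the DCs in, links a site-specific GPO that
# carries only per-machine settings (event log size), then prints the password
# policy to show it is domain-wide no matter which OU a DC sits in.
# Assumptions: ActiveDirectory and GroupPolicy modules (RSAT; these cmdlets
# postdate the 2004 thread), Domain Admin rights, and the site/DC names below.
Import-Module ActiveDirectory
Import-Module GroupPolicy

$domain = Get-ADDomain
$dcOu   = $domain.DomainControllersContainer   # OU=Domain Controllers,DC=...

# Hypothetical site -> DC mapping; replace with the real computer names.
$sites = @{
    'UK DCs'      = @('UKDC01', 'UKDC02')
    'US DCs'      = @('USDC01', 'USDC02')
    'Germany DCs' = @('DEDC01', 'DEDC02')
}

foreach ($site in $sites.Keys) {
    $ouDn = "OU=$site,$dcOu"

    # Create the sub-OU once; protect it so a stray delete does not orphan DCs.
    $existing = Get-ADOrganizationalUnit -Filter "Name -eq '$site'" `
        -SearchBase $dcOu -SearchScope OneLevel
    if (-not $existing) {
        New-ADOrganizationalUnit -Name $site -Path $dcOu `
            -ProtectedFromAccidentalDeletion $true
    }

    # Move each DC's computer object into its site OU (safe to re-run).
    foreach ($dc in $sites[$site]) {
        $computer = Get-ADComputer -Identity $dc
        if ($computer.DistinguishedName -notlike "*,$ouDn") {
            Move-ADObject -Identity $computer.DistinguishedName -TargetPath $ouDn
        }
    }

    # One GPO per site. Keep it to machine-scoped settings such as event log
    # sizing: Account Policies (password, lockout, Kerberos) for domain accounts
    # are read only from GPOs linked at the domain root, so putting them in a
    # GPO linked here would not give this site a different password length.
    $gpoName = "DC Policy - $site"
    $gpo = Get-GPO -Name $gpoName -ErrorAction SilentlyContinue
    if (-not $gpo) {
        $gpo = New-GPO -Name $gpoName -Comment "Per-site DC settings ($site)"
    }

    # Security log maximum size in KB (Windows Components > Event Log Service > Security).
    Set-GPRegistryValue -Name $gpoName `
        -Key 'HKLM\SOFTWARE\Policies\Microsoft\Windows\EventLog\Security' `
        -ValueName 'MaxSize' -Type DWord -Value 196608 | Out-Null

    # Link the GPO to the site OU if it is not already linked.
    $links = (Get-GPInheritance -Target $ouDn).GpoLinks |
        Select-Object -ExpandProperty DisplayName
    if ($links -notcontains $gpoName) {
        New-GPLink -Name $gpoName -Target $ouDn -LinkEnabled Yes | Out-Null
    }
}

# Domain-wide settings: one answer for every DC, whichever OU it is in.
Get-ADDefaultDomainPasswordPolicy |
    Select-Object MinPasswordLength, PasswordHistoryCount, LockoutThreshold, MaxPasswordAge

# Effective link order for one site OU. The Default Domain Controllers Policy is
# inherited from the parent OU and still applies alongside the site GPO.
(Get-GPInheritance -Target "OU=UK DCs,$dcOu").InheritedGpoLinks |
    Select-Object Order, DisplayName, Enabled, Enforced
```

Run it once from a machine with RSAT as a Domain Admin; re-running it changes nothing. Two caveats worth keeping in mind. First, the site GPO only adds to what the Default Domain Controllers Policy already sets on the parent OU, and the Get-GPInheritance output at the end shows that order, so check it before changing anything security-related in the site GPO. Second, this separates policy, not trust: every DC holds a full copy of the directory database, so anyone who is an administrator on any one DC (Builtin\Administrators, Server Operators, or anyone able to run code as SYSTEM there) effectively controls the whole domain, and a per-site "DC admin" is not a security boundary.
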
 
LVL 1

Author Comment

by:cazzer
ID: 11782242
Yes, password policies are domain-wide. I have been able to achieve what I wanted, but as you say, there could be problems down the line. I think I'll revert to standard and supply the other sites another server on which to run Exchange (currently on one of the DCs), delegate Exchange control, and remove the remote users from the Domain Admins group.
0
 
LVL 11

Accepted Solution

by:cfairley (earned 250 total points)
ID: 11782319
Sounds like a plan to me!  I'm glad my two cents were helpful.
0
 
LVL 1

Author Comment

by:cazzer
ID: 11782405
Yes, Thanks cfairley. I'll leave it open for any other comments for a couple of days.
0