Solved

Different Admins for Different DCs (Group Policy question)

Posted on 2004-08-11
6
189 Views
Last Modified: 2013-12-04
I am running a Windows 2003 (mixed mode) network, with offices in UK, USA and Germany. Within the active directory structure, (single domain) there are separate OUs for each of the sites with delegated controls. This means that a certain user at each of the locations has permissions for local admin tasks (adding users, resetting passwords etc.). At each location there are two Domain Controllers, and all six DCs appear in the built-in "Domain Controllers" OU. I want a local user at each location to have pretty much unrestricted control of DCs at their location, but not to have control of the DCs for which they are not responsible. Obviously, if the user is a member of the Domain Admins Group, they can do anything to any DC. Within the built-in "Domain Controllers" OU I have created further OUs called "US DCs", "UK DCs" and "Germany DCs" and then moved the relevant DCs into those OUs - but now I am stuck!

Is there an easy way to grant a user admin priveleges to one (or two) DCs, without having access to the others?

Thanks Guys.
0
Comment
Question by:cazzer
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 3
  • 3
6 Comments
 
LVL 11

Expert Comment

by:cfairley
ID: 11772008
What you are trying to accomplish can only be done by creating multiple domains.  All DCs in a domain share the same information.  Matter of fact, they share the same group policy, "Default Domain Controller Policy".  Putting the DCs in separate OUs is asking for trouble.  If I'm wrong, I'm sure someone will correct me.

By the way, just to make sure I understand you correctly, what exactly do you want the local admins to do on their DC that you don't want done to the other DCs?

Thanks,
0
 
LVL 1

Author Comment

by:cazzer
ID: 11781295
I know that DCs share the same Policy, but as I have put extra OUs within the default domain controllers OU, I am able to apply specific policies to specific DCs. It is sort of working now, but it's not very elegant - I can't help thinking there must be a better solution. Perhaps there isn't.
0
 
LVL 11

Expert Comment

by:cfairley
ID: 11782217
I agree, there probably isn't a better way.  Even though you have different policies on your DCs, you could cause a conflict if your not careful.  For example, most of the settings in the security settings section of GPs apply to the domain as a whole regardless of how you might configure each DC.  A classic example is the password settings.  You cannot have a different password length for various DCs, but on the other hand, you can have event logging setup differently for each DC.  You are just going to have to be very careful in what you change.


0
Independent Software Vendors: We Want Your Opinion

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

 
LVL 1

Author Comment

by:cazzer
ID: 11782242
Yes, password policies are domain-wide. I have been able to achieve what I wanted, but as you say, there could be problems down the line. I think I'll revert to standard and supply the other sites another server on which to run exchange (currently on one of the DCs), delegate exchange control, and remove the remote useres from the domain admins group.
0
 
LVL 11

Accepted Solution

by:
cfairley earned 250 total points
ID: 11782319
Sounds like a plan to me!  I'm glad my two cents were helpful.
0
 
LVL 1

Author Comment

by:cazzer
ID: 11782405
Yes, Thanks cfairley. I'll leave it open for any other comments for a couple of days.
0

Featured Post

Independent Software Vendors: We Want Your Opinion

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

In a recent article here at Experts Exchange (http://www.experts-exchange.com/articles/18880/PaperPort-14-in-Windows-10-A-First-Look.html), I discussed my nine-month sandbox testing of the Windows 10 Technical Preview, specifically with respect to r…
Recently, I read that Microsoft has analysed statistics for their security intelligence report. It revealed: still, the clear majority of windows users do their daily work as administrator. An administrative account is a burden, security-wise. My ar…
There's a multitude of different network monitoring solutions out there, and you're probably wondering what makes NetCrunch so special. It's completely agentless, but does let you create an agent, if you desire. It offers powerful scalability …
Sometimes it takes a new vantage point, apart from our everyday security practices, to truly see our Active Directory (AD) vulnerabilities. We get used to implementing the same techniques and checking the same areas for a breach. This pattern can re…
Suggested Courses

615 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question