Solved

Different Admins for Different DCs (Group Policy question)

Posted on 2004-08-11 | 185 Views | Last Modified: 2013-12-04
I am running a Windows 2003 (mixed mode) network, with offices in UK, USA and Germany. Within the active directory structure, (single domain) there are separate OUs for each of the sites with delegated controls. This means that a certain user at each of the locations has permissions for local admin tasks (adding users, resetting passwords etc.). At each location there are two Domain Controllers, and all six DCs appear in the built-in "Domain Controllers" OU. I want a local user at each location to have pretty much unrestricted control of DCs at their location, but not to have control of the DCs for which they are not responsible. Obviously, if the user is a member of the Domain Admins Group, they can do anything to any DC. Within the built-in "Domain Controllers" OU I have created further OUs called "US DCs", "UK DCs" and "Germany DCs" and then moved the relevant DCs into those OUs - but now I am stuck!

Is there an easy way to grant a user admin privileges to one (or two) DCs, without having access to the others?

Thanks Guys.
Question by: cazzer

6 Comments

Expert Comment by: cfairley (LVL 11)
What you are trying to accomplish can only be done by creating multiple domains.  All DCs in a domain share the same information.  Matter of fact, they share the same group policy, "Default Domain Controller Policy".  Putting the DCs in separate OUs is asking for trouble.  If I'm wrong, I'm sure someone will correct me.

By the way, just to make sure I understand you correctly, what exactly do you want the local admins to do on their DC that you don't want done to the other DCs?

Thanks,

Author Comment by: cazzer (LVL 1)
I know that DCs share the same Policy, but as I have put extra OUs within the default domain controllers OU, I am able to apply specific policies to specific DCs. It is sort of working now, but it's not very elegant - I can't help thinking there must be a better solution. Perhaps there isn't.

Expert Comment by: cfairley (LVL 11)
I agree, there probably isn't a better way.  Even though you have different policies on your DCs, you could cause a conflict if you're not careful.  For example, most of the settings in the security settings section of GPs apply to the domain as a whole regardless of how you might configure each DC.  A classic example is the password settings.  You cannot have a different password length for various DCs, but on the other hand, you can have event logging set up differently for each DC.  You are just going to have to be very careful in what you change.
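The per-site sub-OU layout from the question, together with the distinction cfairley draws above between domain-wide account policy and settings that may legitimately differ per DC, as an added PowerShell example. This is not code from the original thread; it uses the current ActiveDirectory and GroupPolicy modules rather than the 2003-era tools, and the domain, DC names, OU names, GPO names and the log-size value are all assumptions. One caveat the thread only implies: an ACL on a DC's computer object or on its OU governs the directory object only. It does not make anyone an administrator of that DC, because DCs have no per-machine local Administrators group, only the domain's built-in Administrators.

```powershell
# Added example, not from the original thread.  Builds per-site sub-OUs under
# the Domain Controllers OU, moves the DCs, links one GPO per site, and sets a
# per-DC value that is safe to vary (Security event log size).  Requires the
# RSAT ActiveDirectory and GroupPolicy modules and a Domain Admin account.
# All names below (domain, OUs, DCs, GPOs) are assumptions.
Import-Module ActiveDirectory
Import-Module GroupPolicy

$domainDN = (Get-ADDomain).DistinguishedName          # e.g. DC=example,DC=com
$dcOU     = "OU=Domain Controllers,$domainDN"

# Site sub-OU -> DCs that belong in it (assumed hostnames).
$sites = @{
    'UK DCs'      = @('UK-DC1', 'UK-DC2')
    'US DCs'      = @('US-DC1', 'US-DC2')
    'Germany DCs' = @('DE-DC1', 'DE-DC2')
}

foreach ($siteOU in $sites.Keys) {
    $ouDN = "OU=$siteOU,$dcOU"

    # Create the sub-OU once; protecting it avoids an accidental delete that
    # would drop the DCs out of their GPO scope.
    $existing = Get-ADOrganizationalUnit -Filter "Name -eq '$siteOU'" `
                    -SearchBase $dcOU -SearchScope OneLevel
    if (-not $existing) {
        New-ADOrganizationalUnit -Name $siteOU -Path $dcOU -ProtectedFromAccidentalDeletion $true
    }

    # Move each DC's computer object into its site sub-OU if it is not already there.
    foreach ($dc in $sites[$siteOU]) {
        $computer = Get-ADComputer -Identity $dc
        if ($computer.DistinguishedName -ne "CN=$dc,$ouDN") {
            Move-ADObject -Identity $computer.DistinguishedName -TargetPath $ouDN
        }
    }

    # One GPO per site, linked to the sub-OU.  The DCs still inherit the
    # Default Domain Controllers Policy from the parent OU.
    $gpoName = "DC Settings - $siteOU"
    $gpo = Get-GPO -Name $gpoName -ErrorAction SilentlyContinue
    if (-not $gpo) { $gpo = New-GPO -Name $gpoName }
    $linked = (Get-GPInheritance -Target $ouDN).GpoLinks.DisplayName
    if (-not ($linked -contains $gpoName)) {
        New-GPLink -Name $gpoName -Target $ouDN -LinkEnabled Yes | Out-Null
    }

    # A setting that can differ per DC: maximum Security log size (KB).  This is
    # the registry-backed Administrative Template policy
    # "Windows Components > Event Log Service > Security > Specify the maximum log file size (KB)".
    Set-GPRegistryValue -Name $gpoName `
        -Key 'HKLM\SOFTWARE\Policies\Microsoft\Windows\EventLog\Security' `
        -ValueName 'MaxSize' -Type DWord -Value 1048576 | Out-Null
}

# Account policies (password length/age, lockout, Kerberos) are domain-wide: DCs
# read them from the GPO linked at the domain root (normally Default Domain
# Policy), never from a GPO linked to these sub-OUs.  Show the effective values
# so nobody expects a per-site GPO to change them.
Get-ADDefaultDomainPasswordPolicy |
    Select-Object MinPasswordLength, MaxPasswordAge, LockoutThreshold, ComplexityEnabled
```

Run it once from a management host as a Domain Admin; it is idempotent, so re-running after adding a DC only moves the new object and leaves existing OUs and links alone. Anything placed in the Account Policies section of a per-site GPO is silently ignored by the DCs, which is the conflict cfairley warns about.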

Author Comment by: cazzer (LVL 1)
Yes, password policies are domain-wide. I have been able to achieve what I wanted, but as you say, there could be problems down the line. I think I'll revert to standard and supply the other sites another server on which to run Exchange (currently on one of the DCs), delegate Exchange control, and remove the remote users from the Domain Admins group.

Accepted Solution by: cfairley (LVL 11, earned 250 total points)
Sounds like a plan to me!  I'm glad my two cents were helpful.

Author Comment by: cazzer (LVL 1)
Yes, Thanks cfairley. I'll leave it open for any other comments for a couple of days.