NT 4 to 2000 migration: AD delegation help

Posted on 2004-08-29
Last Modified: 2010-04-14
Migrating an NT 4 single master domain to 2003 w/ AD as a single domain model: delegation questions.

Looks like we're finally going to upgrade from NT4 to 2000 w/ Active Directory.

As an admin for a small branch of a much larger enterprise, I need to make sure I can keep my mystical admin powers in regards to managing local resources, but preferably I'd like to come out ahead, as it's too much work now the way things are centralized.

Our NT enterprise is based on a single master domain model. Users and global groups are kept in the master, and dotted around are a dozen resource domains representing branch offices.

As an admin of a resource domain, I control the PCs and my own PDC/file server.

We will be migrating to a single domain model for Windows 2000. But some of the staff in our head office influencing the migration may be poorly conceptualizing this migration and are not recognizing Active Directory's ability to delegate, and I'm worried they may centralize things too much:
i.e. as an admin of a resource domain, I must give HQ a call to add users to the domain, change groups, unlock or reset user accounts... but at least I can join PCs to the domain, and, uh..., well that's about it. Things could get more difficult if this isn't planned right.

I'm poorly trained in the Windows 2000 domain model structure myself, so I need to know how to present my case.

I want to be able to:
-create global groups (probably won't get this)
-add users to global groups (probably won't get this either)
-unlock/reset passwords
-join machines and resources to the domain
-do cool things with Active Directory like deploy MSIs and make system-wide changes to workstations (instead of using VB script/WMI/Perl/psexec)

Question by:Marketing_Insists
LVL 51

Accepted Solution

Netman66 earned 250 total points
ID: 11928367
In your domain model, it should be engineered with the root of the forest at head office. All the resource domains should become DCs in this domain. OUs should be used for each office, and delegation should be run to give you full privileges to your OU. This will allow you to do all the above as long as it is only in your OU. You will have no rights beyond your own OU.

So this would be a single forest, single domain model.

LVL 95

Expert Comment

by:Lee W, MVP
ID: 11928586
Netman's right on.

As long as the head office creates a separate OU for your site and delegates you as an admin of that OU, you'll have the ability to create users, groups, GPOs, reset passwords (for the users contained in the OU), just about everything you need to manage your location. And you won't be able to touch any other OUs.
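Added example, not part of the thread: what the OU delegation that Netman66 and Lee W describe looks like when set with PowerShell rather than the Delegation of Control wizard. It grants an assumed branch group (CORP\Branch01 Admins) create/delete and full control over user and computer objects under an assumed OU (OU=Branch01,DC=corp,DC=example), which includes password reset and unlock, and then checks that no ACE for that group exists at the domain root. The OU, domain and group names are assumptions; the schema and control-access-right GUIDs are the fixed well-known values. Group management is left commented out, since that is the part HQ is expected to withhold.

```powershell
# Added example (not from the thread). Delegate one branch OU to one branch admin
# group: full control of user and computer objects beneath the OU, nothing above it.
# Assumed names: domain corp.example, OU Branch01, group "Branch01 Admins".
# Run with Domain Admin rights where the RSAT ActiveDirectory module is installed.
Import-Module ActiveDirectory

$ouDN  = 'OU=Branch01,DC=corp,DC=example'
$group = Get-ADGroup -Identity 'Branch01 Admins'
$sid   = [System.Security.Principal.SecurityIdentifier] $group.SID

# Well-known schema class and control-access-right GUIDs (identical in every forest).
$userClass     = [Guid] 'bf967aba-0de6-11d0-a285-00aa003049e2'   # user
$groupClass    = [Guid] 'bf967a9c-0de6-11d0-a285-00aa003049e2'   # group
$computerClass = [Guid] 'bf967a86-0de6-11d0-a285-00aa003049e2'   # computer
$resetPassword = [Guid] '00299570-246d-11d0-a768-00aa006e0529'   # "Reset Password" right
$anyObject     = [Guid]::Empty

$createDelete = [System.DirectoryServices.ActiveDirectoryRights] 'CreateChild, DeleteChild'
$fullControl  = [System.DirectoryServices.ActiveDirectoryRights]::GenericAll
$extRight     = [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight
$thisAndBelow = [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All
$belowOnly    = [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents
$allow        = [System.Security.AccessControl.AccessControlType]::Allow

function New-BranchAce {
    # ObjectType: the class being created or the right being granted.
    # InheritedObjectType: the descendant class the ACE applies to (Empty = any).
    param($Rights, [Guid]$ObjectType, $Inheritance, [Guid]$InheritedObjectType)
    New-Object -TypeName System.DirectoryServices.ActiveDirectoryAccessRule `
        -ArgumentList @($sid, $Rights, $allow, $ObjectType, $Inheritance, $InheritedObjectType)
}

$aces = @(
    # Create/delete user and computer objects anywhere under the OU (covers domain joins).
    New-BranchAce $createDelete $userClass     $thisAndBelow $anyObject
    New-BranchAce $createDelete $computerClass $thisAndBelow $anyObject
    # Full control of the user and computer objects that live there. Unlocking is a
    # property write (clearing lockoutTime) and is covered by GenericAll.
    New-BranchAce $fullControl  $anyObject     $belowOnly    $userClass
    New-BranchAce $fullControl  $anyObject     $belowOnly    $computerClass
    # Reset Password is already inside GenericAll; kept as its own ACE because it is
    # the one to retain if HQ cuts the branch group back to password resets only.
    New-BranchAce $extRight     $resetPassword $belowOnly    $userClass
)
# Group management, the part the question expects HQ to withhold. Uncomment to grant.
# $aces += New-BranchAce $createDelete $groupClass $thisAndBelow $anyObject
# $aces += New-BranchAce $fullControl  $anyObject  $belowOnly    $groupClass

$acl = Get-Acl -Path "AD:\$ouDN"
foreach ($ace in $aces) { $acl.AddAccessRule($ace) }
Set-Acl -Path "AD:\$ouDN" -AclObject $acl

# Verify the result on the OU ...
(Get-Acl -Path "AD:\$ouDN").Access |
    Where-Object { $_.IdentityReference -like '*Branch01 Admins' } |
    Format-Table ActiveDirectoryRights, ObjectType, InheritanceType, InheritedObjectType -AutoSize

# ... and confirm nothing for the branch group leaked onto the domain head.
(Get-Acl -Path 'AD:\DC=corp,DC=example').Access |
    Where-Object { $_.IdentityReference -like '*Branch01 Admins' }   # expect no output
```

The check at the end is the one worth keeping in a runbook: a delegation is only "OU-scoped" if the ACEs sit on that OU and nowhere above it, and the wizard makes it easy to run against the wrong container.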

Assisted Solution

althomas101 earned 250 total points
ID: 11932961
Delegation based on OU is only related to Active Directory. If you know NetWare, this is the same as NDS rights vs. file system rights. Just because you are delegated authority over your OU, you do not gain administrative rights to your workstations and servers, especially domain controllers. Unless given local admin rights to your workstations and member servers, you will just be another domain user. In fact you will not even be able to log on to your servers. Domain controllers take this to another level since they have no local Administrators group.
Now you are talking about a complex domain controller policy for each remote location that you want to delegate. A better design is to have the remote locations as a sub-domain of the master's. By the way, in a single domain any administrator can elevate himself to enterprise (security loophole).

Author Comment

ID: 11934369
There is a strong consensus where I work to strongly restrict branch admins ability to create and manage groups and users.

If branches were sub-domains, could admins have all the rights and privileges of a sub-domain administrator minus the ability to manage users? (Doesn't make sense, but it's my reality.)

Author Comment

ID: 11938233
-just verifying:
Even if I'm delegated the rights to my OU with workstations, users, etc. in that OU, I may not have the necessary rights to control it as I would as an admin of an NT 4 resource domain?

The Win2k workstations/servers I have now are delegated to me via placing the privileged global group I'm a member of (MyDomain\ThisBranch Admins) in the local Administrators group of those machines.  The same can't be done with the DC?
LVL 51

Expert Comment

ID: 11938322
No. A Domain Admin is a Domain Admin; you'll actually have more rights than a delegated role.

As for the comments above, if you are delegated as an admin of your OU, the next step for the powers above is to use the same quasi-admin group you're in and add them to the local admin groups, as well as allow local login to the console of the server. If they feel it necessary, they can remove the create/delete group object from your admin group, but you wouldn't be able to add any new users to any group at all.

As long as you are delegated rights correctly to the OU you will manage, you can do whatever is necessary to support your office. As far as them worrying about groups: you'll only be able to create them in your OU. You will NOT be able to add them to any groups higher in the AD that would give them more rights than just in the OU. They're being a little paranoid here.
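Added example, not from the thread: the second step Netman66 describes (put the branch admin group into the local Administrators group on the branch's member machines), written so that it honours althomas101's caveat. Domain controllers carry no local Administrators group, so they are filtered out by primaryGroupID and reported rather than touched; rights on a DC have to come from a built-in domain group or a DC policy, which is the Server Operators / Account Operators discussion that follows. The OU and group names are assumptions, and the targets are assumed to accept remote PowerShell. The "Allow log on locally" right Netman66 also mentions is a user-rights assignment set by GPO and is not covered here.

```powershell
# Added example (not from the thread). Add the branch admin group to the local
# Administrators group of every member server/workstation in the branch OU.
# Assumed names: OU Branch01 in corp.example, group CORP\Branch01 Admins.
# Needs the RSAT ActiveDirectory module locally and WinRM on the targets.
Import-Module ActiveDirectory

$ouDN     = 'OU=Branch01,DC=corp,DC=example'
$adminGrp = 'CORP\Branch01 Admins'

# primaryGroupID 516 = Domain Controllers, 521 = read-only DCs. They have no local
# SAM group to add to, so they are excluded here and only listed.
$computers = Get-ADComputer -SearchBase $ouDN -Filter * -Properties primaryGroupID
$dcs       = $computers | Where-Object { $_.primaryGroupID -in 516, 521 }
$members   = $computers | Where-Object { $_.primaryGroupID -notin 516, 521 }

if ($dcs) {
    Write-Host "Skipping domain controllers (no local Administrators group): $($dcs.Name -join ', ')"
}
if (-not $members) {
    Write-Host "No member servers or workstations found under $ouDN"
    return
}

$results = Invoke-Command -ComputerName $members.DNSHostName -ArgumentList $adminGrp -ScriptBlock {
    param($grp)
    # Idempotent: only add when the group is not already a member.
    $current = (Get-LocalGroupMember -Group 'Administrators').Name
    $added = $false
    if ($grp -notin $current) {
        Add-LocalGroupMember -Group 'Administrators' -Member $grp
        $added = $true
    }
    [pscustomobject]@{
        Host        = $env:COMPUTERNAME
        Added       = $added
        LocalAdmins = (Get-LocalGroupMember -Group 'Administrators').Name -join ', '
    }
}

# Review the resulting membership per host; anything unexpected in LocalAdmins is
# worth chasing, since local Administrators is where the real power on a member lives.
$results | Sort-Object Host | Format-Table Host, Added, LocalAdmins -AutoSize
```

Running this once per branch, from an account that is already a local administrator on the targets, gives the same end state as a Restricted Groups GPO; the GPO is the better long-term control because it re-applies the membership on every refresh, but the script shows exactly which machines the delegation reaches and which (the DCs) it cannot.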


Expert Comment

ID: 11952032
I have a conflict with what netman66 said. I did not say anything about making you a domain admin (which, he is correct, trumps delegations). Also, just by delegating authority of an OU to a regional admin group and giving them the local admin rights to the servers in conjunction with log on locally, you do not give them rights to log on to a local DC and have RIGHTS. There is no local Administrators group in which to add the regional admins group to. You have to get creative with your domain controller policies to accomplish this.
LVL 51

Expert Comment

ID: 11958196
In AD, you make them Server Operators.

Otherwise, you'll have two accounts to use: one for OU administration, one for the server administration.


Expert Comment

ID: 11973822
A better choice than Server Operators is the Account Operators group, which only gives log on locally and manage accounts rights. However, even these limited rights allow a member of this group to manage accounts anywhere in the domain.

