NT 4 to 2000 migration: AD delegation help

Posted on 2004-08-29
Last Modified: 2010-04-14
Migrating an NT 4 single master domain to 2003 with AD as a single domain model - delegation questions:

Looks like we're finally going to upgrade from NT4 to 2000 /w active directory.

As an admin for a small branch of a much larger enterprise, I need to make sure I can keep my mystical admin powers in regards to managing local resources, but preferably I'd like to come out ahead, as it's too much work now the way things are centralized.

Our NT enterprise is based on a single master domain model. Users and global groups are kept in the master, and dotted around are a dozen resource domains representing branch offices.

As an admin of a resource domain, I control the PCs and my own PDC/file server.

We will be migrating to a single domain model for Windows 2000. But some of the staff in our head office influencing the migration may be poorly conceptualizing this migration and are not recognizing Active Directory's ability to delegate, and I'm worried they may centralize things too much:
i.e. as an admin of a resource domain, I must give HQ a call to add users to the domain, change groups, unlock or reset user accounts... but at least I can join PCs to the domain, and, uh..., well that's about it. Things could get more difficult if this isn't planned right.

I'm poorly trained in the Windows 2000 domain model structure myself, so I need to know how to present my case.

I want to be able to:
-create global groups (probably won't get this)
-add users to global groups (probably won't get this either)
-unlock/reset passwords
-join machines and resources to the domain
-do cool things with Active Directory like deploy MSIs and make system-wide changes to workstations (instead of using VB script/WMI/perl/psexec)

Question by:Marketing_Insists
LVL 51

Accepted Solution

Netman66 earned 250 total points
ID: 11928367
In your domain model, it should be engineered with the Root of the Forest at head office. All the resource domains should become DCs in this domain. OUs should be used for each office and Delegation should be run to give you full privileges to your OU. This will allow you to do all the above as long as it is only in your OU. You will have no rights beyond your own OU.

So this would be a single forest, single domain model.

LVL 95

Expert Comment

by:Lee W, MVP
ID: 11928586
Netman's right on.

As long as the head office creates a separate OU for your site and delegates you as an admin of that OU, you'll have the ability to create users, groups, GPOs, reset passwords (for the users contained in the OU), just about everything you need to manage your location. And you won't be able to touch any other OUs.
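The OU delegation both answers describe, written out as an added example (not code from the thread or from any of the posters). It uses the ActiveDirectory PowerShell module on a current domain controller; the domain, OU and group names are assumed placeholders, and the schema and extended-right GUIDs are the fixed values from the AD schema. It grants the branch admin group exactly the items on the asker's list (join machines, unlock and reset passwords) and makes group management an opt-in switch, since that is the right the asker expects head office to withhold.

```powershell
# Added example: delegate a branch OU to a branch admin group.
# Placeholders: corp.example domain, OU=Branch01, group "Branch01 Admins".
Import-Module ActiveDirectory
Add-Type -AssemblyName System.DirectoryServices   # ActiveDirectoryAccessRule

$BranchOU  = 'OU=Branch01,DC=corp,DC=example'   # assumed per-office OU
$GroupName = 'Branch01 Admins'                  # assumed global group (the question's "ThisBranch Admins")

# Schema class, attribute and control-access-right GUIDs referenced by the ACEs
$UserClass     = [guid]'bf967aba-0de6-11d0-a285-00aa003049e2'   # user object class
$ComputerClass = [guid]'bf967a86-0de6-11d0-a285-00aa003049e2'   # computer object class
$GroupClass    = [guid]'bf967a9c-0de6-11d0-a285-00aa003049e2'   # group object class
$MemberAttr    = [guid]'bf9679c0-0de6-11d0-a285-00aa003049e2'   # "member" attribute of a group
$ResetPassword = [guid]'00299570-246d-11d0-a768-00aa006e0529'   # "Reset Password" control access right
$LockoutTime   = [guid]'28630ebf-41d5-11d1-a9c1-0000f80367c1'   # lockoutTime attribute; writing 0 unlocks

function New-AceRule {
    # Small wrapper so each delegation below reads as one line
    param($Sid, [string]$Rights, [guid]$ObjectType, [string]$Inheritance, [guid]$InheritedObjectType)
    $r = [System.DirectoryServices.ActiveDirectoryRights]$Rights
    $i = [System.DirectoryServices.ActiveDirectorySecurityInheritance]$Inheritance
    $allow = [System.Security.AccessControl.AccessControlType]::Allow
    if ($InheritedObjectType) {
        New-Object System.DirectoryServices.ActiveDirectoryAccessRule($Sid, $r, $allow, $ObjectType, $i, $InheritedObjectType)
    } else {
        New-Object System.DirectoryServices.ActiveDirectoryAccessRule($Sid, $r, $allow, $ObjectType, $i)
    }
}

function New-BranchDelegation {
    param([string]$OU, [string]$Group, [switch]$IncludeGroupManagement)
    $sid = (Get-ADGroup -Identity $Group).SID
    $acl = Get-Acl -Path "AD:\$OU"

    $rules = @(
        # Join machines: create/delete computer objects in this OU and its sub-OUs
        New-AceRule $sid 'CreateChild, DeleteChild' $ComputerClass 'All'
        # Reset passwords on user objects under the OU only
        New-AceRule $sid 'ExtendedRight' $ResetPassword 'Descendents' $UserClass
        # Unlock accounts: read/write lockoutTime on user objects under the OU only
        New-AceRule $sid 'ReadProperty, WriteProperty' $LockoutTime 'Descendents' $UserClass
    )
    if ($IncludeGroupManagement) {
        # Create/delete groups in the OU and edit the membership of groups that live there
        $rules += New-AceRule $sid 'CreateChild, DeleteChild' $GroupClass 'All'
        $rules += New-AceRule $sid 'WriteProperty' $MemberAttr 'Descendents' $GroupClass
    }
    foreach ($rule in $rules) { $acl.AddAccessRule($rule) }
    Set-Acl -Path "AD:\$OU" -AclObject $acl
}

function Get-BranchDelegation {
    # Read back what the group actually holds on the OU; run this after delegating
    # and periodically, since it is the record of what the branch admin can do.
    param([string]$OU, [string]$Group)
    $sid = (Get-ADGroup -Identity $Group).SID
    (Get-Acl -Path "AD:\$OU").Access |
        Where-Object { $_.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]) -eq $sid } |
        Select-Object ActiveDirectoryRights, ObjectType, InheritedObjectType, InheritanceType
}

New-BranchDelegation -OU $BranchOU -Group $GroupName          # add -IncludeGroupManagement if HQ agrees
Get-BranchDelegation -OU $BranchOU -Group $GroupName | Format-Table -AutoSize
```

On the Windows 2000/2003 servers the thread is about, the same ACEs are written with dsacls from the Support Tools, for example `dsacls "OU=Branch01,DC=corp,DC=example" /I:S /G "CORP\Branch01 Admins:CA;Reset Password;user"` for the password-reset right. Every rule above is scoped to the OU or its descendants, which is what keeps the branch group from touching objects elsewhere in the domain.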

Assisted Solution

althomas101 earned 250 total points
ID: 11932961
Delegation based on OU is only related to Active Directory. If you know Netware, this is the same as NDS rights vs. file system rights. Just because you are delegated authority over your OU, you do not gain administrative rights to your workstations and servers, especially Domain Controllers. Unless given local admin rights to your workstations and member servers you will just be another domain user. In fact you will not even be able to log on to your servers. Domain controllers take this to another level since they have no local Administrators group.
Now you are talking about a complex domain controller policy for each remote location that you want to delegate. A better design is to have the remote locations as sub-domains of the master. By the way, in a single domain any administrator can elevate himself to enterprise (security loophole).

Author Comment

ID: 11934369
There is a strong consensus where I work to strongly restrict branch admins ability to create and manage groups and users.

If branches were sub-domains, could admins have all the rights and privileges of a sub-domain administrator minus the ability to manage users? (doesn't make sense, but it's my reality)

Author Comment

ID: 11938233
-just verifying:
Even if I'm delegated the rights to my OU with workstations, users, etc. in that OU, I may not have the necessary rights to control it as I would as an admin of an NT 4 resource domain?

The Win2k workstations/servers I have now are delegated to me via placing the privileged global group I'm a member of (MyDomain\ThisBranch Admins) in the local Administrators group of those machines.  The same can't be done with the DC?
LVL 51

Expert Comment

ID: 11938322
No. A Domain Admin is a Domain Admin - you'll actually have more rights than a Delegated role.

As for the comments above, if you are Delegated as an Admin of your OU, the next step for the powers above is to use the same quasi-admin group you're in and add them to the local admin groups as well as allow local login to the console of the server. If they feel it necessary, they can remove the create/delete group object from your admin group, but you wouldn't be able to add any new users to any group at all.

As long as you are delegated rights correctly to the OU you will manage, you can do whatever is necessary to support your office. As far as them being worried about groups - you'll only be able to create them in your OU. You will NOT be able to add them to any groups higher in the AD that will give them more rights than just in the OU. They're being a little paranoid here.
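The second half of Netman66's advice (put the branch admin group into the local Administrators group of the branch servers) is the piece that OU delegation does not do by itself. The following added example, which is not from the thread, reports which member machines in the branch OU already carry the group and can remediate the ones that do not. It assumes PowerShell Remoting to the targets and the Microsoft.PowerShell.LocalAccounts cmdlets (Windows Server 2016 / Windows 10 and later); domain, OU and group names are placeholders.

```powershell
# Added example: audit (and optionally enforce) the branch admin group's
# membership in local Administrators on member machines under the branch OU.
Import-Module ActiveDirectory

$BranchOU   = 'OU=Branch01,DC=corp,DC=example'   # assumed per-office OU
$AdminGroup = 'CORP\Branch01 Admins'             # assumed group, DOMAIN\name form as local groups show it

function Get-BranchMemberServers {
    param([string]$OU)
    # Domain controllers have no local Administrators group, so they are excluded;
    # their console access is a separate question (built-in operator groups or a DC policy).
    $dcNames = (Get-ADDomainController -Filter *).Name
    Get-ADComputer -SearchBase $OU -Filter 'Enabled -eq $true' |
        Where-Object { $dcNames -notcontains $_.Name } |
        Select-Object -ExpandProperty DNSHostName
}

function Test-LocalAdminDelegation {
    param([string[]]$ComputerName, [string]$Group, [switch]$Remediate)
    Invoke-Command -ComputerName $ComputerName -ArgumentList $Group, ([bool]$Remediate) -ScriptBlock {
        param($Group, $Remediate)
        $members = Get-LocalGroupMember -Group 'Administrators' | Select-Object -ExpandProperty Name
        $present = $members -contains $Group
        if (-not $present -and $Remediate) {
            Add-LocalGroupMember -Group 'Administrators' -Member $Group
            $present = $true
        }
        [pscustomobject]@{
            Computer     = $env:COMPUTERNAME
            GroupPresent = $present
            # Everything else in Administrators is where unmanaged admin rights accumulate;
            # expect only the domain's Domain Admins and the machine's own Administrator here.
            OtherMembers = ($members | Where-Object { $_ -ne $Group }) -join '; '
        }
    }
}

# Report first; re-run with -Remediate once the server list looks right.
$servers = Get-BranchMemberServers -OU $BranchOU
Test-LocalAdminDelegation -ComputerName $servers -Group $AdminGroup | Format-Table -AutoSize
```

The "allow local login to the console" part is a user-rights assignment, not group membership: it is set in a GPO linked to the branch OU (Computer Configuration > Windows Settings > Security Settings > Local Policies > User Rights Assignment), which this script deliberately does not touch. Running the report on a schedule also gives head office the evidence they want that the branch group is only an administrator where it was meant to be.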


Expert Comment

ID: 11952032
I have a conflict with what netman66 said; I did not say anything about making you a domain admin (which, he is correct, trumps delegations). Also, just by delegating authority of an OU to a regional admin group and giving them the local admin rights to the servers in conjunction with log on locally, you do not give them rights to log on to a local DC and have RIGHTS. There is no local Administrators group in which to add the regional admins group. You have to get creative with your domain controller policies to accomplish this.
LVL 51

Expert Comment

ID: 11958196
In AD, you make them Server Operators.

Otherwise, you'll have two accounts to use: one for OU administration, one for the server administration.


Expert Comment

ID: 11973822
A better choice than Server Operators is the Account Operators group; it only gives logon locally and manage accounts rights. However, even these limited rights allow a member of this group to manage accounts anywhere in the Domain.
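The caveat in that last sentence is worth checking rather than taking on faith, because it is the reason built-in operator groups are not a substitute for OU delegation. This added example (not from the thread) lists who sits in the built-in operator groups and then walks every OU in the domain to show where Account Operators holds create/delete rights; it assumes only the ActiveDirectory module on a domain-joined machine and uses no placeholder names.

```powershell
# Added example: show the domain-wide reach of the built-in operator groups.
Import-Module ActiveDirectory

function Get-OperatorGroupMembers {
    # Membership here grants rights on every DC (Server/Backup/Print Operators) or on
    # accounts across the whole domain (Account Operators), regardless of any OU delegation.
    foreach ($g in 'Account Operators', 'Server Operators', 'Print Operators', 'Backup Operators') {
        Get-ADGroupMember -Identity $g -Recursive | ForEach-Object {
            [pscustomobject]@{ Group = $g; Member = $_.SamAccountName; Type = $_.objectClass }
        }
    }
}

function Get-AccountOperatorsScope {
    # Each new OU's default security descriptor grants Account Operators create/delete
    # rights on user, group and computer objects, so the group reaches every OU,
    # not just the branch's. This enumerates where those ACEs actually exist.
    $domainDN = (Get-ADDomain).DistinguishedName
    $containers = @($domainDN) + (Get-ADOrganizationalUnit -Filter * -SearchBase $domainDN |
                                  Select-Object -ExpandProperty DistinguishedName)
    foreach ($dn in $containers) {
        $aces = (Get-Acl -Path "AD:\$dn").Access |
            Where-Object { $_.IdentityReference -like '*\Account Operators' -and
                           $_.ActiveDirectoryRights -match 'CreateChild|DeleteChild|GenericAll' }
        if ($aces) {
            [pscustomobject]@{
                Container = $dn
                Rights    = ($aces.ActiveDirectoryRights | Sort-Object -Unique) -join ', '
            }
        }
    }
}

# Anyone listed by the first command, and any branch group in it, has the scope shown by the second.
Get-OperatorGroupMembers | Format-Table -AutoSize
Get-AccountOperatorsScope | Format-Table -AutoSize
```

If the second report lists the head-office OUs alongside the branch OU, that is the point of althomas101's warning: a branch group placed in Account Operators can manage accounts in all of them. The OU-scoped delegation discussed earlier in the thread is the way to give the branch admin logon and account rights without that reach.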
