NT 4 to 2000 migration: AD delegation help
Posted on 2004-08-29
Migrating a NT 4 single master domain to 2003 with /AD as a single domain model - delegation questions:
Looks like we're finally going to upgrade from NT4 to 2000 /w active directory.
As a admin for a small branch of a much larger enterprise, I need to make sure I can keep my mystical admin powers in regards to managing local resources., but preferably, I'd like to come out ahead, as it's to much work now the way things are centralized.
Our NT enterprise is based on a Single Master domain model. Users and global groups are kept in the master and dotted around are a dozen resource domains representing branches offices.
As an admin of a resource domain, I control the PCs and my own PDC/file server.
We will be migrating to a single domain model for windows 2000. But, some of the staff in our head office influencing the migration maybe poorly conceptualizing this migration and are not recognizing Active Directories ability to delegate and I'm worried they may centralize things to much:
ie: as a admin of a resource domain, I must give HQ a call to add users to the domain, change groups, unlock or reset user accounts....but at least I can join PCs to the domain, and, uh..., well that's about it. Things could get get more difficult if this isn't planned right.
I'm poorly trained in windows 2000 domain model structure myself, so I need to know how to present my case.
I want to be able to:
-create global groups (probably won't get this)
-add users to global groups (probably won't get this either)
-join machines and resources to the domain
-do cool things with Active Directory like deploy MSI's and make system wide changes to workstations (instead of using VB script/WMI/perl/psexec)