NT 4 to 2000  migration: AD delegation help

Posted on 2004-08-29
Medium Priority
Last Modified: 2010-04-14
Migrating an NT 4 single master domain to 2003 with AD as a single domain model - delegation questions:

Looks like we're finally going to upgrade from NT4 to 2000 /w active directory.

As an admin for a small branch of a much larger enterprise, I need to make sure I can keep my mystical admin powers in regards to managing local resources, but preferably, I'd like to come out ahead, as it's too much work now the way things are centralized.

Our NT enterprise is based on a Single Master domain model.  Users and global groups are kept in the master and dotted around are a dozen resource domains representing branches offices.

As an admin of a resource domain, I control the PCs and my own PDC/file server.

We will be migrating to a single domain model for Windows 2000.  But, some of the staff in our head office influencing the migration may be poorly conceptualizing this migration and are not recognizing Active Directory's ability to delegate and I'm worried they may centralize things too much:
i.e.: as an admin of a resource domain, I must give HQ a call to add users to the domain, change groups, unlock or reset user accounts... but at least I can join PCs to the domain, and, uh..., well that's about it.  Things could get more difficult if this isn't planned right.

I'm poorly trained in the Windows 2000 domain model structure myself, so I need to know how to present my case.

I want to be able to:
-create global groups (probably won't get this)
-add users to global groups (probably won't get this either)
-unlock/reset passwords
-join machines and resources to the domain
-do cool things with Active Directory like deploy MSIs and make system-wide changes to workstations (instead of using VB script/WMI/perl/psexec)

Question by: Marketing_Insists
LVL 51

Accepted Solution

Netman66 earned 1000 total points
ID: 11928367
In your domain model, it should be engineered with the Root of the Forest at head office.  All the resource domains should become DCs in this domain.  OUs should be used for each office and Delegation should be run to give you full privileges to your OU.  This will allow you to do all the above as long as it is only in your OU.  You will have no rights beyond your own OU.

So this would be a single forest, single domain model.

LVL 96

Expert Comment

by: Lee W, MVP
ID: 11928586
Netman's right on.

As long as the head office creates a separate OU for your site and delegates you as an admin of that OU, you'll have the ability to create users, groups, GPOs, reset passwords (for the users contained in the OU), just about everything you need to manage your location.  And you won't be able to touch any other OUs.
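The OU delegation the two answers above describe, as an added example that is not code from the thread or from any of its posters. It grants a branch admin group exactly the rights the question asks for in the branch's own OU (reset passwords, unlock accounts, join machines) and nothing above it; the OU name, group name and domain are assumed placeholders, and it needs the ActiveDirectory PowerShell module (RSAT) plus the right to change the OU's ACL. Netman66's "full privileges to your OU" would be a single GenericAll ACE with inheritance All instead of the three object-specific ACEs shown.

```powershell
# Added example (not from the thread): delegate a branch OU to a branch admin group.
# Assumed placeholders: OU 'Branch01', group 'Branch01 Admins', the current domain.
Import-Module ActiveDirectory

$domainDN  = (Get-ADDomain).DistinguishedName
$ouName    = 'Branch01'            # assumed branch OU name
$ouDN      = "OU=$ouName,$domainDN"
$groupName = 'Branch01 Admins'     # assumed delegated admin group (global security group)

# 1. Create the OU and the admin group if they are missing (safe to re-run).
if (-not (Get-ADOrganizationalUnit -Filter "distinguishedName -eq '$ouDN'")) {
    New-ADOrganizationalUnit -Name $ouName -Path $domainDN
}
if (-not (Get-ADGroup -Filter "Name -eq '$groupName'")) {
    New-ADGroup -Name $groupName -Path $ouDN -GroupScope Global -GroupCategory Security
}
$sid = (Get-ADGroup -Identity $groupName).SID

# 2. Resolve the schema and extended-right GUIDs by name, so none are hard-coded.
$rootDSE    = Get-ADRootDSE
$schemaGuid = @{}
Get-ADObject -SearchBase $rootDSE.schemaNamingContext -LDAPFilter '(schemaIDGUID=*)' `
    -Properties lDAPDisplayName, schemaIDGUID |
    ForEach-Object { $schemaGuid[$_.lDAPDisplayName] = [guid]$_.schemaIDGUID }
$rightGuid = @{}
Get-ADObject -SearchBase "CN=Extended-Rights,$($rootDSE.configurationNamingContext)" `
    -LDAPFilter '(objectClass=controlAccessRight)' -Properties displayName, rightsGuid |
    ForEach-Object { $rightGuid[$_.displayName] = [guid]$_.rightsGuid }

# 3. Build the ACEs. Every one is attached to the branch OU, so inheritance can only
#    flow downward into the branch's own objects and sub-OUs.
$adr     = [System.DirectoryServices.ActiveDirectoryRights]
$allow   = [System.Security.AccessControl.AccessControlType]::Allow
$onUsers = [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents
$all     = [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All
$acl     = Get-Acl -Path "AD:\$ouDN"

# Reset passwords: the 'Reset Password' extended right, inherited only by user objects.
$acl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $sid, $adr::ExtendedRight, $allow, $rightGuid['Reset Password'], $onUsers, $schemaGuid['user'])))

# Unlock accounts: read/write the lockoutTime attribute on user objects.
$acl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $sid, ($adr::ReadProperty -bor $adr::WriteProperty), $allow,
    $schemaGuid['lockoutTime'], $onUsers, $schemaGuid['user'])))

# Join machines: create and delete computer objects in this OU and its sub-OUs.
$acl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $sid, ($adr::CreateChild -bor $adr::DeleteChild), $allow, $schemaGuid['computer'], $all)))

Set-Acl -Path "AD:\$ouDN" -AclObject $acl

# 4. Verify: list the ACEs now held by the group. All of them live on $ouDN, which is
#    why the group gains nothing on any other OU.
(Get-Acl -Path "AD:\$ouDN").Access |
    Where-Object { $_.IdentityReference -like "*\$groupName" } |
    Format-Table ActiveDirectoryRights, ObjectType, InheritedObjectType, InheritanceType -AutoSize
```

Run it from an account that owns the OU or is a domain admin; after that the branch admin group works only through the ACEs listed by step 4, and the head office can read them back at any time to confirm that no ACE was placed higher than the branch OU.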

Assisted Solution

althomas101 earned 1000 total points
ID: 11932961
Delegation based on OU is only related to Active Directory.  If you know Netware this is the same as NDS rights vs. File System rights.   Just because you are delegated authority over your OU, you do not gain administrative rights to your workstations and servers, especially Domain Controllers.  Unless given local admin rights to your workstations and member servers you will just be another domain user. In fact you will not even be able to log on to your servers.  Domain controllers take this to another level since they have no local administrators group.
Now you are talking about a complex domain controller policy for each remote location that you want to delegate.  A better design is to have the remote locations a sub domain of the master's.  By the way in a single domain any administrator can elevate himself to enterprise. (security loophole)

Author Comment

ID: 11934369
There is a strong consensus where I work to strongly restrict branch admins ability to create and manage groups and users.

If branches were sub-domains, could admins have all the rights and privileges of a sub-domain administrator minus the ability to manage users?  (doesn't make sense, but it's my reality)

Author Comment

ID: 11938233
-just verifying:
Even if I'm delegated the rights to my OU with workstations, users, etc in that OU, I may not have the necessary rights to control it as I would as an admin of a NT 4 resource domain?

The Win2k workstations/servers I have now are delegated to me via placing the privileged global group I'm a member of (MyDomain\ThisBranch Admins) in the local Administrators group of those machines.  The same can't be done with the DC?
LVL 51

Expert Comment

ID: 11938322
No.  A Domain Admin is a Domain Admin - you'll actually have more rights than a Delegated role.

As for the comments above, if you are Delegated as an Admin of your OU the next step for the powers above is to use the same quasi-admin group you're in and add them to the local admin groups as well as allow local login to the console of the server.  If they feel it necessary, they can remove the create/delete group object from your admin group, but you wouldn't be able to add any new users to any group at all.

As long as you are delegated rights correctly to the OU you will manage, you can do whatever is necessary to support your office.  As far as them worried about groups - you'll only be able to create them in your OU.  You will NOT be able to add them to any groups higher in the AD that will give them more rights than just in the OU.  They're being a little paranoid here.


Expert Comment

ID: 11952032
I have a conflict with what netman66 said; I did not say anything about making you a domain admin (which he is correct that trumps delegations). Also, just by delegating authority of an OU to a regional admin group and giving them the local admin rights to the servers in conjunction with login locally, you do not give them rights to login to a local DC and have RIGHTS.  There is no local administrators group in which to add the regional admins group to.  You have to get creative with your domain controller policies to accomplish this.
LVL 51

Expert Comment

ID: 11958196
In AD, you make them Server Operators.

Otherwise, you'll have two accounts to use: one for OU administration, one for the server administration.


Expert Comment

ID: 11973822
A better choice than Server Operators is the Account Operators group; it only gives logon locally and manage accounts rights.  However, even these limited rights allow a member of this group to manage accounts anywhere in the Domain.
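The caveat in the last two comments is that Server Operators and Account Operators are domain-wide groups, so putting a branch group into one of them silently undoes the OU scoping. The following added example (not code from the thread or its posters) audits those built-in groups and flags any branch-scoped group nested in them. It assumes the ActiveDirectory module and that branch admin groups are named with a "Branch" prefix; both are assumptions for this example.

```powershell
# Added example (not from the thread): audit the built-in operator groups, whose rights
# apply domain-wide regardless of OU, and flag any branch group that was placed there.
# Assumed: ActiveDirectory module available; branch admin groups are named 'Branch*'.
Import-Module ActiveDirectory

$operatorGroups = 'Account Operators', 'Server Operators', 'Backup Operators', 'Print Operators'
$branchPrefix   = 'Branch'   # assumed naming convention for OU-scoped branch admin groups

$report = foreach ($g in $operatorGroups) {
    # Direct members first: a nested group is the usual way a branch group ends up here.
    $direct = @(Get-ADGroupMember -Identity $g)
    # Every user who ends up with the right, through any depth of nesting.
    $effective = @(Get-ADGroupMember -Identity $g -Recursive | Where-Object objectClass -eq 'user')

    foreach ($m in $direct) {
        $finding = ''
        if ($m.objectClass -eq 'group' -and $m.Name -like "$branchPrefix*") {
            # OU delegation scopes rights to one OU; membership here grants them domain-wide.
            $finding = 'branch group holds domain-wide operator rights'
        }
        [pscustomobject]@{
            OperatorGroup  = $g
            Member         = $m.SamAccountName
            MemberType     = $m.objectClass
            EffectiveUsers = $effective.Count
            Finding        = $finding
        }
    }
}

$report | Sort-Object OperatorGroup, Member | Format-Table -AutoSize

# Rows with a non-empty Finding are the ones to move back to an OU-scoped delegation.
$report | Where-Object Finding
```

Running this periodically from the head office gives a one-page answer to "who can manage accounts anywhere in the domain", which is the question the delegation design is meant to keep small.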
