NT 4 to 2000 migration: AD delegation help

Migrating an NT 4 single master domain to 2003 with AD as a single domain model - delegation questions:

Looks like we're finally going to upgrade from NT4 to 2000 /w active directory.

As an admin for a small branch of a much larger enterprise, I need to make sure I can keep my mystical admin powers in regards to managing local resources, but preferably, I'd like to come out ahead, as it's too much work now the way things are centralized.

Our NT enterprise is based on a Single Master domain model.  Users and global groups are kept in the master and dotted around are a dozen resource domains representing branch offices.

As an admin of a resource domain, I control the PCs and my own PDC/file server.

We will be migrating to a single domain model for Windows 2000.  But, some of the staff in our head office influencing the migration may be poorly conceptualizing this migration and are not recognizing Active Directory's ability to delegate, and I'm worried they may centralize things too much:
i.e. as an admin of a resource domain, I must give HQ a call to add users to the domain, change groups, unlock or reset user accounts... but at least I can join PCs to the domain, and, uh..., well that's about it.  Things could get more difficult if this isn't planned right.

I'm poorly trained in the Windows 2000 domain model structure myself, so I need to know how to present my case.

I want to be able to:
-create global groups (probably won't get this)
-add users to global groups (probably won't get this either)
-unlock/reset passwords
-join machines and resources to the domain
-do cool things with Active Directory like deploy MSIs and make system-wide changes to workstations (instead of using VB script/WMI/perl/psexec)

Netman66 Commented:
In your domain model, it should be engineered with the Root of the Forest at head office.  All the resource domains should become DCs in this domain.  OUs should be used for each office and Delegation should be run to give you full privileges to your OU.  This will allow you to do all the above as long as it is only in your OU.  You will have no rights beyond your own OU.

So this would be a single forest, single domain model.

Lee W, MVP (Technology and Business Process Advisor) Commented:
Netman's right on.

As long as the head office creates a separate OU for your site and delegates you as an admin of that OU, you'll have the ability to create users, groups, GPOs, reset passwords (for the users contained in the OU), just about everything you need to manage your location.  And you won't be able to touch any other OUs.
althomas101 Commented:
Delegation based on OU is only related to Active Directory.  If you know Netware this is the same as NDS rights vs. File System rights.   Just because you are delegated authority over your OU, you do not gain administrative rights to your workstations and servers, especially Domain Controllers.  Unless given local admin rights to your workstations and member servers you will just be another domain user. In fact you will not even be able to log on to your servers.  Domain controllers take this to another level since they have no local administrators group.
Now you are talking about a complex domain controller policy for each remote location that you want to delegate.  A better design is to have the remote locations as sub-domains of the master.  By the way, in a single domain any administrator can elevate himself to enterprise (security loophole).
Marketing_Insists (Author) Commented:
There is a strong consensus where I work to strongly restrict branch admins ability to create and manage groups and users.

If branches were sub-domains, could admins have all the rights and privileges of a sub-domain administrator minus the ability to manage users?  (doesn't make sense, but it's my reality)
Marketing_Insists (Author) Commented:
-just verifying:
Even if I'm delegated the rights to my OU with workstations, users, etc in that OU, I may not have the necessary rights to control it as I would as an admin of a NT 4 resource domain?

The Win2k workstations/servers I have now are delegated to me via placing the privileged global group I'm a member of (MyDomain\ThisBranch Admins) in the local Administrators group of those machines.  The same can't be done with the DC?
No.  A Domain Admin is a Domain Admin - you'll actually have more rights than a delegated role.

As for the comments above, if you are Delegated as an Admin of your OU the next step for the powers above is to use the same quasi-admin group you're in and add them to the local admin groups as well as allow local login to the console of the server.  If they feel it necessary, they can remove the create/delete group object from your admin group, but you wouldn't be able to add any new users to any group at all.

As long as you are delegated rights correctly to the OU you will manage, you can do whatever is necessary to support your office.  As far as them worried about groups - you'll only be able to create them in your OU.  You will NOT be able to add them to any groups higher in the AD that will give them more rights than just in the OU.  They're being a little paranoid here.

I have a conflict with what netman66 said; I did not say anything about making you a domain admin (which he is correct trumps delegations); also, just by delegating authority of an OU to a regional admin group and giving them the local admin rights to the servers in conjunction with login locally, you do not give them rights to login to a local DC and have RIGHTS.  There is no local administrators group in which to add the regional admins group to.  You have to get creative with your domain controller policies to accomplish this.
In AD, you make them Server Operators.

Otherwise, you'll have two accounts to use: one for OU administration, one for the server administration.

A better choice than Server Operators is the Account Operators group; it only gives logon locally and manage accounts rights.  However, even these limited rights allow a member of this group to manage accounts anywhere in the Domain.
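As an added example (not code from the thread or from any poster) of the OU-per-office design Netman66 and Lee W describe, and of althomas101's point that Account Operators and Server Operators reach the whole domain: a PowerShell script that delegates full control of one branch OU to the branch admin group and then audits that the group's rights stop at the OU boundary. Assumed names: domain corp.example, OU Branch01, global group "Branch01 Admins".

```powershell
# Added example, not from the thread. Assumed: domain corp.example, OU Branch01,
# branch admin global group "Branch01 Admins". Requires the ActiveDirectory module.
Import-Module ActiveDirectory

$OuDn      = "OU=Branch01,DC=corp,DC=example"   # assumed branch OU
$GroupName = "Branch01 Admins"                  # assumed branch admin group

function Grant-BranchOuDelegation {
    param([string]$OuDn, [string]$GroupName)
    $group = Get-ADGroup -Identity $GroupName
    # GenericAll on the OU and everything beneath it (users, groups, computers, GPO links).
    # The ACE is written on the OU only, so the group gains nothing outside that subtree.
    $rule = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
        $group.SID,
        [System.DirectoryServices.ActiveDirectoryRights]::GenericAll,
        [System.Security.AccessControl.AccessControlType]::Allow,
        [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All)
    $acl = Get-Acl -Path "AD:\$OuDn"
    $acl.AddAccessRule($rule)
    Set-Acl -Path "AD:\$OuDn" -AclObject $acl
}

function Test-BranchDelegationScope {
    param([string]$OuDn, [string]$GroupName)
    $group    = Get-ADGroup -Identity $GroupName
    $domainDn = (Get-ADDomain).DistinguishedName
    $findings = @()

    # 1. An explicit (non-inherited) ACE for the group at the domain root means the
    #    delegation was applied too high and is no longer confined to the branch OU.
    $rootAces = (Get-Acl -Path "AD:\$domainDn").Access |
        Where-Object { $_.IdentityReference -like "*\$GroupName" -and -not $_.IsInherited }
    if ($rootAces) { $findings += "explicit ACE for '$GroupName' on the domain root" }

    # 2. Transitive nesting in built-in groups whose rights are domain-wide. Account
    #    Operators and Server Operators manage accounts/servers anywhere in the domain,
    #    so nesting the branch group there silently undoes the OU boundary.
    $nestedFilter = "(member:1.2.840.113556.1.4.1941:=$($group.DistinguishedName))"
    $parents = Get-ADGroup -LDAPFilter $nestedFilter | Select-Object -ExpandProperty Name
    foreach ($p in 'Domain Admins','Enterprise Admins','Administrators','Account Operators','Server Operators') {
        if ($parents -contains $p) { $findings += "'$GroupName' is nested in '$p' (domain-wide rights)" }
    }
    return $findings   # empty array = the group's reach stays inside its OU
}

Grant-BranchOuDelegation  -OuDn $OuDn -GroupName $GroupName
Test-BranchDelegationScope -OuDn $OuDn -GroupName $GroupName
```

Local admin on branch member servers and workstations is still a separate step (adding the same group to each machine's local Administrators group, as the author already does), since an OU ACE grants no rights on the machines themselves.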