Solved

Active Directory Role Based Admin

Posted on 2006-06-15
6
332 Views
Last Modified: 2010-04-18
First let me set up our scenario so you will get a better picture of what I'm attempting to do.  

Recently we have restructured, both our company and our parent company.
As such, we've had to change some companies around, not to mention users.  I am now responsible for something I didn't invent and have had a heck of a time finding out the who, what, where, why, and why nots....if you know what I mean.  I'm needing to do some changing and wanted to run this by the experts first before I go and change things.   An overview first.  Our parent company is made up of many divisions.  We're in, say, division B.  The divisions are separated physically, so there isn't a problem with this top level tree with many forests.  Our division B is made up of around 20 individual companies.  We have too many chiefs....rather....we have too many hands in the cookie jar, also known as the domain admins group.....but for a good reason.  Individual companies need to handle their own sites.  We need to limit the domain admins to just one or two people in that group and keep the administrator account totally inaccessible.  

Since each company is just an OU within the domain, I'm thinking about role based administration...particularly Authorization Manager.  I would create a site administrator with access to all aspects of that particular company and its associated OUs, be it computers, users, policies, etc...  Add the IT Manager or help desk personnel at that company responsible for maintaining that site and pull those people out of the domain admin group.

Does this sound like a viable alternative to giving 20-something people in each site membership in the global domain admin group?  Too many hands in the cookie jar, and my next project is group policies....   really.

All comments are appreciated and will give this one 500 points just because I appreciate the extra set of minds working on this.

Regards,
TIA_IT
0
Question by:TIA_IT
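As an added example, not part of the original question: the first thing to do before pulling people out of Domain Admins is to know exactly who holds it today, nested groups included. The script below walks the group with plain ADSI (no AD module needed on a 2003-era domain) and flags every holder who is not on an approved list; the approved account names are assumptions.

```powershell
# Added example, not from the thread: list every account that currently holds
# Domain Admins (expanding nested groups) and flag anyone not on an approved list.
# Assumption: the intended one or two holders are "administrator" and "ad-break-glass".
$Approved = @("administrator", "ad-break-glass")

$rootDse = [ADSI]"LDAP://RootDSE"
$domainDn = [string]$rootDse.defaultNamingContext          # e.g. DC=corp,DC=example
$domainAdminsDn = "CN=Domain Admins,CN=Users,$domainDn"

function Expand-GroupMembers {
    # Returns the non-group objects reachable from $GroupDn, following nested groups.
    param([string]$GroupDn, [hashtable]$Seen)
    $group = [ADSI]"LDAP://$GroupDn"
    foreach ($memberDn in @($group.member)) {
        if ($Seen.ContainsKey($memberDn)) { continue }    # guard against circular nesting
        $Seen[$memberDn] = $true
        $member = [ADSI]"LDAP://$memberDn"
        if (@($member.objectClass) -contains "group") {
            Expand-GroupMembers -GroupDn $memberDn -Seen $Seen
        } else {
            $member
        }
    }
}

$holders = @(Expand-GroupMembers -GroupDn $domainAdminsDn -Seen @{})
"{0} object(s) effectively hold Domain Admins:" -f $holders.Count
foreach ($h in $holders) {
    $sam = [string]$h.sAMAccountName
    $status = if ($Approved -contains $sam) { "approved" } else { "REVIEW" }
    "{0,-9} {1,-24} {2}" -f $status, $sam, ([string]$h.distinguishedName)
}
```

Rows marked REVIEW are the candidates to move into per-company admin groups; rerunning the script after the clean-up is the check that membership really shrank to the intended holders.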
6 Comments
 
LVL 48

Accepted Solution

by:
Jay_Jay70 earned 500 total points
ID: 16916334
I agree that limiting membership to that domain admins group is crucial.

You may also want to have a look at delegation in AD:
http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/directory/activedirectory/stepbystep/ctrlwiz.mspx

0
 
LVL 7

Expert Comment

by:life_j
ID: 16916981
You can move all the computers into a particular OU and give the site admin local admin rights on those PCs,
or you can just give local admin rights on all the PCs. This would be really helpful for him when resolving any problems for his site users.

To make local administrators on an OU's PCs: create a new group policy -> Computer Configuration -> Windows Settings -> Restricted Groups -> Administrators, and add the user as a member.
0
 

Author Comment

by:TIA_IT
ID: 16917029
I checked out the delegation wizard.  I like.   I'm wondering what the pros/cons of Role Based vs. Delegate Control are.  They seem to work similarly, but at this time I do have some sites that are still Windows 2000, which restricts me to XML vice AD for the authorization stores.    I can't raise the functional level of the domain to 2003 just as of yet.    Delegation Wizard just might do the trick.   Comments?
0
 
LVL 48

Expert Comment

by:Jay_Jay70
ID: 16917036
Delegation of control lets you get down to the nitty gritty and gives you a stack of control as far as administration goes. This is what we use in a national network; you don't have to give admin privileges to anyone, yet they can still perform tasks......i.e., an IT member in sub.domain.com has permissions to get up into domain.com and change passwords etc., yet they can't create or delete users.....a very efficient and secure way of doing things.
0
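As an added example that is not part of the thread, this is what the delegation Jay_Jay70 describes (help desk staff in one company can reset passwords for users in their own OU but cannot create or delete users) looks like when applied with the System.DirectoryServices classes instead of the Delegation of Control wizard, which writes the same two ACEs. The domain, OU and group names are assumptions.

```powershell
# Added example, not from the thread: grant one company's help-desk group the
# "Reset Password" right on user objects under that company's OU, and nothing else,
# so its members can leave Domain Admins.
# Assumptions: domain corp.example, OU "Site B", group CORP\SiteB-HelpDesk.
param(
    [string]$OuDn     = "OU=Site B,DC=corp,DC=example",
    [string]$GroupSam = "CORP\SiteB-HelpDesk"
)

# Schema GUIDs that are the same in every AD forest.
$userClass  = [Guid]"bf967aba-0de6-11d0-a285-00aa003049e2"   # user object class
$resetPwd   = [Guid]"00299570-246d-11d0-a768-00aa006e0529"   # Reset Password control access right
$pwdLastSet = [Guid]"bf967a0a-0de6-11d0-a285-00aa003049e2"   # pwdLastSet attribute

$account = New-Object System.Security.Principal.NTAccount($GroupSam)
$sid     = $account.Translate([System.Security.Principal.SecurityIdentifier])
$allow   = [System.Security.AccessControl.AccessControlType]::Allow
# Descendents + user class: the ACE applies only to user objects below the OU,
# not to the OU itself and not to computers or groups in it.
$toUsers = [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents

# Reset Password is an extended right, so ObjectType carries the right's GUID.
$resetRule = New-Object System.DirectoryServices.ActiveDirectoryAccessRule -ArgumentList @(
    $sid, [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight, $allow,
    $resetPwd, $toUsers, $userClass)
# Writing pwdLastSet is what lets them tick "user must change password at next logon".
$pwdRule = New-Object System.DirectoryServices.ActiveDirectoryAccessRule -ArgumentList @(
    $sid, [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty, $allow,
    $pwdLastSet, $toUsers, $userClass)

$ou = [ADSI]"LDAP://$OuDn"
$ou.ObjectSecurity.AddAccessRule($resetRule)
$ou.ObjectSecurity.AddAccessRule($pwdRule)
$ou.CommitChanges()

# Read the ACL back: the group should hold exactly these two ACEs on the OU and
# no CreateChild/DeleteChild, which is the "can't create or delete users" part.
$ou.ObjectSecurity.GetAccessRules($true, $false, [System.Security.Principal.SecurityIdentifier]) |
    Where-Object { $_.IdentityReference -eq $sid } |
    Select-Object ActiveDirectoryRights, ObjectType, InheritedObjectType, AccessControlType
```

Run it as a Domain Admin once per company OU; the read-back at the end doubles as the audit query you can rerun later to confirm nobody has widened the delegation.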
 

Author Comment

by:TIA_IT
ID: 16917070
Thanks Jay Jay.  I like the delegation wizard better than the authorization manager after reading the link you provided.  I also checked out some of your solutions while I was at it.  Wow, I just joined this thing and you have a bazillion points.   Here's 500 more.   Take care.   TIA
0
 
LVL 48

Expert Comment

by:Jay_Jay70
ID: 16917080
:) Delegation is a good option for what you are trying to do. I am sure it will work out for you; it's actually a tool that is not used as often as it could and probably should be.

Thanks for your comments :) I have been active here for 6 months or so, bit of fun and it's nice being able to help :)

all the best to you and good luck

James
0
