First let me set up our scenario so you will get a better picture of what I'm attempting to do.
Recently we have restructured, both our company and our parent company.
As such, we've had to change some companies around, not to mention users. I am now responsible for something I didn't invent and have had a heck of a time finding out the who, what, where, why, and why nots... if you know what I mean. I'm needing to do some changing and wanted to run this by the experts first before I go and change things. An overview first. Our parent company is made up of many divisions. We're in, say, division B. The divisions are separated physically, so there isn't a problem with this top-level tree with many forests. Our division B is made up of around 20 individual companies. We have too many chiefs... rather... we have too many hands in the cookie jar, also known as the domain admins group... but for a good reason. Individual companies need to handle their own sites. We need to limit the domain admins to just one or two people in that group and keep the administrator account totally inaccessible.
Since each company is just an OU within the domain, I'm thinking about role-based administration... particularly Authorization Manager. I would create a site administrator with access to all aspects for that particular company and its associated OUs, be it computer, user, policies, etc. Add the IT manager or help desk personnel at that company responsible for maintaining that site and pull those people out of the domain admin group.
Does this sound like a viable alternative to giving 20-something people in each site membership in the global domain admins group? Too many hands in the cookie jar, and my next project is group policies... really.
All comments are appreciated and will give this one 500 points just because I appreciate the extra set of minds working on this.
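The delegation described in the question, worked through as an added example (not part of the original post, and not the poster's configuration). It uses native Active Directory ACL delegation on the company OU, which is what the "Delegation of Control" wizard writes, rather than Authorization Manager; the OU path, group name and user name are assumptions, as are the domain and the ActiveDirectory PowerShell module being available on the machine it runs from.

```powershell
# Added example: delegate a company OU to a per-site admin group, give that group
# control of GPO links on the OU, and audit what is left in Domain Admins.
# OU path, group and user names are assumed placeholders, not values from the post.
Import-Module ActiveDirectory

$companyOu  = 'OU=CompanyA,OU=DivisionB,DC=corp,DC=example'   # assumed OU of one company
$siteAdmins = 'CompanyA-SiteAdmins'                            # assumed per-site admin group
$siteStaff  = 'jdoe'                                           # assumed IT manager at that site

# 1. Create the site-admin group inside the company's own OU so the delegation
#    that follows also governs who may change the group's membership.
if (-not (Get-ADGroup -Filter "Name -eq '$siteAdmins'")) {
    New-ADGroup -Name $siteAdmins -GroupScope Global -GroupCategory Security -Path $companyOu
}
$identity = [System.Security.Principal.SecurityIdentifier](Get-ADGroup $siteAdmins).SID

$acl = Get-Acl -Path "AD:\$companyOu"

# 2a. Full control over every object *inside* the OU (users, computers, groups,
#     sub-OUs) but not over the OU object itself, so site admins cannot rewrite
#     this delegation or re-link policies they were not granted.
$ruleDescendants = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $identity,
    [System.DirectoryServices.ActiveDirectoryRights]::GenericAll,
    [System.Security.AccessControl.AccessControlType]::Allow,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents)

# 2b. Right to create and delete objects directly under the OU.
$ruleCreateDelete = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $identity,
    ([System.DirectoryServices.ActiveDirectoryRights]::CreateChild -bor
     [System.DirectoryServices.ActiveDirectoryRights]::DeleteChild),
    [System.Security.AccessControl.AccessControlType]::Allow,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::None)

# 2c. "Manage Group Policy links": write access to the gPLink and gPOptions
#     attributes of the OU and its sub-OUs (the schema GUIDs the wizard uses).
$gpLinkGuid    = [Guid]'f30e3bbe-9ff0-11d1-b603-0000f80367c1'
$gpOptionsGuid = [Guid]'f30e3bbf-9ff0-11d1-b603-0000f80367c1'
$gpoRules = foreach ($attr in @($gpLinkGuid, $gpOptionsGuid)) {
    New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
        $identity,
        ([System.DirectoryServices.ActiveDirectoryRights]::ReadProperty -bor
         [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty),
        [System.Security.AccessControl.AccessControlType]::Allow,
        $attr,
        [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All)
}

$acl.AddAccessRule($ruleDescendants)
$acl.AddAccessRule($ruleCreateDelete)
foreach ($r in $gpoRules) { $acl.AddAccessRule($r) }
Set-Acl -Path "AD:\$companyOu" -AclObject $acl

# 3. Move the site's IT staff into the delegated group and out of Domain Admins.
Add-ADGroupMember    -Identity $siteAdmins      -Members $siteStaff
Remove-ADGroupMember -Identity 'Domain Admins'  -Members $siteStaff -Confirm:$false

# 4. Audit what remains in Domain Admins. -Recursive expands nested groups, which
#    is where "too many hands" usually hide after a restructuring.
function Get-DomainAdminReport {
    Get-ADGroupMember -Identity 'Domain Admins' -Recursive |
        Select-Object Name, SamAccountName, objectClass |
        Sort-Object Name
}
Get-DomainAdminReport | Format-Table -AutoSize

# 5. Confirm the delegation landed: list the ACEs on the OU granted to the group.
(Get-Acl -Path "AD:\$companyOu").Access |
    Where-Object { $_.IdentityReference -like "*\$siteAdmins" } |
    Select-Object ActiveDirectoryRights, InheritanceType, ObjectType |
    Format-Table -AutoSize
```

Run it once per company OU with the variables at the top changed; the rest of the script is identical for all 20-odd sites, which is the point of doing this by OU rather than by Domain Admins membership. The deliberate gap is that the site-admin group gets no rights on the OU object itself, so the delegation (and the audit in step 5) stays under the control of whoever remains in Domain Admins.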