Solved

Converting domain admins to OU admins

Posted on 2011-09-14
Last Modified: 2012-05-12
Hi guys, hope you are all well and can help.

We will be shrinking the number of domains from 7 to 2 domains.

We currently have domain admins in each of our 7 domains.

When we go to 2 domains, we want to limit their administrative scope, and want to know the best way to do this WITHOUT making them a domain admin in the new 2 domain setup, but at the same time, still giving them the same "domain admin" access over objects they currently have access to.

Any help greatly appreciated.
Question by:Simon336697
12 Comments
 
LVL 11

Assisted Solution

by:madhatter5501
madhatter5501 earned 160 total points
ID: 36540035
You could delegate the user the permissions to manage the OU?
 
LVL 11

Expert Comment

by:madhatter5501
ID: 36540037
 
LVL 70

Accepted Solution

by:
KCTS earned 1040 total points
ID: 36540123
Create an OUAdmin security group for each OU
Put the user accounts in the appropriate security group(s)

Use the delegation of control wizard to delegate control of the OU to the appropriate security group http://www.howtogeek.com/50166/using-the-delegation-of-control-wizard-to-assign-permissions-in-server-2008/

(delegating to a group - not a user - makes it easier to add/remove delegations by simply adding/removing users from the group)

 
LVL 1

Author Comment

by:Simon336697
ID: 36540393
Thanks guys, can I clarify the following with you?

If we had this setup below:

Root domain
|______ subdomain
                    |_____ adminOU
                    |_____ Europe
                    |_____ Asia
                    |_____ NorthAmerica
                    |_____ SouthAmerica

If we created the following groups:

OUAdminEurope
OUAdminAsia
OUAdminNorthAmerica
OUAdminSouthAmerica

And placed all the above groups in the OUAdmin OU.

And then placed each admin user into the right OUAdmin group.

Then go through the delegation wizard on each of the following OUs:

Europe (delegate full control to the OUAdminEurope group)
Asia (delegate full control to the OUAdminAsia group)
NorthAmerica (delegate full control to the OUAdminNorthAmerica)
SouthAmerica (delegate full control to the OUAdminSouthAmerica)

In what location do the actual users who will be placed in these OUAdmin groups need to be?

For example, can user Bob who is a European OUAdmin, and as such added to the OUAdminEurope group, be located ANYWHERE in any OU? Or, does user Bob need to be in an OU under Europe?

The thing I'm getting confused about is the following:

If you delegate control of an OU to a group, and a user is a member of this group, how do this user's group policies apply/interact with the permissions set for the group on this OU by running through the delegation of control wizard?

Any help greatly appreciated.
 
LVL 24

Assisted Solution

by:Sandeshdubey
Sandeshdubey earned 800 total points
ID: 36540824
If you are delegating control to a user or group on a specific OU, it is not necessary that the user or group be placed in the same OU; you can place it anywhere as per your requirement.

The structure which you have designed seems to be OK, you can proceed with the same.

 
LVL 1

Author Comment

by:Simon336697
ID: 36540904
Hi Sandesh.
Thank you for that.

Is it true though that the user's group policies will be applied to the user according to where the user is located in AD, e.g. what OU?

So, if a user is located in OUA, and the OU you want the user to administer is OUB, then won't the user GPOs applied to OUA be applied as well as whatever permissions have been applied to OUB by using the delegation of control wizard?

This is where I am getting confused.
 
LVL 24

Expert Comment

by:Sandeshdubey
ID: 36541034
Regarding the group policy, it will be applied to the user according to where the user is located in AD.
Suppose the user is in OUA; then whatever policy is linked to OUA will be applied to the user, irrespective of whether the user is added to any group in any other OU.
 
LVL 1

Author Comment

by:Simon336697
ID: 36541044
Ok, but do these group policies affect the FINAL result of what permissions the user gets on the OU that has had the delegation of control wizard run through it?
 
LVL 24

Expert Comment

by:Sandeshdubey
ID: 36541284
Delegating rights is giving special permission to a user or group for a specific purpose, e.g. you may delegate a specific user to reset passwords, create users, delete users, etc. This will not impact the GPO you have applied on the OU where the user or group exists; the policy will be applied to the user even though he has special permission assigned by delegation.
 
LVL 70

Expert Comment

by:KCTS
ID: 36541588
To clarify:

The delegation of control wizard does not use a group policy and is not affected by any group policies.

The Delegation of Control wizard changes the security settings on the OU - it essentially adds accounts to the Access Control List on the OU and sets the required permissions.

The account to which you delegate does not have to be in the same OU as the OU you are delegating control of.

It is far better to delegate control to a Security Group rather than a user - it makes it much simpler to manage any changes.

You can run the delegation of control wizard multiple times on the same OU - any rights are cumulative.

You can modify the delegwiz.inf file used by the wizard to fine tune the delegation rights; see http://support.microsoft.com/kb/308404
and http://technet.microsoft.com/en-us/library/cc772784(WS.10).aspx
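The accepted solution (one OUAdmin security group per regional OU, full control delegated to the group) and KCTS's clarification that the wizard only writes entries into the OU's ACL can be reproduced and, more importantly, audited from PowerShell. This is an added example, not code from anyone in the thread; it assumes the OU names from the question, a hypothetical subdomain DN, and the RSAT ActiveDirectory module on the machine where it runs.

```powershell
# Added example: script the delegation the thread describes and audit the result.
# Assumes the thread's OU layout under a hypothetical subdomain 'sub.corp.example'.
Import-Module ActiveDirectory          # also mounts the AD: PSDrive used by Get-Acl/Set-Acl

$domainDN = 'DC=sub,DC=corp,DC=example'   # assumption: DN of the consolidated subdomain
$adminOU  = "OU=adminOU,$domainDN"        # OU that holds the OUAdmin groups (from the question)
$regions  = 'Europe', 'Asia', 'NorthAmerica', 'SouthAmerica'

foreach ($region in $regions) {
    $groupName = "OUAdmin$region"
    $targetOU  = "OU=$region,$domainDN"

    # 1. Create the OUAdmin group. Delegate to a group, not a user, so membership
    #    changes never require touching the OU's ACL again.
    if (-not (Get-ADGroup -Filter "Name -eq '$groupName'")) {
        New-ADGroup -Name $groupName -GroupScope DomainLocal -GroupCategory Security -Path $adminOU
    }
    $group = Get-ADGroup $groupName

    # 2. What the wizard calls "full control": GenericAll on the OU and every descendant.
    #    This is a very broad grant; reduce it to specific rights (reset password,
    #    create/delete user) when the admins do not need more.
    $acl = Get-Acl -Path "AD:\$targetOU"
    $ace = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
        $group.SID,
        [System.DirectoryServices.ActiveDirectoryRights]::GenericAll,
        [System.Security.AccessControl.AccessControlType]::Allow,
        [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All)
    $acl.AddAccessRule($ace)               # cumulative, just like re-running the wizard
    Set-Acl -Path "AD:\$targetOU" -AclObject $acl
}

# 3. Audit: list the explicit (non-inherited) ACEs on an OU. Because delegation is
#    only ACL state, this is the check that shows who really has what on each OU,
#    regardless of which OU the group members themselves live in.
function Get-OUDelegation {
    param([Parameter(Mandatory)][string]$OUDistinguishedName)
    (Get-Acl -Path "AD:\$OUDistinguishedName").Access |
        Where-Object { -not $_.IsInherited } |
        Select-Object IdentityReference, ActiveDirectoryRights, AccessControlType, InheritanceType
}

Get-OUDelegation -OUDistinguishedName "OU=Europe,$domainDN" | Format-Table -AutoSize
```

Running Get-OUDelegation periodically against every delegated OU gives a simple record of the delegations that have accumulated, which the wizard itself never shows you.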
 
LVL 1

Author Comment

by:Simon336697
ID: 36946244
Thanks so much guys, sorry about the delay.
 
LVL 1

Author Closing Comment

by:Simon336697
ID: 36946257
Thanks so much guys, sorry about the delay.

Question has a verified solution.