Solved

AD migration

Posted on 2011-10-17
Last Modified: 2012-05-12
We are merging our child domains into one domain for our corp domain using the Quest tool. My question is we have Enterprise Admins. However we need only the domain admins to be able to manage the designated OUs that they are assigned. Otherwise they can't access the Domain Controller in the site. Is there any way to accomplish this?
Question by:WellingtonIS
9 Comments
 
LVL 13

Expert Comment

by:Govvy
ID: 36979693
0
 
LVL 57

Expert Comment

by:Mike Kline
ID: 36979718
No, you can use the delegation wizard or ACLs to restrict access to an OU; but to fully have rights for a DC you need admin rights which would give them rights to every DC.

Thanks

Mike
0
 

Author Comment

by:WellingtonIS
ID: 36979752
So there's no way to just designate the OU per site and still have access to the domain controller?
0
 
LVL 57

Expert Comment

by:Mike Kline
ID: 36979768
You want them to be able to fully administer the domain controller?
0
 

Author Comment

by:WellingtonIS
ID: 36979796
I need them to be able to basically manage AD, GPOs, DNS and reboot the box if necessary.
0
 
LVL 57

Accepted Solution

by:
Mike Kline earned 2000 total points
ID: 36979813
You can delegate a lot of that; you can also extend the delegation control wizard

http://adisfun.blogspot.com/2009/08/extend-ad-delegation-control-wizard.html

...but to fully manage you need domain admin rights, but for the tasks you listed you can delegate. GPO info here:

http://technet.microsoft.com/en-us/library/cc776944(WS.10).aspx

Thanks

Mike
0
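The per-OU delegation the accepted answer refers to, scripted with dsacls as an added example that is not part of the original thread. The OU and group names are hypothetical; the script covers object management and GPO linking inside each OU, not DNS or domain controller reboot rights.

```powershell
# Added example: OU and group names below are hypothetical placeholders.
# Requires RSAT (ActiveDirectory module and dsacls.exe); run as a Domain Admin.
Import-Module ActiveDirectory

$domain   = Get-ADDomain
$domainDN = $domain.DistinguishedName

# Constructed mapping: site OU -> group holding that site's administrators
$delegations = @{
    "OU=SiteA,$domainDN" = 'SiteA-OU-Admins'
    "OU=SiteB,$domainDN" = 'SiteB-OU-Admins'
}

# Members of Domain Admins, used below to spot accounts that are over-privileged
$domainAdmins = Get-ADGroupMember -Identity 'Domain Admins' -Recursive

foreach ($ou in $delegations.Keys) {
    $groupName = $delegations[$ou]
    $trustee   = "$($domain.NetBIOSName)\$groupName"

    # Create/delete user, group and computer objects in the OU tree,
    # and full control over those object types only (not over the OU itself).
    foreach ($type in 'user', 'group', 'computer') {
        dsacls $ou /I:T /G "${trustee}:CCDC;$type" | Out-Null
        dsacls $ou /I:S /G "${trustee}:GA;;$type"  | Out-Null
    }

    # Allow linking existing GPOs to this OU (read/write gPLink and gPOptions)
    dsacls $ou /I:T /G "${trustee}:RPWP;gPLink" "${trustee}:RPWP;gPOptions" | Out-Null

    # Review: list every ACE the group now holds on the OU
    (Get-Acl -Path "AD:\$ou").Access |
        Where-Object { $_.IdentityReference.Value -eq $trustee } |
        Select-Object @{n='OU'; e={$ou}}, ActiveDirectoryRights, ObjectType, IsInherited

    # Least-privilege check: flag delegated admins who are still Domain Admins
    Get-ADGroupMember -Identity $groupName -Recursive |
        Where-Object { $domainAdmins.SID -contains $_.SID } |
        ForEach-Object { Write-Warning "$($_.SamAccountName) is in $groupName and Domain Admins" }
}
```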
 

Author Comment

by:WellingtonIS
ID: 36980652
We will check into this and let you know. Thanks for the suggestion.
0
 
LVL 2

Expert Comment

by:Gastrig
ID: 36981676
For QMM what you need is to be a member of the Administrators group in the Domain (under the Built-in OU, or technically CN I think, but whatever).  This will give you a single service account with management abilities in all the domains, at least as far as AD is concerned.

Or, in QMM, you can use different accounts for each domain.  You will want to use separate accounts for workstation (RUM) processing, esp. when you get to the "change domain" functionality.  At this point a single service account tends to create errors - not enough to stop the process, but enough to be annoying.

0
 

Author Closing Comment

by:WellingtonIS
ID: 37176460
My corp took away my admin rights on the domain and just gave me enough to do what I needed to do.
0
