WellingtonIS


AD migration

We are merging our child domains into one domain for our corp domain using the Quest tool. My question is: we have Enterprise Admins. However, we need only the domain admins to be able to manage the designated OUs that they are assigned. Otherwise they can't access the Domain Controller in the site. Is there any way to accomplish this?

Mike Kline

No, you can use the delegation wizard or ACLs to restrict access to an OU, but to fully have rights for a DC you need admin rights, which would give them rights to every DC.

Thanks

Mike
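
The ACL route mentioned in the answer above, as an added example that is not part of the original thread: it grants one group per site full control of that site's OU and then lists the explicit allow entries for review. The domain, OU and group names are constructed placeholders, and it assumes the ActiveDirectory PowerShell module; it delegates the OUs only and gives no rights on the domain controllers themselves.

```powershell
# Added example; the domain, OU and group names are constructed placeholders.
Import-Module ActiveDirectory

# Site OU -> the one group allowed to administer it (hypothetical names).
$delegations = @{
    'OU=SiteA,DC=corp,DC=example,DC=com' = 'SiteA-OU-Admins'
    'OU=SiteB,DC=corp,DC=example,DC=com' = 'SiteB-OU-Admins'
}

foreach ($ouDn in $delegations.Keys) {
    $group = Get-ADGroup -Identity $delegations[$ouDn]
    $path  = "AD:\$ouDn"
    $acl   = Get-Acl -Path $path

    # Full control over the OU and everything beneath it, for this group only.
    $rule = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
        $group.SID,
        [System.DirectoryServices.ActiveDirectoryRights]::GenericAll,
        [System.Security.AccessControl.AccessControlType]::Allow,
        [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All)
    $acl.AddAccessRule($rule)
    Set-Acl -Path $path -AclObject $acl

    # Review step: explicit (non-inherited) allow entries now set on the OU.
    (Get-Acl -Path $path).Access |
        Where-Object { -not $_.IsInherited -and $_.AccessControlType -eq 'Allow' } |
        Select-Object @{n='OU';e={$ouDn}}, IdentityReference,
                      ActiveDirectoryRights, InheritanceType
}
```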
WellingtonIS

ASKER

So there's no way to just designate the OU per site and still have access to the domain controller?
You want them to be able to fully administer the domain controller?
I need them to be able to basically manage AD, GPOs, DNS and reboot the box if necessary.
ASKER CERTIFIED SOLUTION
Mike Kline
This solution is only available to members.
We will check into this and let you know. Thanks for the suggestion.
For QMM what you need is to be a member of the Administrators group in the Domain (under the Built-in OU, or technically CN I think, but whatever).  This will give you a single service account with management abilities in all the domains, at least as far as AD is concerned.

Or, in QMM, you can use different accounts for each domain.  You will want to use separate accounts for workstation (RUM) processing, esp. when you get to the "change domain" functionality.  At this point a single service account tends to create errors - not enough to stop the process, but enough to be annoying.

My corp took away my admin rights on the domain and just gave me enough to do what I needed to do.