zarok
asked on
Assign Administrator Permission for a Group on 1 DC Only out of 3
Hi,
I have 2 Windows 2008 R2 DC Servers in one site in one location, which is headquarters, then another DC in another site. All on the same domain joined by a site-to-site VPN link.
I want to enable a group I have created in AD containing 2 users to have Administrative power over their DC, without them being able to mess with the other two.
Is this possible and how?
ASKER
Yeh I considered doing 2 subs when I set this all up! But every damn article these days on multiple domains under forests advises against it!
Prob is I'm pretty much finished and this goes into production next week, with the off site server being shipped to them... Kinda an after-thought, hell don't want them accessing the whole domain!! haha
ASKER
I've delegated admin in Sites and Services for the group. But I'm guessing that only allows them to control Site objects under their site?
I'm sure I need to also delegate in AD somewhere?
SOLUTION
This solution is only available to members.
ASKER
Yeh that isn't quite the same though. That would be travelling down the path of actually 'building' an admin account for that DC. Although entirely possible, would not involve just those steps. That only gives delegation over the object in AD? So they can change 'it'
Hmm, if I have enough time tomorrow, I might configure it all, then I'll post the steps on here, as there is no information on the internet how to do it and MS certainly doesn't support it lol
ASKER CERTIFIED SOLUTION
This solution is only available to members.
ASKER
Good point Matt, and after discussion with another Admin, he said the same thing - even with a 'custom' admin account, it would not be too hard to gain proper admin again.
Unfortunately it isn't my choice to give them such control but I'll use 'Server Operators' and 'Account Operators' for them, and good communication :)
In hindsight, yes, a RODC might have been more applicable.
Thanks for your help.
ny.company.com, ak.company.com, eu.company.com then it's simple domain admins.. otherwise you seem to be left with delegation