-----Original Message-----
From: GRILLENMEIER,GUIDO (HP-Germany,ex1) [mailto:[EMAIL PROTECTED]]
Sent: Thursday, November 20, 2003 12:06 PM
To: [EMAIL PROTECTED]; Ravdal, Stig
Subject: RE: [ActiveDir] Managing Sites in Forest with Empty Root

As John already said: it's not really wise to try to delegate everything, as otherwise you're giving away the keys to the kingdom after all... And if this is your only reason for creating that extra empty root domain, then you might as well stick to a clean single-domain-forest model: as soon as you give domain admin rights to someone else in your child domain, you've basically passed out these precious keys.
It's a simple thing for a domain admin to work himself up the tree and become Enterprise Admin - not necessarily what you'd expect, but that's the way it is. MS is finally being public about this - check out the AD Security Whitepaper that was released a while ago. It's best to keep a very small team with EA+DA rights and delegate other tasks on the OU level only.
If you still want to delegate site-administration (even in a single-domain-forest) you'll have to grant numerous permissions on various objects to make this happen - but depending on what you really want to delegate, you may only need a few. Here is a sample from the upcoming AD Delegation Whitepaper from Microsoft (only 5 more days...):
Task -> Permissions Required to Perform Task

Task: Create a Site / Add a Site
Permissions: CC on cn=Sites, cn=Configuration, dc=<ForestRootDomain> (to create objects of class Site)

Task: Rename a Site
Permissions: WP on the corresponding site object, cn=<Site>, cn=Sites, cn=Configuration, dc=<ForestRootDomain> to modify the Common-Name attribute

Task: Specify the location of a Site
Permissions: WP on the corresponding site object, cn=<Site>, cn=Sites, cn=Configuration, dc=<ForestRootDomain> to modify the Location attribute

Task: Associate a Group Policy with a Site
Permissions: WP on the corresponding site object, cn=<Site>, cn=Sites, cn=Configuration, dc=<ForestRootDomain> to modify the GP-Link attribute

Task: Modify Site Group Policy Options
Permissions: WP on the corresponding site object, cn=<Site>, cn=Sites, cn=Configuration, dc=<ForestRootDomain> to modify the GP-Options attribute

Task: Move a Domain Controller between sites
Permissions:
  - WP on the Server object being moved to modify the Common-Name attribute
  - DC on the object cn=Servers, cn=<Current-Site>, cn=Sites, cn=Configuration, dc=<ForestRootDomain> (to delete objects of class Server)
  - CC on the object cn=Servers, cn=<New-Site>, cn=Sites, cn=Configuration, dc=<ForestRootDomain> (to create objects of class Server)
/Guido
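As an added example (not code from the thread or from the Microsoft whitepaper), here is an audit script that lists which non-default principals actually hold the CC / DC / WP rights from the table above on CN=Sites and on each site object, so an over-broad site delegation in the forest's Configuration partition is easy to spot. It assumes the RSAT ActiveDirectory module is installed; the group name in $expected is a placeholder for whatever group you deliberately delegated to.

```powershell
# Added example: audit delegation on CN=Sites,CN=Configuration (not from the thread).
# Assumes the RSAT ActiveDirectory module (provides Get-ADRootDSE, Get-ADObject, AD: drive).
Import-Module ActiveDirectory

$rootDse  = Get-ADRootDSE
$schemaNC = $rootDse.schemaNamingContext
$sitesDN  = "CN=Sites,$($rootDse.configurationNamingContext)"

# Resolve schemaIDGUIDs so object-specific ACEs can be named (class site/server, attributes).
function Get-SchemaGuid([string]$ldapDisplayName) {
    $o = Get-ADObject -SearchBase $schemaNC -LDAPFilter "(ldapDisplayName=$ldapDisplayName)" -Properties schemaIDGUID
    [guid]$o.schemaIDGUID
}
$guidNames = @{}
foreach ($n in 'site', 'server', 'cn', 'location', 'gPLink', 'gPOptions') {
    $guidNames[(Get-SchemaGuid $n)] = $n
}

# CC = CreateChild, DC = DeleteChild, WP = WriteProperty in the whitepaper's shorthand;
# GenericAll / WriteDacl / WriteOwner are listed too because they imply all of the above.
$interesting = 'CreateChild', 'DeleteChild', 'WriteProperty', 'GenericAll', 'WriteDacl', 'WriteOwner'
$defaults    = 'NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators', 'NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS'
$expected    = @('CORP\Site-Admins')   # placeholder: the group you intentionally delegated to

$targets = @($sitesDN) + (Get-ADObject -SearchBase $sitesDN -SearchScope OneLevel `
            -LDAPFilter '(objectClass=site)').DistinguishedName

$report = foreach ($dn in $targets) {
    $acl = Get-Acl -Path "AD:\$dn"
    foreach ($ace in $acl.Access) {
        $who = $ace.IdentityReference.Value
        if ($ace.AccessControlType -ne 'Allow' -or $defaults -contains $who) { continue }
        if ($who -like '*\Enterprise Admins' -or $who -like '*\Domain Admins') { continue }
        $rights = $ace.ActiveDirectoryRights.ToString() -split ',\s*'
        if (-not ($rights | Where-Object { $interesting -contains $_ })) { continue }
        # An empty ObjectType means the right is not limited to one class or attribute.
        if ($ace.ObjectType -eq [guid]::Empty) { $scope = 'ALL (unscoped)' } elseif ($guidNames.ContainsKey($ace.ObjectType)) { $scope = $guidNames[$ace.ObjectType] } else { $scope = $ace.ObjectType.ToString() }
        [pscustomobject]@{
            Object    = $dn
            Identity  = $who
            Rights    = $ace.ActiveDirectoryRights
            Scope     = $scope
            Inherited = $ace.IsInherited
            Expected  = ($expected -contains $who)
        }
    }
}
$report | Sort-Object Expected, Identity | Format-Table -AutoSize
```

Rows with Expected = False, or with Scope = ALL (unscoped) on CN=Sites itself, are the ones to review: an unscoped CreateChild or WriteProperty there reaches well beyond the single-task grants in the table.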
-----Original Message-----
From: John Reijnders [mailto:[EMAIL PROTECTED]]
Sent: Thursday, 20 November 2003 20:40
To: 'Ravdal, Stig '; '[EMAIL PROTECTED] '
Subject: RE: [ActiveDir] Managing Sites in Forest with Empty Root
If you want to delegate the rights to manage the stuff handled with AD S&S you need to delegate the "manage replication topology" to the right group. Site management is a task performed at forest level so delegating this right means delegating the rights for the complete forest.

Thinking about it ... you could try to limit the role of creating sites to a limited number of users/groups and then give specific admins only the rights to manage these specific objects (i.e. attaching subnets to this site).

However !!! be really conservative with the delegation of this right. Doing the wrong stuff can screw up your complete AD (in all domains within the forest). I personally prefer limiting this task to a very limited amount of people.
Cheers!
John
-----Original Message-----
From: Ravdal, Stig
To: [EMAIL PROTECTED]
Sent: 20-11-2003 18:17
Subject: [ActiveDir] Managing Sites in Forest with Empty Root
Hi all,
I'm a newbie to the forum and I think that this is the right place for this question.

I have set up a new forest using an empty forest root (first domain/tree in the forest). In the forest I have an operational domain, the second domain in the forest (and the first of three such single domain/single trees that will reside in the forest in addition to the empty forest root).

What I would like to do is allow the first operational domain to manage Sites & Services. I do not want the empty forest root to do any administrative tasks beyond holding the "keys to the kingdom". No users or computers will reside in the empty forest root domain.

How can I delegate the control of the Sites and Services?

Also can I delegate the control of sites and services such that each domain/tree in the forest can do their own site management?
Thanks,
Stig
List info : http://www.activedir.org/mail_list.htm
List FAQ : http://www.activedir.org/list_faq.htm
List archive:
http://www.mail-archive.com/activedir%40mail.activedir.org/
Hi Guido,

Thanks for the info. I am aware of the security hole so this may really boil down to perception. The client has a requirement that two of their business units operate with greater autonomy - to the point of being able to be spun off entirely should that be the best for business. They frequently acquire new companies and divest smaller organizations and that is what led to the model of a forest of trees (single domains) with an empty forest root (tree/domain).

As far as the EA rights are concerned it may be possible for an admin in any tree in the forest to elevate his/her privileges, but it is somewhat unlikely in this organization - the client's main business unit/company has outsourced all administration to a very large outsourcing company and they have a paper-based procedure for everything - quite bureaucratic really. That is not to say that there couldn't be some disgruntled employee that causes trouble down the road.

Thanks for the response Guido, I'll also look for the whitepapers.

Cheers,
Stig