The debate on this topic seems to rage on. Russ, the issue is one of risk. How much control or access are you willing to give folks on your DCs?
This is the same discussion that joe and I have had on more than a couple of occasions. Me, I'm a bit more willing to delegate out authority to do just what you're asking. However, joe's viewpoint and opinion on this subject are just as valid. Joe's point is this: IF you delegate permissions to someone other than your most trusted and controlled elements (meaning that central management team of two or three), then it's only a matter of time before they are into things that they aren't supposed to be. It might not be a matter of maliciousness, but then - it just might. Anytime you are giving folks access, you are giving them the opportunity to take control away from you.

Directly to your questions: Start with the Delegation whitepaper. Sanjay did a great job on this whitepaper.

http://www.microsoft.com/downloads/details.aspx?FamilyID=631747a3-79e1-48fa-9730-dae7c0a1d6d3&DisplayLang=en

Can what you are asking be done? Yes. Not all of it easily or even recommended from my perspective, not to mention joe's. Read Sanjay's white paper, and choose the appropriate section(s). It's 95% prescriptive guidance.

-rtk

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Rimmerman, Russ
Sent: Saturday, March 26, 2005 12:07 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Delegation of permissions

We're having some political discussions as to whether or not we can allow our site administrators access to DNS, DHCP and the ability to create GPOs within their respective OU ONLY. Is this possible? Today, since they aren't domain admins, they cannot log on to their local DC (which is fine). However, they want to make DNS and DHCP changes to THEIR location only. Is this possible? DNS and DHCP are running on their domain controllers.

What about GPOs? Can we somehow allow them to create GPOs that will ONLY be able to be linked to their respective OU?
Thanks