Neil,
Try a re-read of the first couple of chapters of the first part of the deployment guide book, Designing and Deploying Directory and Security Services. Obviously it doesn't spell out how to do this (it doesn't even allude to how this is done), but it does emphasise when and when not to go with the regional domain model.

I'm not disputing what anyone is saying here; I agree. I just happen to think the regional model can be a good one, and that if done properly it works, even from a security standpoint. The main thing with the regional design is that there's a central group of service admins, or a true delegated model.

If you have multiple groups of service admins it can still work, but the issue that has been raised is very real and you probably need to implement processes and monitor against it (if you're forced into such a design by the needs of the business or obtuse upper management ;-). Although it does seem to be possible to implement disparate groups of service admins if you follow the delegation whitepaper (you'll need to improvise, but most of the info is pertinent), which should put you in a much stronger position from a security standpoint. If you can achieve a very small number of people who are actually members of the builtin\Administrators group, and the rest only have delegated permissions and privileges (and preferably very few privileges on the DCs, i.e. no logon locally), you can achieve what you want.

Joe's been there and done it...
--Paul
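One way to "monitor against it" as the post suggests, keeping the effective membership of builtin\Administrators, Domain Admins and Enterprise Admins small across every domain in the forest: this is an added example, not code from Paul or the list, and it assumes the RSAT ActiveDirectory module, a reader account that can enumerate group members, and a constructed allow-list of approved service admins.

```powershell
# Added example, not from the original thread: report who is *effectively* a member of
# the builtin\Administrators, Domain Admins and Enterprise Admins groups in each domain
# of the forest (nested groups expanded) and flag anyone outside a small approved list.
# Assumes the RSAT ActiveDirectory module and a reader with rights to enumerate members.
Import-Module ActiveDirectory

# Constructed allow-list (DNS domain\sAMAccountName): the small central service-admin team.
$ApprovedAdmins = @('corp.example.com\svc-admin-alice', 'corp.example.com\svc-admin-bob')

function Get-PrivilegedMemberReport {
    param([string[]]$Approved = $ApprovedAdmins)
    $forest = Get-ADForest
    foreach ($domainName in $forest.Domains) {
        $groups = @('Administrators', 'Domain Admins')
        # Enterprise Admins exists only in the forest root domain
        if ($domainName -eq $forest.RootDomain) { $groups += 'Enterprise Admins' }
        foreach ($group in $groups) {
            try {
                # -Recursive expands nested groups so indirect members are reported too
                $members = Get-ADGroupMember -Identity $group -Server $domainName -Recursive -ErrorAction Stop |
                           Where-Object { $_.objectClass -eq 'user' }
            } catch {
                # Foreign security principals from another forest can break expansion; surface it
                Write-Warning "Could not expand $group in $domainName : $_"
                continue
            }
            foreach ($m in $members) {
                # Derive the member's own domain from its DN so cross-domain members are named correctly
                $memberDomain = (($m.distinguishedName -split ',DC=') | Select-Object -Skip 1) -join '.'
                $name = "$memberDomain\$($m.SamAccountName)"
                [pscustomobject]@{
                    Domain   = $domainName
                    Group    = $group
                    Member   = $name
                    Approved = ($Approved -contains $name)
                }
            }
        }
    }
}

$report = Get-PrivilegedMemberReport
# Anyone not on the allow-list is a finding to follow up with a process, not just a script
$report | Where-Object { -not $_.Approved } | Format-Table -AutoSize

# Per-group headcount: the aim is a very small, stable number in each
$report | Group-Object Domain, Group | Select-Object Name, Count | Format-Table -AutoSize
```

Run it on a schedule and diff the output against the previous run; a new unapproved name or a rising count is the signal the post says you need to watch for.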