On Mon, 4 May 2009 11:20:58 -0400, "Ace Fekay [Microsoft Certified Trainer]" <...@mvps.RemoveThisPart.org
Hi John,
The simple answer is a child domain of either your tree or the other tree,
depending on the business requirements. Designate the appropriate admins at
that location to be members of that specific Domain Admin group so they can
only administer that domain and nowhere else in the forest. This also makes
them part of your global org, sharing the same forest and common GAL. I
would also delegate DNS to that domain once the domain is up and running.
Run Exchange's domainprep in order for them to have mailboxes and
send/receive mail.
That is the short and sweet answer. If you need assistance with steps,
articles, etc, let us know.
--
Ace
This posting is provided "AS-IS" with no warranties or guarantees and
confers no rights.
Ace Fekay, MCSE 2003 & 2000, MCSA 2003 & 2000, MCSA Messaging, MCT
Microsoft Certified Trainer
acem...@mvps.RemoveThisPart.org
For urgent issues, you may want to contact Microsoft PSS directly. Please
check http://support.microsoft.com for regional support phone numbers.
"Efficiency is doing things right; effectiveness is doing the right
things." - Peter F. Drucker
http://twitter.com/acefekay
On Mon, 4 May 2009 16:18:29 +0000 (UTC), Meinolf Weber [MVP-DS] <...@gmx.de
Hello John,
If they should not have any permission to the main domain, you can create
a new forest tree or a child domain in the existing domain tree. For Exchange
and mailbox access in the domain without Exchange installed, run Exchange
domainprep.
Best regards
Meinolf Weber
Disclaimer: This posting is provided "AS IS" with no warranties, and confers
no rights.
** Please do NOT email, only reply to Newsgroups
** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm
On Mon, 4 May 2009 13:50:04 -0700, John McC <...@discussions.microsoft.com
Hi Meinolf,
Thanks for your reply.
Just so I am clear - you are saying a new domain tree in the existing forest
or a child domain of the existing domain are two options that would allow the
local administrators access to manage their domain and not give them any
permissions to any existing domains? A new domain is the best way to go I
think as this is a new part to the business and would like its own identity
and namespace.
Good point that I would need to run the exchange domain prep - forgot about
that!!
Regards
John
On Mon, 4 May 2009 21:00:42 +0000 (UTC), Meinolf Weber [MVP-DS] <...@gmx.de
Hello John,
Within a new domain the domain admins can administer the complete domain,
nothing else. If you add them to the Enterprise admins, they are able to
administer the complete forest.
Domain admins:
Members of this group have full control of the domain. By default, this group
is a member of the Administrators group on all domain controllers, all domain
workstations, and all domain member servers at the time they are joined to
the domain. By default, the Administrator account is a member of this group.
Because the group has full control in the domain, add users with caution.
Enterprise admins (only appears in the forest root domain):
Members of this group have full control of all domains in the forest. By
default, this group is a member of the Administrators group on all domain
controllers in the forest. By default, the Administrator account is a member
of this group. Because this group has full control of the forest, add users
with caution.
Best regards
Meinolf Weber
Disclaimer: This posting is provided "AS IS" with no warranties, and confers
no rights.
** Please do NOT email, only reply to Newsgroups
** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm
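The two group descriptions above are the ones worth verifying in practice: because Domain Admins and Enterprise Admins carry full control, a forest owner wants to know who is actually in them, nested memberships included. The script below is an added example and not part of the thread; it assumes the ActiveDirectory module (RSAT) is installed and the session can read the directory. Domain names are taken from Get-ADForest at run time, not from the thread. Membership is resolved through the Global Catalog so that members from other domains of the forest resolve as well.

```powershell
# Added example (not from the thread): list the effective members of Domain Admins in
# every domain of the forest and of Enterprise Admins in the forest root.
# Assumes the ActiveDirectory module and read access to the directory.
Import-Module ActiveDirectory

function Get-EffectiveMembers {
    # Follows the member attribute of a group recursively, expanding nested groups.
    # Queries go to a Global Catalog (port 3268) so DNs from other domains resolve too.
    param(
        [Parameter(Mandatory)][string]$GroupDN,
        [Parameter(Mandatory)][string]$GcServer,
        [System.Collections.Generic.HashSet[string]]$Seen = [System.Collections.Generic.HashSet[string]]::new()
    )
    if (-not $Seen.Add($GroupDN)) { return }   # guard against circular nesting
    $group = Get-ADObject -Identity $GroupDN -Server $GcServer -Properties member
    foreach ($dn in $group.member) {
        $obj = Get-ADObject -Identity $dn -Server $GcServer -Properties sAMAccountName, objectClass
        if ($obj.objectClass -eq 'group') {
            Get-EffectiveMembers -GroupDN $dn -GcServer $GcServer -Seen $Seen
        } else {
            # foreignSecurityPrincipal objects (trusted forests) show up here with no sAMAccountName
            [pscustomobject]@{
                Member = $obj.sAMAccountName
                Class  = $obj.objectClass
                DN     = $dn
            }
        }
    }
}

$forest = Get-ADForest
$gc = ($forest.GlobalCatalogs | Select-Object -First 1) + ':3268'

$report = foreach ($domain in $forest.Domains) {
    # Domain Admins exists in every domain; Enterprise Admins only in the forest root
    $groups = @('Domain Admins')
    if ($domain -eq $forest.RootDomain) { $groups += 'Enterprise Admins' }
    foreach ($name in $groups) {
        $groupDn = (Get-ADGroup -Identity $name -Server $domain).DistinguishedName
        Get-EffectiveMembers -GroupDN $groupDn -GcServer $gc |
            Select-Object @{n='Domain';e={$domain}}, @{n='Group';e={$name}}, Member, Class, DN
    }
}
$report | Sort-Object Domain, Group, Member | Format-Table -AutoSize

# Accounts from outside the forest root that hold forest-wide rights deserve a second look:
# that is exactly the "if you add them to the Enterprise admins" case described above.
$rootDn = (Get-ADDomain -Identity $forest.RootDomain).DistinguishedName
$report | Where-Object { $_.Group -eq 'Enterprise Admins' -and $_.DN -notlike "*,$rootDn" }
```

Run it from the forest root with an account that can read every domain; the final filter is the check that matters for the design question in this thread, since a child-domain account listed there has forest-wide control regardless of which domain it was created in.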
On Mon, 4 May 2009 23:22:46 +0200, "Jorge de Almeida Pinto [MVP - DS]" <...@gmail.com
If the new admins should NOT have domain admin permissions in your domain,
then either:
(1) put them in their own OU
(2) put them in their own forest
Their own domain in the same forest as yours does not help. If they know how,
they can "elevate" themselves and screw up the forest! The forest is the
security boundary, not the domain.
--
Cheers,
(HOPEFULLY THIS INFORMATION HELPS YOU!)
# Jorge de Almeida Pinto # MVP Identity & Access - Directory Services #
* This posting is provided "AS IS" with no warranties and confers no rights!
* Always test ANY suggestion in a test environment before implementing!
On Wed, 6 May 2009 19:24:05 -0400, "uSlackr" <...@reedtech.com
IMO, you are making this too complex by creating a new domain. An OU with
delegated rights is the way to do this. That way you maintain control over
the overall directory health and they can still make use of AD for their
needs. You also need less expertise at that site as well.
\\uSlackr
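Jorge's option (1) and uSlackr's answer both come down to the same mechanism: an OU whose ACL grants a local group rights over the objects inside it and nothing else. The script below is an added example, not code from the thread or from any of its posters; it assumes the ActiveDirectory module (RSAT), an account allowed to create OUs in the domain, and the names corp.example, NewSite and NewSite-Admins, all of which are placeholders. The schema GUIDs are the well-known schemaIDGUID values of the user, group and computer classes.

```powershell
# Added example (not from the thread): create a site OU and a local admin group, then
# delegate user/group/computer management inside that OU only.
# Assumes the ActiveDirectory module; OU, group and domain names are placeholders.
Import-Module ActiveDirectory

$domainDn  = (Get-ADDomain).DistinguishedName    # e.g. DC=corp,DC=example (assumed)
$ouName    = 'NewSite'                            # assumed name
$ouDn      = "OU=$ouName,$domainDn"
$groupName = 'NewSite-Admins'                     # assumed name

New-ADOrganizationalUnit -Name $ouName -Path $domainDn -ProtectedFromAccidentalDeletion $true
New-ADGroup -Name $groupName -GroupScope Global -GroupCategory Security -Path $ouDn
$sid = (Get-ADGroup -Identity $groupName).SID

# Well-known schemaIDGUIDs of the object classes being delegated
$userClass     = [guid]'bf967aba-0de6-11d0-a285-00aa003049e2'
$groupClass    = [guid]'bf967a9c-0de6-11d0-a285-00aa003049e2'
$computerClass = [guid]'bf967a86-0de6-11d0-a285-00aa003049e2'

$allow  = [System.Security.AccessControl.AccessControlType]::Allow
$all    = [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All
$desc   = [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents
$rights = [System.DirectoryServices.ActiveDirectoryRights]

$rules = @(
    foreach ($class in $userClass, $groupClass, $computerClass) {
        # Create and delete objects of this class anywhere under the OU
        [System.DirectoryServices.ActiveDirectoryAccessRule]::new(
            $sid, ($rights::CreateChild -bor $rights::DeleteChild), $allow, $class, $all)
        # Full control of existing objects of this class below the OU (attributes, membership, passwords)
        [System.DirectoryServices.ActiveDirectoryAccessRule]::new(
            $sid, $rights::GenericAll, $allow, $desc, $class)
    }
)

# Apply the ACEs to the OU itself; nothing is written to the domain head or to other OUs
$acl = Get-Acl -Path "AD:\$ouDn"
foreach ($rule in $rules) { $acl.AddAccessRule($rule) }
Set-Acl -Path "AD:\$ouDn" -AclObject $acl

# Verify what the group was actually granted, and where
(Get-Acl -Path "AD:\$ouDn").Access |
    Where-Object { $_.IdentityReference -like "*\$groupName" } |
    Select-Object ActiveDirectoryRights, ObjectType, InheritanceType, InheritedObjectType
```

Members of NewSite-Admins are never added to Domain Admins, so the forest owner keeps the directory as a whole under control, which is the point both posters make. The grant is deliberately scoped by object class and by inheritance: the group can manage users, groups and computers under its OU but has no rights on the OU object itself, on domain controllers, or on any other container. Linking or editing Group Policy for the OU is a separate delegation and is not covered here.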