Security Basics mailing list archives
Re: Delegating Domain Administration - Win2k3
From: "Salvador III Manaois" <badzmanaois () gmail com>
Date: Tue, 7 Oct 2008 14:01:36 +0800
Hi,

There are a number of guides/WPs on Technet pertaining to this topic, so please allow me, if you don't mind, to post them here instead of me ranting off my take on this topic. For starters:

Best Practice Guide for Securing Active Directory Installations
http://technet.microsoft.com/en-us/library/cc773365.aspx

Best Practices for Delegating Active Directory Administration (Windows Server 2003)
http://technet.microsoft.com/en-us/library/cc773318.aspx
http://www.microsoft.com/downloadS/details.aspx?familyid=631747A3-79E1-48FA-9730-DAE7C0A1D6D3&displaylang=en

MS Exchange 2003 Permissions FAW
http://technet.microsoft.com/en-us/library/aa995794(EXCHG.65).aspx

Planning FSMO Roles in AD
http://support.microsoft.com/kb/223346
http://www.petri.co.il/planning_fsmo_roles_in_ad.htm

With regards to your question on how to spread admin permissions, always work on the concept of Least-privileged User Account (LUA) and provide only what is needed for an admin to do his work (for example, delegating only the requisite rights to the OUs an admin is administering, like resetting of passwords or adding objects to the OU; think twice before giving full rights on the OU to the admin).

Bandwidth may indeed be an issue for your setup if you do not plan for a proper AD sites design, server placement and replication topology.

Regards,
...badz...
Salvador Manaois III
MCSE MCSA CEH MCITP | Enterprise/Server Admin
Bytes & Badz : http://badzmanaois.blogspot.com

On Sat, Oct 4, 2008 at 1:11 PM, WALI <hkhasgiwale () gmail com> wrote:
Hi All,

Having recently commissioned a Windows 2003 R2 based and Exchange 2k3 included single domain AD model across various branches of my company spread across 4 different countries, I want to write a policy/procedural document detailing delegation of service/administration accounts across all units. The branch units are represented by OUs within the single child domain - say abc.zyz.local (parent root domain 'xyz.local' being empty).

What's the best way to go about it?
How should the OU administration be spread across?
What would be the Exchange administration best practices?
Who/how should the schema admin/domain admin rights be spread across?
Who should have the FSMO roles and what should be the criteria?

We have a global 2Mbps MPLS network connecting all the DCs/Exchange servers within this model, so bandwidth isn't an issue probably.

Any/all advice is welcome.
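
The task-scoped OU delegation recommended in the reply above, shown as an added example that is not part of the original posts. It uses the `dsacls` tool from the Windows Support Tools / AD DS tools; the OU distinguished name and the group name are hypothetical placeholders modelled on the layout described in the question.

```powershell
# Added example: delegate only specific tasks on one branch OU instead of full control.
# The OU DN and the group name below are hypothetical placeholders.
$ou    = 'OU=BranchA,DC=abc,DC=xyz,DC=local'   # hypothetical branch OU
$group = 'ABC\BranchA-Helpdesk'                # hypothetical delegated admin group

# 1. Reset passwords on user objects below the OU.
#    CA = control access (extended right); /I:S = inherit to sub-objects only.
dsacls $ou /I:S /G "${group}:CA;Reset Password;user"

# 2. Set "user must change password at next logon" (read/write pwdLastSet only).
dsacls $ou /I:S /G "${group}:RPWP;pwdLastSet;user"

# 3. Create user objects in the OU (CC = create child). No delete right is granted.
dsacls $ou /I:T /G "${group}:CC;user"

# 4. Review the result: list the ACEs that name the group and flag a
#    full-control grant, which defeats the point of scoping the delegation.
$aces = dsacls $ou | Select-String -SimpleMatch $group
$aces
if ($aces.Line -match 'FULL CONTROL') {
    Write-Warning "$group holds FULL CONTROL on $ou; replace it with task-scoped rights."
}
```

Running step 4 periodically against each branch OU gives a simple record of what each delegated group can actually do, which can be attached to the delegation policy document.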