Security Basics mailing list archives

Re: Delegating Domain Administration - Win2k3


From: "Salvador III Manaois" <badzmanaois () gmail com>
Date: Tue, 7 Oct 2008 14:01:36 +0800

Hi,

There are a number of guides/WPs on Technet pertaining to this topic,
so please allow me, if you don't mind, to post them here instead of me
ranting off my take on this topic.

For starters:

Best Practice Guide for Securing Active Directory Installations
http://technet.microsoft.com/en-us/library/cc773365.aspx

Best Practices for Delegating Active Directory Administration (Windows
Server 2003)
http://technet.microsoft.com/en-us/library/cc773318.aspx
http://www.microsoft.com/downloadS/details.aspx?familyid=631747A3-79E1-48FA-9730-DAE7C0A1D6D3&displaylang=en

MS Exchange 2003 Permissions FAQ
http://technet.microsoft.com/en-us/library/aa995794(EXCHG.65).aspx

Planning FSMO Roles in AD
http://support.microsoft.com/kb/223346
http://www.petri.co.il/planning_fsmo_roles_in_ad.htm

With regards to your question on how to spread admin permissions,
always work on the concept of Least-privileged User Account (LUA) and
provide only what is needed for an admin to do his work (for example,
delegating only the requisite rights to the OUs an admin is
administering like resetting of passwords, adding objects to the OU;
think twice before giving full rights on the OU to the admin).

Bandwidth may indeed be an issue for your setup if you do not plan for
a proper AD sites design, server placement and replication topology.

Regards,

...badz...
Salvador Manaois III
MCSE MCSA CEH MCITP | Enterprise/Server Admin
Bytes & Badz : http://badzmanaois.blogspot.com
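As an added illustration of the least-privilege delegation described above (not code from the original thread or its authors), the following PowerShell script grants a branch helpdesk group only two rights on its own OU: resetting passwords on user objects under the OU, and creating user objects in it, without giving the group full control of the OU. The OU name "OU=Branch-Manila,..." and the group "abc\Branch-Manila-Helpdesk" are hypothetical; the domain abc.xyz.local follows the thread. It uses only System.DirectoryServices, so it does not need the later ActiveDirectory PowerShell module, and it finishes by reading the ACL back so the delegation can be audited.

```powershell
# Added example, not from the original thread. Delegates least-privilege rights on one branch OU.
# Hypothetical names: OU "OU=Branch-Manila,DC=abc,DC=xyz,DC=local" and group "abc\Branch-Manila-Helpdesk".
# Run as an account that is allowed to modify the OU's security descriptor (e.g. a Domain Admin).

Add-Type -AssemblyName System.DirectoryServices

$ouDn      = "OU=Branch-Manila,DC=abc,DC=xyz,DC=local"   # hypothetical branch OU
$groupName = "abc\Branch-Manila-Helpdesk"                 # hypothetical delegated group

# Well-known Active Directory schema GUIDs
$resetPasswordRight = [Guid]"00299570-246d-11d0-a768-00aa006e0562"   # control access right: Reset Password
$userClass          = [Guid]"bf967aba-0de6-11d0-a285-00aa003049e2"   # schema class: user

$ou  = [ADSI]"LDAP://$ouDn"
$sid = (New-Object System.Security.Principal.NTAccount($groupName)).Translate(
           [System.Security.Principal.SecurityIdentifier])

# Rule 1: "Reset Password" on user objects below the OU only (Descendents), not on the OU itself
$resetRule = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $sid,
    [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight,
    [System.Security.AccessControl.AccessControlType]::Allow,
    $resetPasswordRight,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents,
    $userClass)

# Rule 2: create user objects (and nothing else) directly in the OU
$createUserRule = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $sid,
    [System.DirectoryServices.ActiveDirectoryRights]::CreateChild,
    [System.Security.AccessControl.AccessControlType]::Allow,
    $userClass,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::None)

$ou.ObjectSecurity.AddAccessRule($resetRule)
$ou.ObjectSecurity.AddAccessRule($createUserRule)
$ou.CommitChanges()

# Audit: list every ACE on the OU that applies to the delegated group. For a least-privilege
# delegation you expect only the two entries above and no GenericAll / WriteDacl / WriteOwner.
$ou.ObjectSecurity.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier]) |
    Where-Object { $_.IdentityReference -eq $sid } |
    Select-Object ActiveDirectoryRights, AccessControlType, ObjectType, InheritanceType, InheritedObjectType |
    Format-Table -AutoSize
```

The two ACEs are scoped with object-type GUIDs on purpose: the Reset Password entry applies only to user objects, and the CreateChild entry allows creating users but not groups, computers or nested OUs. Re-running the audit query on each branch OU from a scheduled task is a cheap way to catch later "temporary" full-control grants that were never removed.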



On Sat, Oct 4, 2008 at 1:11 PM, WALI <hkhasgiwale () gmail com> wrote:

Hi All,

Having recently commissioned a Windows 2003 R2 based and Exchange 2k3 included single domain AD model across various 
branches of my company spread across 4 different countries, I want to write a policy/procedural document detailing 
delegation of service/administration accounts across all units. The branch units are represented by OUs within the 
single child domain - say abc.xyz.local ( parent root domain 'xyz.local' being empty).

What's the best way to go about it? How should the OU administration be spread across? What would be the exchange 
administration best practices? Who/how should the schema admin/domain admin rights be spread across? Who should have 
the FSMO roles and what should be the criteria?
We have a global 2Mbps MPLS network connecting all the DC's/exchange servers within this model, so bandwidth isn't an 
issue probably.

Any/all advice is welcome.
