A tip for delegation (this may vary per organization, but it should give you a hint on how to do it):

  • ALWAYS use separate admin accounts to perform admin tasks
  • Define the admin roles in your organization
  • Define all the admin tasks performed by those roles in your organization
  • Create an OU for the Admin roles and the admin tasks
  • Do not delegate the management of the roles and the tasks to groups or persons other than the domain admins
  • Create an OU for the Admin accounts
  • Do not delegate the management of the admin accounts to groups or persons other than the domain admins
  • Set up admin roles, each represented by a security group in AD
  • Set up all kinds of tasks, each represented by a security group in AD
  • Give the task groups the appropriate permissions in AD and on servers through the delegation of control wizard and through GPOs (restricted groups feature)
  • Make the role groups members of the appropriate task groups
  • Make the admin accounts members of the appropriate role groups (most of the time one admin account has only one role assigned)
  • Protect the admin accounts OU, the admin roles and tasks OU


More information:


Jorge

-------------------------------------------------------------------------------------------------
* This posting is provided "AS IS" with no warranties and confers no rights!
* Always test before implementing!
-------------------------------------------------------------------------------------------------
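The following PowerShell is an added example, not part of Jorge's post, that builds the role/task model from the list above end to end: the OUs, the task and role groups, the nesting, one admin account, one delegated task (password reset, the same rights the Delegation of Control wizard's "Reset user passwords" task grants), the GPO shell for Restricted Groups, and a check that the admin OUs carry no delegations beyond the defaults and Domain Admins. It assumes the ActiveDirectory and GroupPolicy RSAT modules, a Domain Admins session, and that the default OU ACL looks like a standard forest's; every OU, group, GPO and account name in it is made up for illustration.

```powershell
#Requires -Modules ActiveDirectory, GroupPolicy
# Added example: role/task delegation model. Names are hypothetical.
$ErrorActionPreference = 'Stop'
Import-Module ActiveDirectory
Import-Module GroupPolicy

$domain   = Get-ADDomain
$domainDN = $domain.DistinguishedName
$netbios  = $domain.NetBIOSName

# 1. OUs: admin root, roles/tasks, admin accounts, and the OUs the tasks act on.
#    Created in order so each parent exists before its children.
$adminRoot  = "OU=Admin,$domainDN"
$rolesOU    = "OU=Roles and Tasks,$adminRoot"
$accountsOU = "OU=Admin Accounts,$adminRoot"
$usersOU    = "OU=Helpdesk Managed Users,$domainDN"
$wkstnOU    = "OU=Helpdesk Workstations,$domainDN"

$ouPlan = @(
    @{ Name = 'Admin';                   Path = $domainDN },
    @{ Name = 'Roles and Tasks';         Path = $adminRoot },
    @{ Name = 'Admin Accounts';          Path = $adminRoot },
    @{ Name = 'Helpdesk Managed Users';  Path = $domainDN },
    @{ Name = 'Helpdesk Workstations';   Path = $domainDN }
)
foreach ($ou in $ouPlan) {
    $exists = Get-ADOrganizationalUnit -Filter "Name -eq '$($ou.Name)'" -SearchBase $ou.Path -SearchScope OneLevel
    if (-not $exists) {
        # Protect against accidental deletion (Deny Delete/DeleteTree ACEs on the OU).
        New-ADOrganizationalUnit -Name $ou.Name -Path $ou.Path -ProtectedFromAccidentalDeletion $true
    }
}

# 2. Task groups (one per concrete permission set) and role groups (one per job).
$newGroup = @{ GroupScope = 'Global'; GroupCategory = 'Security'; Path = $rolesOU; PassThru = $true }
$taskResetPw  = New-ADGroup -Name 'Task-ResetUserPasswords' @newGroup
$taskLocalAdm = New-ADGroup -Name 'Task-LocalAdmin-HelpdeskWorkstations' @newGroup
$roleHelpdesk = New-ADGroup -Name 'Role-Helpdesk' @newGroup

# 3. Nesting: role -> tasks, admin account -> exactly one role.
Add-ADGroupMember -Identity $taskResetPw  -Members $roleHelpdesk
Add-ADGroupMember -Identity $taskLocalAdm -Members $roleHelpdesk

$adminAcct = New-ADUser -Name 'adm-jdoe' -SamAccountName 'adm-jdoe' -Path $accountsOU `
    -AccountPassword (Read-Host -AsSecureString 'Initial password for adm-jdoe') `
    -Enabled $true -PassThru
Add-ADGroupMember -Identity $roleHelpdesk -Members $adminAcct

# 4. Delegate the task in AD. The task group (never the role or the person) gets
#    the "Reset Password" control access right plus write on pwdLastSet, on user
#    objects only (;user), inherited to sub-objects (/I:S) below the target OU.
& dsacls $usersOU /I:S /G "$netbios\Task-ResetUserPasswords:CA;Reset Password;user"
& dsacls $usersOU /I:S /G "$netbios\Task-ResetUserPasswords:RPWP;pwdLastSet;user"

# 5. Server-side rights come from a GPO using Restricted Groups (Computer
#    Configuration > Policies > Windows Settings > Security Settings >
#    Restricted Groups). The GroupPolicy module has no cmdlet for that setting,
#    so only the GPO and its link are scripted; add Task-LocalAdmin-... to the
#    local Administrators membership in the Group Policy editor.
$gpo = New-GPO -Name 'Helpdesk Workstations - Local Administrators'
New-GPLink -Name $gpo.DisplayName -Target $wkstnOU -LinkEnabled Yes

# 6. Check: the admin OUs must not be delegated to anyone but Domain Admins.
#    The list below is the default-SD principals I expect on a new OU (an
#    assumption; adjust to your forest). BUILTIN\Account Operators is left out
#    on purpose: the default OU ACL lets it create/delete users and groups, so
#    it is flagged here and should be removed from these two OUs.
$allowed = @(
    'NT AUTHORITY\SYSTEM', 'NT AUTHORITY\SELF', 'NT AUTHORITY\Authenticated Users',
    'NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS', 'BUILTIN\Administrators',
    'BUILTIN\Pre-Windows 2000 Compatible Access', 'Everyone',
    "$netbios\Domain Admins", "$netbios\Enterprise Admins",
    "$netbios\Key Admins", "$netbios\Enterprise Key Admins"
)
foreach ($ou in $rolesOU, $accountsOU) {
    $acl = Get-Acl -Path "AD:\$ou"
    $acl.Access |
        Where-Object { $_.AccessControlType -eq 'Allow' -and $_.IdentityReference.Value -notin $allowed } |
        ForEach-Object {
            Write-Warning ("{0}: unexpected ACE for {1} ({2})" -f $ou, $_.IdentityReference, $_.ActiveDirectoryRights)
        }
}
```

Run it once as Domain Admin in a test forest first. Step 6 is the part worth keeping as a recurring check: re-run it against the admin OUs after any change, since a single extra ACE on "Roles and Tasks" lets whoever holds it add themselves to every task group.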