Re: Administrative rights on specified domain controller

I ran a corporate forest of about 400 domain controllers globally distributed in about every Time Zone in the world. This was all run by 3 domain admins in one city in the USA. Physical location really doesn't come into this, it is all about if you want to be secure or not. If you feel you really need to let others muck with a DC, more than likely you are allowing to much to be done from a DC. DCs should be very special machines doing at most domain auth and name res. If you don't have money to have multiple machines, just keep that in mind when people talk to you about security, it isn't a case where you get to be cheap and be secure generally. You have to balance it to what makes sense for you. As Jorge said though, if you give someone rights to modify a DC, be honest about it and make them a domain or enterprise admin because if they have any sense they can quickly attain that status.

--
Joe Richards Microsoft MVP Windows Server Directory Services
Author of O'Reilly Active Directory Third Edition
www.joeware.net


---O'Reilly Active Directory Third Edition now available---

http://www.joeware.net/win/ad3e.htm


Ilya wrote:
Many DC are in another towns, and i want to server operators in this town can install/remove programs (hotfix fro Windows and other), can create/delete service...

"myweb" wrote:

Hello ILYA,

Which rights should they get? Maybe than it is easier to help you with a solution without Admin rights.

Best regards

myweb
Disclaimer: This posting is provided "AS IS" with no warranties, and confers no rights.



Hi

I have domain with many DC, i want to grant some user administrative
rights only on specified DC, not for entire domain. I have read
KB240267 ("Administrators cannot be restricted in Windows 2000" -
http://support.microsoft.com/kb/240267). It's impossible for Win200,
and what about Win2003?

Thanks



.

Relevant Pages