NTDSUTIL by a remote site administrator

NTDSUTIL by a remote site administrator: Posted by Doug Fox on November 29th, 2003; A question about using NTDSUTIL by a "remote site" administrator.

Let say a Windows 2003 domain has three domain controllers (DC), one is in
New York, one is in Florida, and one is in San Jose. The DC in New York is
the "main" one being in the head office and its administrators remotely
manage the other two DCs.

Is it advisable for the Florida or San Jose site administrators to run
NTDSUTIL on their DCs provided she has domain admin or enterprise admin
credential. Is there a best practice written for this?

Any comments are appreciated.

Doug; Posted by Brian Desmond [MVP] on November 30th, 2003; Answered on win2000.active_directory. Please do not multipost.

--
--
Brian Desmond
Windows Server MVP
desmondb@payton.cps.k12.il.us

Http://www.briandesmond.com

"Doug Fox" <dfox168@hotmail.com> wrote in message
news:ucwf8astDHA.3744@TK2MSFTNGP11.phx.gbl...; Posted by Doug Fox on November 30th, 2003; Brian;

I "reposted" the message in this newsgroup as the one posted to the
win2000.active_directory did not show up after I have waited for 15 minutes.

Even I am checking my posting at win2000.active_directory rigtht now, my
posting is not there, it just shows your response.

Brian, given this situation, please help me prevent multi-posting in future.
Your advice will be greatly appreciated.

Thanks!

"Brian Desmond [MVP]" <desmondb@payton.cps.k12.il.us> wrote in message
news:eYWQjfvtDHA.2464@TK2MSFTNGP12.phx.gbl...; Posted by Brian Desmond [MVP] on December 1st, 2003; Doug-

Not a big deal. In general, it's better to crosspost if you're going to post
to multiple groups. This is where you select multiple newsgroups in the "To"
section of your article. This way, when somebody reads the message in one
group, their newsreader will mark it as read in other groups they read.

Anyway - my question to you is "What do you want to use ntdsutil for? I only
use it for cleaning up messes in the AD..."

--
--
Brian Desmond
Windows Server MVP
desmondb@payton.cps.k12.il.us

Http://www.briandesmond.com

"Doug Fox" <dfox168@hotmail.com> wrote in message
news:uXLHyt4tDHA.2440@TK2MSFTNGP12.phx.gbl...; Posted by Doug Fox on December 2nd, 2003; Our company has many sites. Each site has a domain controller. They are
remotely managed by "senior" administrators at the head office and is
supported by "less senior or experienced" administrators locally.

What would be the consequences if one of these "less experienced"
administrators runs NTDSUTIL using a variety of parameters or switches
without due authorization locally?

Doug

P.S. As I said earlier, I didn't mean/plan to post this message to more
than one group. Therefore, I did not use the feature that you have
suggested.

"Brian Desmond [MVP]" <desmondb@payton.cps.k12.il.us> wrote in message
news:uFRwDZGuDHA.2464@TK2MSFTNGP12.phx.gbl...; Posted by Brian Desmond [MVP] on December 2nd, 2003; Doug-

It really depends on what permissions your site admins have. Ideally, if you
just delegated control of OUs to them, it wouldn't be an issue really. If
they're in one of hte admin groups (domain, enterprise, schema), they could
potentially whack the domain bigtime.

--
--
Brian Desmond
Windows Server MVP
desmondb@payton.cps.k12.il.us

Http://www.briandesmond.com

"Doug Fox" <dfox168@hotmail.com> wrote in message
news:%23nM9yWHuDHA.2448@TK2MSFTNGP12.phx.gbl...

Similar Posts

remote shutdown (*.bat script) without administrator rights (Microsoft Windows) by matisq
401 The web site is blocked by administrator Error Message Help (Help and Support) by Andrew C.
Disable Remote Desktop for Administrator account.... (Security & Administration) by Barry
remote administrator help for home network (Working Remotely) by jesusbaby
Remote Administrator (Computers & Technology) by Alexander Scott Hamilton