When and how often are EA rights needed?

During the writing/reviewing of the AD Delegation whitepaper there was a
considerable amount of discussion amongst those of us involved around the
logic of delegating EA rights. It has been a while, but I believe that the
general consensus came down to exactly what Neil is describing. It is better
to manage these permissions by having a very small, very trusted group than
trying to parse the permissions out, because in the end you will probably
end up parsing those permissions out to the same few people anyway. Allowing
folks not absolutely responsible for replication/etc. to manipulate the sites
and subnets is a pretty perverted way to get your kicks, at least in my
book.
Back in the old days when I did AD ops ;o) we had three engineers and one
manager, each of whom had an admin ID in each domain of the forest. These
same folks all had normal user IDs as well, and preferably the passwords were
not in sync. The proper ID was used for the task at hand; generally, the
normal user IDs were used the majority of the time, right up until something
needed to be modified. Other than that there was VERY limited delegation for
such things as setting descriptions or membership on groups and setting
descriptions on server computer accounts. Most object creation was either
handled by the domain admins or the provisioning system. Workstations
created their own accounts during the scripted build process.
As an aside, with every passing DEC (which is obviously fresh in my mind
right now) I see delegation becoming less and less important as using
provisioning becomes more and more important. The delegation model, while
cool, has too many other shortcomings which proper provisioning handles. I
am pretty vocal in my dislike of MIIS/IIFP due to its SQL requirements (I
would like black box ESE please), but during the "MVP" RoundTable at DEC even
I thought the answer to the first several questions was MIIS, which gave me a
start. I don't see direct delegation dropping off the map tomorrow as a
viable protection mechanism, but as I mention above I truly see its
usefulness (and consequently, its use) in the future becoming more and more
limited. The easier the provisioning gets to configure and manage, the
faster this will occur.
Personally I would like to see more power in AD delegation and triggering
and rules, but if I am honest with myself I visualize IIFP/MIIS getting more
closely integrated into AD and practically running itself to provide those
functions.
I actually told Stuart Kwan of the Kwan Clan up on the stage that I
finally realized I needed to seriously start playing with MIIS. He chuckled.
But I still want ESE in the backend.
joe
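The "VERY limited delegation" model joe describes (write on description and member for groups, write on description for server computer accounts, nothing else) can be expressed as three attribute-scoped ACEs on an OU. The following PowerShell is an added example for this page, not code from the post or its author; the OU distinguished name and the delegate group name are hypothetical placeholders, and it assumes the ActiveDirectory module is present and the caller already has the right to modify the OU's security descriptor.

```powershell
# Added example (not from the original post): delegate only attribute-level
# write rights on one OU, mirroring the narrow delegation model described above.
# Assumptions: ActiveDirectory module available; caller may edit the OU's ACL;
# $TargetOU and $DelegateGroup are hypothetical placeholder names.
Import-Module ActiveDirectory

$TargetOU      = 'OU=Servers,DC=example,DC=com'   # hypothetical OU
$DelegateGroup = 'OpsGroupEditors'                # hypothetical delegate group

$schemaNC = (Get-ADRootDSE).schemaNamingContext

# Resolve schemaIDGUID for an attribute or class by lDAPDisplayName at run
# time rather than hard-coding the well-known GUIDs, so it works in any forest.
function Get-SchemaGuid {
    param([Parameter(Mandatory)][string]$LdapDisplayName)
    $obj = Get-ADObject -SearchBase $schemaNC `
                        -LDAPFilter "(lDAPDisplayName=$LdapDisplayName)" `
                        -Properties schemaIDGUID
    if (-not $obj) { throw "Schema object '$LdapDisplayName' not found" }
    [guid]$obj.schemaIDGUID
}

# WriteProperty on one attribute GUID, inherited only by objects of one class,
# is the narrowest ACE AD offers for "let this group edit field X on type Y".
function New-AttributeWriteAce {
    param(
        [Parameter(Mandatory)][System.Security.Principal.SecurityIdentifier]$Sid,
        [Parameter(Mandatory)][string]$Attribute,     # e.g. description, member
        [Parameter(Mandatory)][string]$ObjectClass    # e.g. group, computer
    )
    New-Object -TypeName System.DirectoryServices.ActiveDirectoryAccessRule -ArgumentList @(
        $Sid,
        [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty,
        [System.Security.AccessControl.AccessControlType]::Allow,
        (Get-SchemaGuid $Attribute),
        [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents,
        (Get-SchemaGuid $ObjectClass)
    )
}

$sid = (Get-ADGroup -Identity $DelegateGroup).SID
$acl = Get-Acl -Path "AD:\$TargetOU"

# Exactly the three rights named in the post, nothing broader.
$acl.AddAccessRule((New-AttributeWriteAce -Sid $sid -Attribute 'description' -ObjectClass 'group'))
$acl.AddAccessRule((New-AttributeWriteAce -Sid $sid -Attribute 'member'      -ObjectClass 'group'))
$acl.AddAccessRule((New-AttributeWriteAce -Sid $sid -Attribute 'description' -ObjectClass 'computer'))

Set-Acl -Path "AD:\$TargetOU" -AclObject $acl

# Read the ACL back and show what the delegate group can now do on this OU,
# so the result can be checked against the intent before anyone relies on it.
(Get-Acl -Path "AD:\$TargetOU").Access |
    Where-Object { $_.IdentityReference -like "*\$DelegateGroup" } |
    Select-Object ActiveDirectoryRights, ObjectType, InheritedObjectType, InheritanceType |
    Format-Table -AutoSize
```

Two caveats worth keeping in mind when applying this pattern. First, write on member is effectively "add anyone to any group under this OU", so the OU must not contain groups that carry their own privilege (anything nested into Domain Admins, server local Administrators, and so on), or the narrow ACE becomes a privilege escalation path. Second, the read-back at the end is the check that matters: confirm the ObjectType and InheritedObjectType columns show the attribute and class GUIDs you intended and that no ACE with an empty ObjectType (which would mean all properties) slipped in.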