I work for a very large organization. While we don’t work at the corporate headquarters, my team and I are responsible for hundreds of servers as well as backups and other equipment.

  1. We are all joined to the primary company domain. All our servers are on the main domain.
  2. Our team doesn’t provision user accounts. We have no control over Active Directory and user groups.
  3. Most critical, we have no control over group policy.

We are dying here without group policy. It’s been ages since I’ve studied multi-domain forests, but this completely sounds like a point where my team needs our own sub-domain (likely with a one-way trust). Is this correct? We could then be given authority and be able to apply group policy to our equipment, etc.

Am I on the right track?

@Microsoft

15 Spice ups

I’m pretty sure it’s possible to delegate permissions for a specific OU to allow others control over that OU only. I’m in too small of a shop to have had to worry about it yet, but it might be worth looking into. It would be much simpler than a child domain if it does work.

2 Spice ups

I think you need to talk to your corporate office. If they are creating the accounts they likely do not want you to make a child domain and it also will be a lot of work to do. I think the best solution would be to delegate the need permissions for your site from the primary domain.

9 Spice ups

You can be granted permissions through AD granularly. You can be granted access to manage accounts on a specific OU tree.

6 Spice ups

Stay clear of multiple domains, they are a security nightmare. Some applications don’t even work across domains.
I work with a multinational, and it’s just one domain with security & GPOs at OU level. It works well.
I suggest that you talk to the corporate people to let you create GPOs in an OU that you own.

3 Spice ups

All domains in a forest have an explicit transitive two-way trust; it’s recommended not to remove the default automatically generated intra-forest trusts. Though, I honestly can’t remember at this point if it’s even possible to remove/modify these trusts.

What you are attempting to do is ill-advised; and likely impossible (unless one of your local staff is an Enterprise Admin). Not only would it be improper for you to “go rogue” with your own child domain, but it would be highly unprofessional for any community member to recommend the same. Multi-domain environments have fewer and fewer legitimate/recommended purposes. Your situation does not sound like one of them; a single-domain forest is usually best.

It has been mentioned above; requesting delegated permissions for one or more appropriate OUs (or even requesting that AD be restructured for this purpose) would be more prudent - combined with the delegation of permissions to manage group policy for the same OUs. If your domain is running 2008+, you could even ask to set up a Fine-Grained Password Policy using Password Settings Objects; though, even with delegated permissions to a specified OU, I believe you would still need Domain Admin-equivalent permissions to set these up as the Password Settings Container isn’t actually in your OU.

2 Spice ups
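What the OU-delegation route described in the posts above looks like when the corporate AD team actually grants it, as an added example (not from any poster in this thread). Names are placeholders: domain `contoso.local`, the branch team’s group `BranchServerAdmins`, and an OU `OU=BranchServers`; it must be run by someone who already holds Domain Admin-equivalent rights, i.e. corporate, not the branch team.

```powershell
# Added example: delegate GPO authority over one OU to a group.
# Placeholders: contoso.local, OU=BranchServers, CONTOSO\BranchServerAdmins.
Import-Module ActiveDirectory
Import-Module GroupPolicy

$ou    = 'OU=BranchServers,DC=contoso,DC=local'
$group = 'CONTOSO\BranchServerAdmins'

# 1. Link GPOs to the OU: GPMC's "Link GPOs" delegation is read/write on the
#    gPLink and gPOptions attributes, applied to the OU and its sub-OUs (/I:T).
dsacls $ou /I:T /G "${group}:RPWP;gPLink" "${group}:RPWP;gPOptions"

# 2. Create GPOs: membership of Group Policy Creator Owners grants this.
Add-ADGroupMember -Identity 'Group Policy Creator Owners' -Members 'BranchServerAdmins'

# 3. Seed a baseline GPO, link it to the OU and hand the group edit rights on it.
$gpo = New-GPO -Name 'Branch Servers Baseline' -Comment 'Owned by the branch team'
New-GPLink -Name $gpo.DisplayName -Target $ou -LinkEnabled Yes
Set-GPPermission -Name $gpo.DisplayName -TargetName 'BranchServerAdmins' `
    -TargetType Group -PermissionLevel GpoEditDeleteModifySecurity

# 4. Verify: the group should now appear under Delegation for the GPO
#    (and under the OU's Delegation tab in GPMC for linking).
Get-GPPermission -Name $gpo.DisplayName -All |
    Where-Object { $_.Trustee.Name -eq 'BranchServerAdmins' }
```

Nothing here touches the Password Settings Container, so the caveat in the post above still applies: a fine-grained password policy still needs corporate to create the PSO.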

I would also advise against Child domains, they are cumbersome and a pain.

There is obviously a reason you don’t have access to things, creating a child domain so you have access to things unnecessarily is pointless.

Elaborate - why are you dying without it? If you are talking about your skills or lack of in this area, build a lab; your company obviously has a reason you do not have access to the things you may wish to have access to…

1 Spice up

If your functional level is higher than 2008 you can actually apply a Fine-grained password policy to users of an OU. You can also delegate control to users outside of Domain Admins to the Password Settings Container but I’m unsure what other implications that has. I kinda doubt corporate IT would be willing to do that for security sake though.

Rod-IT: The problem is not from a lack of skillset in Group Policy.

Everyone, I think the consensus is quite clear: child domains are a bad idea (especially with newer fine-grained password policies which are available starting in 2008). It sounds like the real solution is delegated permissions over an OU. This makes sense. Now to see if we can get through the red tape with corporate and make it happen… Thank you for all of your help.

If they for some reason won’t honor the request you could always use both PsTools and PowerShell to automate a lot of configurations across all computers. You could even do a .txt file with a list of all the computers’ host names and pull that in when running the scripts.

3 Spice ups
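The fallback suggested in the post above, scripting a setting out to a host list when no GPO rights are granted, as an added example that is not the poster’s own script. It assumes a constructed `.\servers.txt` with one hostname per line, WinRM enabled on the targets, and that the caller is a local administrator on each; the setting pushed (disabling the SMBv1 server) is just a representative hardening item.

```powershell
# Added example: enforce one setting on every host in a text file and record
# which hosts were missed, since a script has no "apply eventually" like GPO does.
# Assumed input file: .\servers.txt, one hostname per line.
$hosts = Get-Content -Path '.\servers.txt' | Where-Object { $_.Trim() -ne '' }

# The setting to enforce, run remotely on each host. Returns before/after state
# so the run can be audited instead of trusted blindly.
$enforce = {
    $before = (Get-SmbServerConfiguration).EnableSMB1Protocol
    if ($before) {
        Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
    }
    [pscustomobject]@{
        Host   = $env:COMPUTERNAME
        Before = $before
        After  = (Get-SmbServerConfiguration).EnableSMB1Protocol
    }
}

# Fan out in parallel; hosts that cannot be reached land in $failures rather
# than stopping the whole run.
$results = Invoke-Command -ComputerName $hosts -ScriptBlock $enforce `
    -ThrottleLimit 32 -ErrorAction SilentlyContinue -ErrorVariable failures

$results | Select-Object Host, Before, After | Sort-Object Host | Format-Table -AutoSize

# Keep the list of unreachable hosts for a retry; for a remoting failure the
# error record's TargetObject is the computer name that did not answer.
$failures | ForEach-Object { $_.TargetObject } |
    Set-Content -Path ".\failed-$(Get-Date -Format yyyyMMdd-HHmm).txt"
```

Compared with a GPO, note what this does not give you: no tattooing-free rollback, no enforcement on hosts that were offline at run time unless you re-run against the failed list, and a script account that needs admin rights on every target.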

Child domain.

It’s related to Microsoft’s Active Directory and it’s only a technical expression that illustrates a dependent node on a hierarchical structure.

Using an actual child photo to illustrate that shows at best a poor judgement from the Spiceworks staff member that set that to Featured.

Here’s another option:


Maybe not the right framing, but can you notice the difference?

As for the question itself, a child domain would provide you a good way to enforce GPO across all the structure, enforcing company-wide rules without losing the ability to define local and sub-domain rules.

1 Spice up

If you have a problem with it contact the CMs. There’s no reason to derail a good thread for that. community_managers@spiceworks.com

1 Spice up

I loved the picture. I thought it was absolutely hilarious.

3 Spice ups

Migrating to and from a child domain is no small task. My advice is if you cannot work with a stand-alone domain, shoot for OU-based delegation under the single domain.

We share a domain with our parent company and several other business groups. They make very little use of GP, but we use them extensively. It took a while, but they were able to see that as long as all work was under an OU other business groups were not impacted.

1 Spice up

Boss was looking at me funny when he saw the child photo splashed up on my 22" external monitor…

1 Spice up

I completely disagree on all levels with this and suspect that your complaint comes from an apparent total lack of sense of humor.

I think the picture is perfect, personally, and feel that the Spiceworks staff would show poor judgment if they changed it :wink:

1 Spice up

Yes, complete sense of humour & technical bypass here.

2 Spice ups

Everyone seems to agree - child domains are bad.

I have first hand experience with this - my former (idiot) boss wanted a way to be able to ‘disconnect’ one of our offices quickly (in case that unit left the parent company). For some reason he was super paranoid about their local admin having access to the rest of the network.

I explained to him we could set up an admin account in AD and delegate authority to a specific OU. He decided to listen to the consultant we were talking to about upgrading from NT to 2003 at the time.

Me and the other guy in the IT department both recommended the OU approach while the consultant recommended a child domain for each city we had an office in. One parent and three child domains. Mind you, this was for a company with a total of three offices and about 300 employees at most.

My boss ended up going with the child domains over our objections. It was always a pain in the posterior. We got bought a few years later and my new boss asked “what the &^!” was up with the child domains. He completely agreed that was a horrible decision. It was very satisfying because new boss was actually very technically savvy and quickly fired the old boss.

2 Spice ups