This was an outstanding post and I thought it should be copied here…
From: ActiveDir-owner@mail.activedir.org On Behalf Of Don Hacherl
Sent: Sunday, September 07, 2008 12:52 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Delegating Start/Stop Service on DCs
Years ago I worked with a “domain admin qualified” person at Microsoft who fat-fingered the admin UI and deleted a container instead of the object he was intending. The container was named “North America”, and that was the night we wrote our first authoritative restore tool. (Later he said “I wondered why it was taking so long to finish.”)
A tightly constrained proxy program can be more reliable and less dangerous than a distracted human administrator.
Don
I love this part the most: “less dangerous than a distracted human administrator”
The one thing I’ve been surprised by is that Microsoft hasn’t really made great improvements over the AD delegation model from 2000 to 2003 to 2008. Companies like NetIQ and Quest fill that role but those solutions are not cheap.
I sometimes wonder if they haven’t done much so that companies like Quest and NetIQ can thrive. Maybe a gentleman’s agreement.