
Administration of delegation

Created: 03 Jul 2009
Al Wilson

We have 15 comprehensive schools to which we need to delegate control through the SEP Manager Console.

Each school has its own Active Directory parent OU. There are two ways of delegating control to the schools' administrators:-

1. Import the relevant parent OUs into the Default domain in SEPM console. Create Limited Admins in Default domain. Grant Limited Admins access to relevant child OUs.

2. Create one domain per school. Import relevant child OUs into domain. Create Limited Admin in school's domain.

There are different problems in administration that arise with either solution:-

1. Locking down several hundred OUs 15 times is not practical, is time consuming, and would require monitoring in case new OUs are created.

2. Policies are not inherited from the Default domain to the other domains. 15 additional sets of policies would have to be created. If any organisation-wide policy change had to be made, it would have to be made 16 times.

The solutions to both issues involve inheritance, as I see it:-

1. Enable inheritance for permissions on groups/imported OUs, maybe even have the option (should not be mandatory) of importing security rights from the AD when you import the OUs. Setting access rights for Limited Administrators would therefore be unnecessary. Maybe security rights could just be read from the Domain Controllers rather than importing them, to save space and improve performance on the SEP database.

2. Enable inheritance for policies between domains. The Super Administrators could then propagate from the Default domain any changes that need to be applied to policies in all domains. It would also speed up the set-up of the policies, saving us having to set identical policy settings for 16 different domains.

We are currently implementing option 2 as it requires far less set-up time, and ongoing administration time.
Implementing inheritance would save a lot of time and make administration much easier.

Regards,
Al.