Rick, Any further ideas? Gil? Michael Homsey Telecommunications and Industrial Physics CSIRO, Australia
-----Original Message----- From: Rick Kingslan [mailto:[EMAIL PROTECTED]] Sent: Tuesday, 17 September 2002 2:16 PM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] setting/restricting permissions on objects in OU tree Michael, Good question here, and one that I haven't run into - hence don't have an answer. 10 minutes of looking at my references didn't turn up anything. I'll keep looking, because I remember reading something about this andit's kinda bugging me now. Gil, if you're reading this - what do you know about this? Rick Kingslan - Microsoft MVP [Windows NT/2000] Microsoft Certified Trainer MCSA, MCSE+I - Windows NT / 2000 "Any sufficiently advanced technology is indistinguishable from magic." --- Arthur C. Clarke > -----Original Message----- > From: [EMAIL PROTECTED] > [mailto:[EMAIL PROTECTED]] On Behalf Of > [EMAIL PROTECTED] > Sent: Monday, September 16, 2002 9:53 PM > To: [EMAIL PROTECTED] > Subject: RE: [ActiveDir] setting/restricting permissions on > objects in OU tree > > > Thanks Rick, > there must be something i am missing. > I can restrict the changes to the immediate OU so its > permissions cannot be changed. I can restrict the objects > created (eg nesting of OUs ) and the computer objects. > However, if I create a sub-ou, it allows me to disconnect the > inherited permissions with the check box. which privelege > turns this off? > > Michael Homsey > > -----Original Message----- > From: Rick Kingslan [mailto:[EMAIL PROTECTED]] > Sent: Monday, 16 September 2002 9:48 AM > To: [EMAIL PROTECTED] > Subject: RE: [ActiveDir] setting/restricting permissions on > objects in OU tree > > > Go to the advanced ACLs of the user / group that you want to > remove the ability to change permissions and remove the > 'Modify Permissions' permission at that level. > > This must be done in the Advanced mode of the Security of the > object(s) that you want to affect. > > Rick Kingslan - Microsoft MVP [Windows NT/2000] > Microsoft Certified Trainer > MCSA, MCSE+I - Windows NT / 2000 > > "Any sufficiently advanced technology > is indistinguishable from magic." > --- Arthur C. Clarke > > > > > > > -----Original Message----- > > From: [EMAIL PROTECTED] > > [mailto:[EMAIL PROTECTED]] On Behalf Of > > [EMAIL PROTECTED] > > Sent: Sunday, September 15, 2002 6:17 PM > > To: [EMAIL PROTECTED] > > Subject: [ActiveDir] setting/restricting permissions on > > objects in OU tree > > > > > > Dear all, > > > > I wish to be able to delegate the creation of OUs and > > specific objects in an OU tree. Giving the permission to > > create an OU allows the creator to change permissions and > > cirumvent controls on the OU subtree. > > > > If I wanted peopleto manage a certain type of object eg > > create/deleet computer accounts full control of computer accounts > > > > create delete sub OUs, but not change permissions so that > > they could create delete people objects, > > > > Whats set of permissiosn are need on the parent oU to achieve this? > > > > > > Michael Homsey > > CSIRO Australia > > List info : http://www.activedir.org/mail_list.htm > > List FAQ : http://www.activedir.org/list_faq.htm > > List archive: > > http://www.mail-archive.com/activedir%> 40mail.activedir.org/ > > > > > List info : http://www.activedir.org/mail_list.htm > List FAQ : http://www.activedir.org/list_faq.htm > List archive: > http://www.mail-archive.com/activedir%> 40mail.activedir.org/ > > List info : > http://www.activedir.org/mail_list.htm > List FAQ : http://www.activedir.org/list_faq.htm > List archive: > http://www.mail-archive.com/activedir%> 40mail.activedir.org/ > List info : http://www.activedir.org/mail_list.htm List FAQ : http://www.activedir.org/list_faq.htm List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ List info : http://www.activedir.org/mail_list.htm List FAQ : http://www.activedir.org/list_faq.htm List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
