Hi all,

My question centers upon restricting the ability of OU Admins to create Universal Groups but allowing them to create Global Groups and of course Domain Local Groups.

The design involves OUs based on geographical locations and we would like local administration to be able to create almost all objects except for things that are central in nature. My greatest concern is if they start populating UGs with domain user accounts and other non-recommended practices, then we'll have replication chaos throughout the forest and eventually an administration nightmare. I haven't really hit the test lab with the above scenario, but from memory the advanced ACL permissions focus upon group objects in general. Does anyone know whether this can be achieved?

Thanks,

List info : http://www.activedir.org/mail_list.htm
List FAQ : http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
