Devan, Once you are in a Native mode domain and you have granted someone the ability to CREATE groups - I have no information that tells me that you can limit the TYPES of groups that one can create.
This, currently, might be a situation to where you have to put a policy - with a penalty - in place to control the creation of Universal groups without change control or justification. Maybe someone else will have more light to shed on this. Rick Kingslan - Microsoft MVP [Windows NT/2000] Microsoft Certified Trainer MCSA, MCSE+I - Windows NT / 2000 "Any sufficiently advanced technology is indistinguishable from magic." --- Arthur C. Clarke > -----Original Message----- > From: [EMAIL PROTECTED] > [mailto:[EMAIL PROTECTED]] On Behalf Of Devan Pala > Sent: Thursday, September 26, 2002 9:18 PM > To: [EMAIL PROTECTED] > Subject: [ActiveDir] Restricting the ability to create > Universal Groups > > > Hi all, > > My question centers upon restricting OU Admins the ability to create > Universal Groups but allowing them to create Global Groups > and of course > Domain Local Groups. > > The design involves OUs based on geographical locations and > we would like > local administration to be able to create almost all objects > except for > things that are central in nature. > > My greatest concern is if they start populating UGs with domain user > accounts and other non-recommended practices then we'll have > replication > chaos through-out the forest and eventually a administration > nightmare. > > I haven't really hit the test lab with the above scenario but > from memory > the advanced ACL permissions focus upon group objects in > general. Does > anyone know whether this can be acheived? > > Thanks, > > > > > > > > > > > > > _________________________________________________________________ > Send and receive Hotmail on your mobile device: http://mobile.msn.com > > List info : http://www.activedir.org/mail_list.htm > List FAQ : http://www.activedir.org/list_faq.htm > List archive: > http://www.mail-archive.com/activedir%> 40mail.activedir.org/ > List info : http://www.activedir.org/mail_list.htm List FAQ : http://www.activedir.org/list_faq.htm List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
