I can think of ways to run cleanup scripts on a schedule to do this. The Universal Group is designated via a specific bit value or some other designation. The script could look for that designation, look at the creator/owner of the object and check it against an authorized list. If the creator/owner is not in the list, the object is deleted. This doesn't keep them from creating the group; it just may help you get a handle on the situation. The way Aelita (the company that pays my bills <G>) handles this situation is with the 'rules and roles' engine of Enterprise Directory Manager.
The way the product works is that on creation or modification of an object, any policy objects (Aelita policy objects) that are hung on the specific container will execute. We have a script that runs prior to the commit to the directory that checks whether the user is creating a Universal Group and then checks their permissions. If the user is denied creating the UG via the script and permissions (access templates), our EDM engine will not write to AD. This is how we handle it; I am sure that our competitors have similar features. Please contact me offline if you need some further explanation of our product.

Kevin

-----Original Message-----
From: Rick Kingslan [mailto:[EMAIL PROTECTED]]
Sent: Thursday, September 26, 2002 10:32 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Restricting the ability to create Universal Groups

Devan,

Once you are in a Native mode domain and you have granted someone the ability to CREATE groups - I have no information that tells me that you can limit the TYPES of groups that one can create. This, currently, might be a situation where you have to put a policy - with a penalty - in place to control the creation of Universal groups without change control or justification.

Maybe someone else will have more light to shed on this.

Rick Kingslan - Microsoft MVP [Windows NT/2000]
Microsoft Certified Trainer
MCSA, MCSE+I - Windows NT / 2000
"Any sufficiently advanced technology is indistinguishable from magic." --- Arthur C. Clarke

> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Devan Pala
> Sent: Thursday, September 26, 2002 9:18 PM
> To: [EMAIL PROTECTED]
> Subject: [ActiveDir] Restricting the ability to create Universal Groups
>
> Hi all,
>
> My question centers upon restricting OU Admins the ability to create Universal Groups but allowing them to create Global Groups and, of course, Domain Local Groups.
>
> The design involves OUs based on geographical locations and we would like local administration to be able to create almost all objects except for things that are central in nature.
>
> My greatest concern is if they start populating UGs with domain user accounts and other non-recommended practices then we'll have replication chaos throughout the forest and eventually an administration nightmare.
>
> I haven't really hit the test lab with the above scenario but from memory the advanced ACL permissions focus upon group objects in general. Does anyone know whether this can be achieved?
>
> Thanks,

List info : http://www.activedir.org/mail_list.htm
List FAQ : http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
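An added example, not part of the thread or of any product it mentions, of the scheduled cleanup script Kevin sketches at the top: it selects groups by the Universal bit in groupType, compares the object owner against an authorized list, reports the rest, and removes them only when asked. The module is the Microsoft ActiveDirectory module; the search base and the authorized owner names are placeholders.

```powershell
# Added example (not from the thread): audit Universal Groups by owner.
# Requires the ActiveDirectory module; OU and owner names below are placeholders.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    # Subtree to audit (placeholder DN; the geographic OUs from the thread would go here)
    [string]$SearchBase = 'OU=Regions,DC=example,DC=com',
    # Accounts allowed to own Universal Groups (placeholder names)
    [string[]]$AuthorizedOwners = @('EXAMPLE\Domain Admins', 'EXAMPLE\CentralGroupAdmins'),
    # Default is report-only; removal happens only with -Remove (honours -WhatIf / -Confirm)
    [switch]$Remove
)
Import-Module ActiveDirectory

# groupType is a bit field; 0x8 (ADS_GROUP_TYPE_UNIVERSAL_GROUP) marks a Universal Group,
# 0x80000000 marks it security-enabled. The LDAP bitwise-AND rule matches only groups
# whose Universal bit is set, so no client-side filtering over all groups is needed.
$UniversalBit = 0x8
$filter = "(groupType:1.2.840.113556.1.4.803:=$UniversalBit)"

$groups = Get-ADGroup -LDAPFilter $filter -SearchBase $SearchBase -SearchScope Subtree `
            -Properties groupType, nTSecurityDescriptor, whenCreated

foreach ($g in $groups) {
    # The security descriptor owner is the creator by default. Caveat: when the creator
    # is a member of Domain Admins the owner is recorded as Domain Admins, not the user,
    # so delegated OU admins are identifiable here but domain admins are not.
    $owner = $g.nTSecurityDescriptor.Owner
    if ($AuthorizedOwners -contains $owner) { continue }

    # Emit a record for each Universal Group with an unauthorized owner
    [pscustomobject]@{
        Group     = $g.DistinguishedName
        Owner     = $owner
        Created   = $g.whenCreated
        GroupType = ('0x{0:X8}' -f $g.groupType)   # e.g. 0x80000008 = security Universal
    }

    if ($Remove -and $PSCmdlet.ShouldProcess($g.DistinguishedName, 'Remove unauthorized Universal Group')) {
        Remove-ADGroup -Identity $g -Confirm:$false
    }
}
```

Run it from a scheduled task without -Remove first and review the report; pipe the output to Export-Csv if you want a paper trail before enabling removal.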
