Hi All:
At least around here, Robbie's "Tuna book" has yet to hit the shelves. And
Microsoft's whitepaper on delegation is still a month away. Other references on
delegation appear scant at best. So here's the problem that I have been tearing my
hair out on (and I didn't have much to start with! 8-) ):
We would like to delegate *almost* all rights to the various Divisional OUs we have to
various OU admin groups. We'll let them do anything they want to *except*: 1) create
accounts; 2) delete accounts; 3) rename accounts; and 4) reset passwords. We have
other groups for #4. You'd think this is a relatively easy task. So far, my
experiences show otherwise. Using the Delegation Wizard, it would seem reasonable to
give the OU admin groups the following permissions in the respective OU:
1) Full Control, applied to this object and all child objects
2) Create/Delete User Object, applied to this object and all child objects...then set
it to Deny
3) Reset Password, applied to User Objects...then set it to Deny
4) Write Property, Write Logon Name (pre-Windows 2000)...then set it to Deny
5) Write Property, Write Logon Name...then set it to Deny
So far, the admin groups cannot create a user account (good!); they cannot reset a
user's password (good!); they cannot rename an account (good!); BUT they can *still*
delete a user account (very bad!). Any help is certainly appreciated! Thanks.
Mike Thommes
List info : http://www.activedir.org/mail_list.htm
List FAQ : http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
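An added example (not part of the post above) for auditing the delegation described in it and closing the gap it reports: a delete succeeds if either Delete Child for the user class is allowed on the parent OU or Delete/Delete Subtree is allowed on the user object itself, and Full Control inherited onto the user objects grants the second path even when the first is denied. The OU distinguished name, domain and group name are hypothetical; the user-class schema GUID is the standard one.

```powershell
# Added example, not from the original post. Assumes the RSAT ActiveDirectory module;
# the OU, domain and group below are hypothetical placeholders to adjust before use.
Import-Module ActiveDirectory

$OuDn      = "OU=Division1,DC=example,DC=com"          # hypothetical divisional OU
$GroupSam  = "Division1-OUAdmins"                       # hypothetical OU admin group
$GroupNt   = "EXAMPLE\$GroupSam"                        # same group as NT account name
$UserClass = [Guid]"bf967aba-0de6-11d0-a285-00aa003049e2"  # schema GUID of the user class

$acl = Get-Acl -Path "AD:\$OuDn"

# 1. Audit: list every ACE for the group that carries a right able to delete a user.
#    GenericAll (Full Control) includes Delete, DeleteTree and DeleteChild, so an
#    Allow of Full Control on "this object and all child objects" shows up here too.
$deleteRights = [System.DirectoryServices.ActiveDirectoryRights]'Delete, DeleteTree, DeleteChild'
$acl.Access |
    Where-Object { $_.IdentityReference.Value -eq $GroupNt -and
                   ($_.ActiveDirectoryRights -band $deleteRights) } |
    Select-Object AccessControlType, ActiveDirectoryRights, ObjectType,
                  InheritedObjectType, InheritanceType |
    Format-Table -AutoSize

# 2. Mitigation: deny both delete paths. Inherited Deny ACEs are ordered before
#    inherited Allow ACEs, so they take precedence over the inherited Full Control.
$sid = (Get-ADGroup -Identity $GroupSam).SID

# Parent-side path: deny DeleteChild for the user class on the OU and every sub-OU.
$denyDeleteChild = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $sid,
    [System.DirectoryServices.ActiveDirectoryRights]::DeleteChild,
    [System.Security.AccessControl.AccessControlType]::Deny,
    $UserClass,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All)

# Object-side path: deny Delete and DeleteTree on descendant user objects themselves.
$denyDeleteSelf = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $sid,
    ([System.DirectoryServices.ActiveDirectoryRights]::Delete -bor
     [System.DirectoryServices.ActiveDirectoryRights]::DeleteTree),
    [System.Security.AccessControl.AccessControlType]::Deny,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents,
    $UserClass)

$acl.AddAccessRule($denyDeleteChild)
$acl.AddAccessRule($denyDeleteSelf)
Set-Acl -Path "AD:\$OuDn" -AclObject $acl
```

Full Control also carries Write DACL and Write Owner, so a group holding it can remove these Deny ACEs; a delegation built from a positive list of the rights actually needed, rather than Full Control minus denies, avoids that and is easier to audit.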