You don't want to go this way, they can sidestep your delegation by
rewriting permissions on the objects, that is part of the FC part of it...
Additionally if someone has FC for OUs/Containers they can set up new
OUs/Containers and make any perms they want under those. 

You should figure out exactly what rights these folks need down to the last
one and delegate those specifically. Carte blanche FC this and all children
will get you in a bad place if the people ever figure out what they have. 

Also should the admins be able to expire or unexpire users? What about
disabling them or reactivating them from a disabled state?

What exactly do you want them to be able to do? Line by line. That is the
way to attack it. Most likely you will grant a couple of property sets and
then maybe FC to, say, computers or so... 


  joe



-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Thommes, Michael M.
Sent: Tuesday, October 07, 2003 3:51 PM
To: Active Directory Mailing List (E-mail)

Hi All:
     At least around here, Robbie's "Tuna book" has yet to hit the shelves.
And Microsoft's whitepaper on delegation is still a month away.  Other
references on delegation appear scant at best.  So here's the problem that I
have been tearing my hair out on (and I didn't have much to start with!  8-)
):

We would like to delegate *almost* all rights to the various Divisional OUs
we have to various OU admin groups.  We'll let them do anything they want to
*except*: 1) create accounts; 2) delete accounts; 3) rename accounts; and 4)
reset passwords.  We have other groups for #4.  You'd think this is a
relatively easy task.  So far, my experiences show otherwise.  Using the
Delegation Wizard, it would seem reasonable to give the OU admin groups the
following permissions in the respective OU:

1) Full Control, applied to this object and all child objects
2) Create/Delete User Object, applied to this object and all child
objects... then set it to Deny
3) Reset Password, applied to User Objects... then set it to Deny
4) Write Property, Write Logon Name (pre-Windows 2000)... then set it to Deny
5) Write Property, Write Logon Name... then set it to Deny

So far, the admin groups cannot create a user account (good!); they cannot
reset a user's password (good!); they cannot rename an account (good!); BUT
they can *still* delete a user account (very bad!).   Any help is certainly
appreciated!  Thanks.

Mike Thommes
List info   : http://www.activedir.org/mail_list.htm
List FAQ    : http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
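The access check behind the result Mike reports, as an added example that is not part of the thread: a toy Python model of Windows DACL evaluation (constructed and simplified, with rights as names instead of access-mask bits; the ACE lists and function names are assumptions). It shows that the Deny on Create/Delete User blocks the Delete Child path on the OU, while the inherited Full Control still carries DELETE on each user object, which is the second path that makes a delete succeed; the least-privilege variant follows Joe's advice and grants neither.

```python
from dataclasses import dataclass

# Rights are modelled as names rather than access-mask bits (simplification).
DELETE = "DELETE"              # standard right held on the object itself
DELETE_CHILD = "DELETE_CHILD"  # object-specific right held on the parent
FULL_CONTROL = frozenset({DELETE, DELETE_CHILD, "CREATE_CHILD",
                          "WRITE_PROP", "RESET_PASSWORD"})

@dataclass
class Ace:
    allow: bool
    rights: frozenset
    inherited: bool = False  # came from an inheritable ACE on a parent

def access_check(dacl, requested):
    """Canonical DACL order: explicit deny, explicit allow, inherited deny,
    inherited allow. The first deny touching a still-ungranted right wins."""
    remaining = set(requested)
    for ace in sorted(dacl, key=lambda a: (a.inherited, a.allow)):
        if not remaining:
            break
        if ace.allow:
            remaining -= ace.rights
        elif ace.rights & remaining:
            return False
    return not remaining

def can_delete(parent_dacl, object_dacl):
    """An object is deletable when the caller holds DELETE on the object
    itself or DELETE_CHILD (for its class) on the parent container."""
    return (access_check(object_dacl, {DELETE})
            or access_check(parent_dacl, {DELETE_CHILD}))

# Mike's delegation (constructed ACEs): inheritable Full Control on the OU,
# Deny Create/Delete User on the OU, Deny Reset Password on user objects.
OU_DACL = [Ace(True, FULL_CONTROL),
           Ace(False, frozenset({"CREATE_CHILD", DELETE_CHILD}))]
USER_DACL = [Ace(True, FULL_CONTROL, inherited=True),
             Ace(False, frozenset({"RESET_PASSWORD"}), inherited=True)]

# Joe's approach: enumerate the rights actually needed and grant only those.
LP_OU_DACL = []
LP_USER_DACL = [Ace(True, frozenset({"WRITE_PROP"}), inherited=True)]

def full_control_setup():
    return can_delete(OU_DACL, USER_DACL)        # True: DELETE via inherited FC

def least_privilege_setup():
    return can_delete(LP_OU_DACL, LP_USER_DACL)  # False: neither path granted
```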
