Hi Al (and Joe),
Thanks for the responses. Al, that is correct, the OU Admin can still delete the
user object. And yes, I think that is the last thing that I want to accomplish.
However, Joe's previous reply gives me cause for concern about the Full Control issue.
The bottom line is that I don't want to restrict what the OU admins can do in their
respective OUs, except I do not want them to create a user account, nor delete an
already existing user account, nor rename the user account, nor reset the password.
We view our domain accounts as sacred; they are never to be deleted (disabled, yes)
and the creation of domain accounts is done through a special process that is done by
a single office so that the appropriate business rules are followed.
The Delegation Wizard GUI poses a question. If you start getting granular for a
particular permission and "uncheck" the Allow box, it would appear that the ability to
do that particular operation then rests on maybe inherited permissions or some other
"gray" area. By explicitly checking the Deny box, it becomes (at least to me) a very
"black and white" issue, since "Deny" takes precedence.
Am I missing a bigger picture here? I really am looking forward to getting my hands
on Robbie's book and the MS whitepaper on delegation! Keep the comments coming!
Mike Thommes
-----Original Message-----
From: Mulnick, Al [mailto:[EMAIL PROTECTED]
Sent: Wednesday, October 08, 2003 9:52 AM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] OU Delegation question
Just so we have it straight, once you set the deny permission, they're still
able to delete an account but not create one? Is that about it?
Is that the last of what you need to accomplish as well?
-----Original Message-----
From: Thommes, Michael M. [mailto:[EMAIL PROTECTED]
Sent: Tuesday, October 07, 2003 3:51 PM
To: Active Directory Mailing List (E-mail)
Subject: [ActiveDir] OU Delegation question
Hi All:
At least around here, Robbie's "Tuna book" has yet to hit the shelves.
And Microsoft's whitepaper on delegation is still a month away. Other
references on delegation appear scant at best. So here's the problem that I
have been tearing my hair out on (and I didn't have much to start with! 8-)
):
We would like to delegate *almost* all rights to the various Divisional OUs
we have to various OU admin groups. We'll let them do anything they want to
*except*: 1) create accounts; 2) delete accounts; 3) rename accounts; and 4)
reset passwords. We have other groups for #4. You'd think this is a
relatively easy task. So far, my experiences show otherwise. Using the
Delegation Wizard, it would see reasonable to give the OU admin groups the
following permissions in the respective OU:
1) Full Control, applied to this object and all child objects
2) Create/Delete User Object, applied to this object and all child
objects....then set it to Deny
3) Reset Password, applied to User Objects...then set it to Deny
4) Write Property, Write Logon Name (pre-Windows 2000)...then set it to Deny
5) Write Property, Write Logon Name...then set it to Deny
So far, the admin groups cannot create a user account (good!); they cannot
reset a user's password (good!); they cannot rename an account (good!); BUT
they can *still* delete a user account (very bad!). Any help is certainly
appreciated! Thanks.
Mike Thommes
List info : http://www.activedir.org/mail_list.htm
List FAQ : http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
List info : http://www.activedir.org/mail_list.htm
List FAQ : http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
List info : http://www.activedir.org/mail_list.htm
List FAQ : http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
