Brian,

And other such oddities, such as the ability to 'force' down through the
structure of NTFS files and folders a new ACE for a Security Principal that
has no permissions at all, and in fact - is denied access in other
conceivable ways.

Yeah, I like that feature in Security Explorer... 

;o)

Rick Kingslan  MCSE, MCSA, MCT
Microsoft MVP - Active Directory
Associate Expert
Expert Zone - www.microsoft.com/windowsxp/expertzone
 

-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Brian Small
Sent: Wednesday, October 08, 2003 12:11 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] OU Delegation question

Hi Michael,

The reason the OU Admin can still delete the user object is because of the
Full Control ACE you added. When deleting an object, the operating system
first looks at the object itself to see if the caller has the Delete
permission. If not, it then goes to its PARENT (in this case an OU) to see
if the caller has the Delete Subtree permission. Therefore, if you follow
your current model, you can deny the "Delete Subtree" permission as well as
the "Modify Permissions" permission to achieve your results. You will also
see a similar behavior in NTFS permissions where users can "mysteriously"
delete files that they have as read only. If you look at the parent folder,
they will have the "Delete Subfolders and Files" permission (associated with
Full Control).

I hope this helps.

All the best,

Brian Small
President 

======================
Small Wonders Software
[EMAIL PROTECTED]
http://www.smallwonders.com
======================

IMPORTANT - This e-mail message (and attachments) may contain information
that is confidential to Small Wonders Software. If you are not the intended
recipient you cannot use, distribute or copy the message or attachments. In
such a case, please notify the sender by return e-mail immediately and erase
all copies of the message and attachments.  Opinions, conclusions and other
information in this message and attachments that do not relate to the
official business of Small Wonders Software are neither given nor endorsed
by it.


-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Thommes, Michael M.
Sent: Wednesday, October 08, 2003 11:10 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] OU Delegation question

Hi Al (and Joe),
    Thanks for the responses.  Al, that is correct, the OU Admin can still
delete the user object.  And yes, I think that is the last thing that I want
to accomplish.  However, Joe's previous reply gives me cause for concern
about the Full Control issue.  The bottom line is that I don't want to
restrict what the OU admins can do in their respective OUs, except I do not
want them to create a user account, nor delete an already existing user
account, nor rename the user account, nor reset the password.  We view our
domain accounts as sacred; they are never to be deleted (disabled, yes) and
the creation of domain accounts is done through a special process that is
done by a single office so that the appropriate business rules are followed.

The Delegation Wizard GUI poses a question.  If you start getting granular
for a particular permission and "uncheck" the Allow box, it would appear
that the ability to do that particular operation then rests on maybe
inherited permissions or some other "gray" area.  By explicitly checking the
Deny box, it becomes (at least to me) a very "black and white" issue, since
"Deny" takes precedence.  

Am I missing a bigger picture here?  I really am looking forward to getting
my hands on Robbie's book and the MS whitepaper on delegation!
Keep the comments coming!

Mike Thommes

-----Original Message-----
From: Mulnick, Al [mailto:[EMAIL PROTECTED]
Sent: Wednesday, October 08, 2003 9:52 AM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] OU Delegation question


Just so we have it straight, once you set the deny permission, they're still
able to delete an account but not create one?  Is that about it?
Is that the last of what you need to accomplish as well?



-----Original Message-----
From: Thommes, Michael M. [mailto:[EMAIL PROTECTED]
Sent: Tuesday, October 07, 2003 3:51 PM
To: Active Directory Mailing List (E-mail)
Subject: [ActiveDir] OU Delegation question


Hi All:
     At least around here, Robbie's "Tuna book" has yet to hit the shelves.
And Microsoft's whitepaper on delegation is still a month away.  Other
references on delegation appear scant at best.  So here's the problem that I
have been tearing my hair out on (and I didn't have much to start with! 8-) ):

We would like to delegate *almost* all rights to the various Divisional OUs
we have to various OU admin groups.  We'll let them do anything they want to
*except*: 1) create accounts; 2) delete accounts; 3) rename accounts; and 4)
reset passwords.  We have other groups for #4.  You'd think this is a
relatively easy task.  So far, my experiences show otherwise.  Using the
Delegation Wizard, it would seem reasonable to give the OU admin groups the
following permissions in the respective OU:

1) Full Control, applied to this object and all child objects
2) Create/Delete User Object, applied to this object and all child
objects....then set it to Deny
3) Reset Password, applied to User Objects...then set it to Deny
4) Write Property, Write Logon Name (pre-Windows 2000)...then set it to Deny
5) Write Property, Write Logon Name...then set it to Deny

So far, the admin groups cannot create a user account (good!); they cannot
reset a user's password (good!); they cannot rename an account (good!); BUT
they can *still* delete a user account (very bad!).   Any help is certainly
appreciated!  Thanks.

Mike Thommes
List info   : http://www.activedir.org/mail_list.htm
List FAQ    : http://www.activedir.org/list_faq.htm
List archive:
http://www.mail-archive.com/activedir%40mail.activedir.org/
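Editor's note: the following PowerShell is an added example, not code from anyone in the thread. It puts Brian's explanation (Delete on the object first, then Delete Subtree on the parent) and Mike's five-step Delegation Wizard list into a script that first audits which ACEs on a delegated OU can delete anything beneath it, then adds the explicit Deny ACEs that close each deletion path. It assumes the RSAT ActiveDirectory module, the AD: PSDrive it provides, and a caller allowed to modify the OU's DACL; the OU distinguished name and the delegated group name are placeholders. It goes one step beyond Brian's two denies: it also denies the standard Delete right on the user objects themselves, because the inherited Full Control ACE from Mike's step 1 grants that right on every user object, and that is the first check Brian describes, so a Deny placed only on the parent OU does not cover it. WriteOwner is denied alongside WriteDacl for the same reason Brian gives for "Modify Permissions": an owner can rewrite the DACL and remove the denies.

```powershell
# Added example (editor's code, not from the thread). Audits which ACEs on a
# delegated OU can delete objects under it, then adds the explicit Deny ACEs
# that close every deletion path discussed above. Requires the RSAT
# ActiveDirectory module and rights to modify the OU's DACL.
Import-Module ActiveDirectory

$ouDn  = 'OU=Division1,DC=example,DC=com'   # placeholder OU distinguished name
$group = 'EXAMPLE\Division1-OUAdmins'       # placeholder delegated admin group
$sid   = ([System.Security.Principal.NTAccount]$group).Translate(
             [System.Security.Principal.SecurityIdentifier])

# schemaIDGUID of the "user" object class (well-known AD schema constant;
# verify in your forest with Get-ADObject against the schema naming context)
$userClassGuid = [Guid]'bf967aba-0de6-11d0-a285-00aa003049e2'

$Rights = [System.DirectoryServices.ActiveDirectoryRights]
$Deny   = [System.Security.AccessControl.AccessControlType]::Deny
$All    = [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All
$Desc   = [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents

$acl = Get-Acl -Path "AD:\$ouDn"

# --- 1. Audit: every ACE on the OU that can delete something beneath it ---
# Delete      = standard right on the object itself (the first check)
# DeleteChild = right on the parent to delete a child of a given class
# DeleteTree  = "Delete Subtree" on the parent (the second check Brian names)
# GenericAll  = Full Control, which contains all three
$deleteMask = $Rights::Delete -bor $Rights::DeleteChild -bor
              $Rights::DeleteTree -bor $Rights::GenericAll
$acl.Access |
    Where-Object { ($_.ActiveDirectoryRights -band $deleteMask) -ne 0 } |
    Select-Object IdentityReference, AccessControlType, ActiveDirectoryRights,
                  InheritanceType, ObjectType, InheritedObjectType |
    Format-Table -AutoSize

# --- 2. Lock: explicit Deny ACEs for the delegated group ------------------
$rules = @(
    # a) No creating or deleting user objects in this OU or any sub-OU.
    #    ObjectType = user class limits the ACE to that child class (this is
    #    what Mike's step 2 produces in the wizard).
    [System.DirectoryServices.ActiveDirectoryAccessRule]::new(
        $sid, ($Rights::CreateChild -bor $Rights::DeleteChild), $Deny,
        $userClassGuid, $All)

    # b) No Delete on the user objects themselves. The inherited Full Control
    #    from step 1 otherwise grants it, and it is checked before the parent,
    #    so the parent-level denies alone leave this path open.
    [System.DirectoryServices.ActiveDirectoryAccessRule]::new(
        $sid, $Rights::Delete, $Deny, $Desc, $userClassGuid)

    # c) No Delete Subtree on the OU or any sub-OU (Brian's "Delete Subtree").
    [System.DirectoryServices.ActiveDirectoryAccessRule]::new(
        $sid, $Rights::DeleteTree, $Deny, $All)

    # d) No Modify Permissions or Take Ownership, so the group cannot remove
    #    the denies above (Brian's "Modify Permissions"; WriteOwner added here
    #    because an owner can rewrite the DACL).
    [System.DirectoryServices.ActiveDirectoryAccessRule]::new(
        $sid, ($Rights::WriteDacl -bor $Rights::WriteOwner), $Deny, $All)
)
foreach ($rule in $rules) { $acl.AddAccessRule($rule) }
Set-Acl -Path "AD:\$ouDn" -AclObject $acl
```

Run section 1 on its own first: the audit output shows the inherited Full Control ACE (GenericAll) for the OU admin group, which is the row that explains why Mike's Deny on Create/Delete User Object alone was not enough. After section 2, re-run the audit and confirm that an explicit Deny row precedes the Allow for the group; explicit denies are evaluated before allows, which is what Mike is relying on when he calls Deny "black and white". Later Windows versions also offer the ProtectedFromAccidentalDeletion flag on Set-ADObject, which adds Deny Delete and DeleteTree ACEs for Everyone; it protects the object from the account-creation office as well, so that office has to clear the flag before a deliberate delete.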