Hi Brian,
    I added the Deny permission to the "delete subtree" and "modify permissions" for 
OU admin account at the OU level and this account *can still delete* the user.  Any 
other thoughts?

Mike Thommes

-----Original Message-----
From: Brian Small [mailto:[EMAIL PROTECTED]
Sent: Wednesday, October 08, 2003 12:11 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] OU Delegation question


Hi Michael,

The reason the OU Admin can still delete the user object is because of
the Full Control ACE you added. When deleting an object, the operating
system first looks at the object itself to see if the caller has the Delete
permission. If not, it then goes to its PARENT (in this case an OU) to
see if the caller has the Delete Subtree permission. Therefore, if you
follow your current model, you can deny permissions to the "Delete
Subtree" permission as well as the "Modify Permissions" permission to
achieve your results. You will also see a similar behavior in NTFS
permissions where users can "mysteriously" delete files that they have
as read only. If you look at the parent folder, they will have the
"Delete Subfolders and Files" permission (associated with Full Control).

I hope this helps.

All the best,

Brian Small 
President 

====================== 
Small Wonders Software 
[EMAIL PROTECTED] 
http://www.smallwonders.com 
======================

IMPORTANT - This e-mail message (and attachments) may contain
information that is confidential to Small Wonders Software. If you are
not the intended recipient you cannot use, distribute or copy the
message or attachments. In such a case, please notify the sender by
return e-mail immediately and erase all copies of the message and
attachments.  Opinions, conclusions and other information in this
message and attachments that do not relate to the official business of
Small Wonders Software are neither given nor endorsed by it.
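
A way to see which ACEs actually open the two delete paths Brian describes, added here as an example that is not from the thread (PowerShell with the ActiveDirectory module, a tool that postdates this discussion; the DN is a placeholder):

```powershell
# Added example, not from the thread. For one user object, list every ACE that
# carries a delete-capable right on the two paths Brian describes: Delete or
# Delete Tree on the object itself, and Delete Child (for the user class) on the
# parent OU. Full Control (GenericAll) shows up on both paths because it
# contains all three bits, which is why an Allow Full Control on the OU keeps
# deletion working. Assumes the ActiveDirectory module; the DN is a placeholder.
Import-Module ActiveDirectory

$userDn        = 'CN=Placeholder User,OU=Division A,DC=example,DC=com'   # placeholder
$userClassGuid = [guid]'bf967aba-0de6-11d0-a285-00aa003049e2'          # schemaIDGUID of class "user"
# Parent DN: drop the first RDN (good enough for DNs without escaped commas).
$parentDn = $userDn.Substring($userDn.IndexOf(',') + 1)

function Get-DeleteAce {
    param(
        [string]$Dn,
        [System.DirectoryServices.ActiveDirectoryRights[]]$Bits,
        [guid]$ClassGuid
    )
    $acl = Get-Acl -Path ("AD:\" + $Dn)
    foreach ($ace in $acl.Access) {
        $hit = @($Bits | Where-Object { $ace.ActiveDirectoryRights.HasFlag($_) })
        if ($hit.Count -eq 0) { continue }
        # An object-specific ACE only governs the class named in ObjectType;
        # an empty ObjectType covers every class.
        if ($ace.ObjectType -ne [guid]::Empty -and $ace.ObjectType -ne $ClassGuid) { continue }
        [pscustomobject]@{
            On        = $Dn
            Principal = $ace.IdentityReference.Value
            Type      = $ace.AccessControlType   # a Deny here outranks an Allow
            Rights    = ($hit -join ', ')
            Inherited = $ace.IsInherited
        }
    }
}

$objectRights = @([System.DirectoryServices.ActiveDirectoryRights]::Delete, [System.DirectoryServices.ActiveDirectoryRights]::DeleteTree)
$parentRights = @([System.DirectoryServices.ActiveDirectoryRights]::DeleteChild)

$results = @(
    Get-DeleteAce -Dn $userDn   -Bits $objectRights -ClassGuid $userClassGuid
    Get-DeleteAce -Dn $parentDn -Bits $parentRights -ClassGuid $userClassGuid
)
$results | Format-Table -AutoSize
```

Any row whose Type is Allow and whose Principal is the OU admin group is a path that still permits deletion; a Deny row on the same right for that group closes it.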


-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Thommes,
Michael M.
Sent: Wednesday, October 08, 2003 11:10 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] OU Delegation question

Hi Al (and Joe),
    Thanks for the responses.  Al, that is correct, the OU Admin can
still delete the user object.  And yes, I think that is the last thing
that I want to accomplish.  However, Joe's previous reply gives me cause
for concern about the Full Control issue.  The bottom line is that I
don't want to restrict what the OU admins can do in their respective
OUs, except I do not want them to create a user account, nor delete an
already existing user account, nor rename the user account, nor reset
the password.  We view our domain accounts as sacred; they are never to
be deleted (disabled, yes) and the creation of domain accounts is done
through a special process that is done by a single office so that the
appropriate business rules are followed.

The Delegation Wizard GUI poses a question.  If you start getting
granular for a particular permission and "uncheck" the Allow box, it
would appear that the ability to do that particular operation then rests
on maybe inherited permissions or some other "gray" area.  By explicitly
checking the Deny box, it becomes (at least to me) a very "black and
white" issue, since "Deny" takes precedence.  

Am I missing a bigger picture here?  I really am looking forward to
getting my hands on Robbie's book and the MS whitepaper on delegation!
Keep the comments coming!

Mike Thommes

-----Original Message-----
From: Mulnick, Al [mailto:[EMAIL PROTECTED]
Sent: Wednesday, October 08, 2003 9:52 AM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] OU Delegation question


Just so we have it straight, once you set the deny permission, they're
still able to delete an account but not create one?  Is that about it?
Is that the last of what you need to accomplish as well?



-----Original Message-----
From: Thommes, Michael M. [mailto:[EMAIL PROTECTED] 
Sent: Tuesday, October 07, 2003 3:51 PM
To: Active Directory Mailing List (E-mail)
Subject: [ActiveDir] OU Delegation question


Hi All:
     At least around here, Robbie's "Tuna book" has yet to hit the
shelves.  And Microsoft's whitepaper on delegation is still a month away.
Other references on delegation appear scant at best.  So here's the
problem that I have been tearing my hair out on (and I didn't have much
to start with! 8-) ):

We would like to delegate *almost* all rights to the various Divisional
OUs we have to various OU admin groups.  We'll let them do anything they
want to *except*: 1) create accounts; 2) delete accounts; 3) rename
accounts; and 4) reset passwords.  We have other groups for #4.  You'd
think this is a relatively easy task.  So far, my experiences show
otherwise.  Using the Delegation Wizard, it would seem reasonable to give
the OU admin groups the following permissions in the respective OU:

1) Full Control, applied to this object and all child objects
2) Create/Delete User Object, applied to this object and all child
objects....then set it to Deny
3) Reset Password, applied to User Objects...then set it to Deny
4) Write Property, Write Logon Name (pre-Windows 2000)...then set it to
Deny
5) Write Property, Write Logon Name...then set it to Deny

So far, the admin groups cannot create a user account (good!); they
cannot reset a user's password (good!); they cannot rename an account
(good!); BUT they can *still* delete a user account (very bad!).   Any
help is certainly appreciated!  Thanks.

Mike Thommes
List info   : http://www.activedir.org/mail_list.htm
List FAQ    : http://www.activedir.org/list_faq.htm
List archive:
http://www.mail-archive.com/activedir%40mail.activedir.org/