If someone creates an object they are creator/owner of the object. At that
point they can do anything they want with that object. To prevent this you
would need to seize ownership from them after they create the object.
Honestly I would recommend setting up a web page for them to do the create.

Note however they won't be able to change group memberships as that is a
change done to the groups, not the users.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Stuart, Cory G.
Sent: Friday, February 06, 2004 11:01 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Restricting Administrative Permissions
Hi All,

I know that you can limit who can add workstations to a domain via Group
Policy. Is there a way that you can allow someone to create users, but not
change their passwords or group memberships, etc?

Thanks!
Cory
-----------------------------------
Cory G. Stuart
Network Administrator
Nuclear Engineering Division
Argonne National Laboratory
-----------------------------------
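
The reply's point about creator/owner can be checked and corrected from an administrative workstation. The script below is an added example, not part of the original thread: it lists user objects in a delegated OU whose owner is not the expected administrative group and, with -Fix, resets the owner. It assumes the RSAT ActiveDirectory PowerShell module; the OU distinguished name and the EXAMPLE domain name are placeholders.

```powershell
# Added example, not from the thread. $SearchBase and $ExpectedOwner are
# placeholder values; replace them with the delegated OU and the group that
# should own user objects in your domain.
param(
    [string]$SearchBase    = 'OU=Delegated,DC=example,DC=com',
    [string]$ExpectedOwner = 'EXAMPLE\Domain Admins',
    [switch]$Fix
)

# The module also provides the AD: drive that Get-Acl and Set-Acl use below.
Import-Module ActiveDirectory

$expected = New-Object System.Security.Principal.NTAccount($ExpectedOwner)

Get-ADUser -Filter * -SearchBase $SearchBase | ForEach-Object {
    $path = "AD:\$($_.DistinguishedName)"
    $acl  = Get-Acl -Path $path

    # The owner is whoever created the object unless it has been changed since.
    if ($acl.Owner -ne $expected.Value) {
        # Report every object still owned by someone other than the expected group.
        [pscustomobject]@{
            User  = $_.SamAccountName
            Owner = $acl.Owner
            Reset = [bool]$Fix
        }

        if ($Fix) {
            # Take the object away from its creator by rewriting the owner field.
            $acl.SetOwner($expected)
            Set-Acl -Path $path -AclObject $acl
        }
    }
}
```

Resetting the owner removes the creator's implicit right to rewrite the object's permissions; rights granted by the delegation on the OU itself are not changed by this script.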
