> however this is management's call.
And what do you do if your management tells you to shoot yourself in the foot? I'd certainly talk to your management and ask the rationale behind their demand. Ideally no user should be a member of the builtin Server Operators group of the domain at all (no problem with Server OPs on member servers). There is a reason why members of this group (and many other built-in groups) are protected by the AdminSDHolder process => they are very sensitive accounts, so normal delegation tasks (such as resetting PW etc.) should not be granted on these accounts. Of course you can change this "protection" behaviour in AD, but this doesn't make any sense unless you are willing to risk your company's assets.
So you'd better try to find out what their overall goal is, then we can help you figure out the best way to grant the correct permissions in a way that will work well with the delegation concept of AD.
/Guido
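As an added example (not from the thread or from the list's own scripts): a PowerShell audit that lists the users in a delegated OU whom AdminSDHolder protects, i.e. those with adminCount=1 or ACL inheritance blocked, and whether they are (transitively) members of BUILTIN\Server Operators. It assumes the RSAT ActiveDirectory module is installed and that the OU distinguished name below is replaced with your own; the value shown is a constructed placeholder.

```powershell
# Added audit example, not from the thread. Assumes the ActiveDirectory module.
Import-Module ActiveDirectory

# Placeholder OU; replace with the OU on which permissions were delegated.
$ou = 'OU=Delegated,DC=example,DC=com'

# Resolve the transitive membership of BUILTIN\Server Operators once.
# AdminSDHolder protection applies to nested members too, so -Recursive matters.
$serverOps = Get-ADGroupMember -Identity 'Server Operators' -Recursive |
    Select-Object -ExpandProperty DistinguishedName

# For each user in the OU, read adminCount and the security descriptor.
# AreAccessRulesProtected = $true means inheritance from the OU is blocked,
# which is exactly the state SDProp re-applies to protected accounts.
$report = Get-ADUser -SearchBase $ou -Filter * `
        -Properties adminCount, nTSecurityDescriptor |
    ForEach-Object {
        [PSCustomObject]@{
            User               = $_.SamAccountName
            AdminCount         = $_.adminCount
            InheritanceBlocked = $_.nTSecurityDescriptor.AreAccessRulesProtected
            InServerOperators  = $serverOps -contains $_.DistinguishedName
        }
    }

# Accounts in this list will not honour OU-level delegation; the ones that are
# flagged but no longer in a protected group are leftovers (adminCount is not
# cleared automatically when membership is removed) and deserve a manual review.
$report | Where-Object { $_.AdminCount -eq 1 -or $_.InheritanceBlocked } |
    Format-Table -AutoSize
```

Run it before and after changing group membership: a user that drops out of InServerOperators but keeps AdminCount=1 and InheritanceBlocked will still ignore the delegated permissions until the flag and ACL are reset deliberately.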
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Frank Abagnale
Sent: Friday, 2 September 2005 08:34
To: [email protected]
Subject: RE: [ActiveDir] OU permissions for user object
Hi Guido,
Yes, you are correct, this is what is happening. But I believe the reason that the inherit on existing objects is not checked is due to the AdminSDHolder. The user in question is a member of the builtin\server operators group; therefore when I set the user object to inherit the permissions, it resets itself to unchecked after roughly 15 mins.
I now have a problem: my global group, to which I have delegated permissions on an OU, must be a member of the Builtin\Server Operators group. If the inherit flag is reset after 10 mins, how can I get this user object to be able to administer other users who are also members of the Builtin\Server Operators group?
If I had the choice, I wouldn't use the builtin groups, however this is management's call.
Thanks
"Grillenmeier, Guido" <[EMAIL PROTECTED]> wrote:
Sounds to me as if you've not set the permission to _inherit_ down to existing objects. Check in the Advanced tab of the security editor (the tab that displays the permissions on your OU in ADUC) and see if your Full Control permissions are set for User Objects (which will then automatically inherit down to user objects within this OU). If you've set the permission to all objects, you'll explicitly have to set the scope of the permission to apply to "This object and all child objects" (or just to the child objects); this will then inherit the permission to objects within the OU.
/Guido
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Frank Abagnale
Sent: Thursday, 25 August 2005 10:46
To: Active
Subject: [ActiveDir] OU permissions for user object
Hi,
I've created an OU and I have delegated a security group the Create/Delete User Object with Full Permissions. I have also delegated the 'Create, Delete & Manage User Account' right with F/C. I only want this security group to be able to manage user accounts in this OU and modify the users' details/group membership.
The problem I have is that I can't enable/disable a user or modify the user's details on an account which already exists. If I create a new account, I can do all the delegated tasks set, but on existing accounts I get error messages such as "you have insufficient rights to perform this operation" or the details are greyed out.
Any ideas where I can check?
Iain