Yep, completely agree. Remove the right to create OUs. I have mentioned this on the list multiple times as the creator/owner issue.

What you should do is define a fixed structure that is used by all delegated groups and when a new delegated group spins up, you build the entire OU structure and then they have at it.

Also why isn't MIIS being used to handle all user properties?

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Coleman, Hunter
Sent: Thursday, October 06, 2005 3:16 PM
To: [email protected]
Subject: RE: [ActiveDir] Question about Delegation & Object Owner.

If you create an object, you are the owner of the object and have full control over it. Seems like your options include removing their create/delete OU rights and making them go through you, or setting up a proxied system (e.g. web page) that will do the creation for them.

You could run a script that takes ownership of all OUs and resets permissions on them, but that will be reactive and you may still end up with user accounts or other things that the admins created manually in between runs of the script.

Hunter

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of TIROA YANN
Sent: Thursday, October 06, 2005 12:09 PM
To: [email protected]
Subject: [ActiveDir] Question about Delegation & Object Owner.

Hello,

In my university, I had successfully delegated to each admin responsible for their OU the following tasks:

-> Create/delete groups.
-> Create/delete computers
-> Create/delete OUs.
-> Only modify users' properties: admins have no right to create/delete users because this task is done by our MIIS 2003.

BUT, I noticed that in some OUs, users are still created manually, and after searching, it was due to the fact that admins have the rights to create child OUs, they become automatically the owner of their OU so they can easily modify the ACLs to have full control .. :(

So my question: is there a way to grant them create/delete OU without having them be the owner of their OU?

I did not find a set of properties in dssec.dat concerning my needs.

Thanks for input.

Cheers,
Yann
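
The creator/owner problem discussed in this thread can be audited before any ownership reset is run. The following is an added example, not code from any poster on the list: it assumes the OU security descriptors have already been exported as SDDL strings, and the trusted-owner set, the SID and the OU names are constructed for illustration.

```python
import re

# SDDL aliases accepted as OU owner / ACL editor: Domain Admins, Enterprise
# Admins, BUILTIN\Administrators, Local System. Assumption: tune to local policy.
TRUSTED = {"DA", "EA", "BA", "SY"}
ACL_RIGHTS = {"WD", "WO", "GA"}  # WRITE_DAC, WRITE_OWNER, GENERIC_ALL
ACL_MASK = 0x00040000 | 0x00080000 | 0x10000000  # same rights as a hex mask
OWNER_RE = re.compile(r"^O:(S-1-[0-9-]+|[A-Z]{2})")
ACE_RE = re.compile(r"\(([^()]*)\)")

def pairs(s):
    return [s[i:i + 2] for i in range(0, len(s), 2)]  # two-letter SDDL codes

def owner_of(sddl):
    """Return the owner (alias or SID string), or None if there is no O: part."""
    m = OWNER_RE.match(sddl)
    return m.group(1) if m else None

def can_rewrite_acl(rights):
    if rights.lower().startswith("0x"):
        return bool(int(rights, 16) & ACL_MASK)
    return any(code in ACL_RIGHTS for code in pairs(rights))

def audit_ou(dn, sddl):
    """Flag an untrusted owner and untrusted trustees able to rewrite the ACL."""
    findings = []
    owner = owner_of(sddl)
    if owner not in TRUSTED:
        findings.append((dn, "owner", owner))
    for ace in ACE_RE.findall(sddl):
        f = ace.split(";")
        # Only allow ACEs that apply to this object itself (not inherit-only).
        if len(f) < 6 or f[0] not in ("A", "OA") or "IO" in pairs(f[1]):
            continue
        if f[5] not in TRUSTED and can_rewrite_acl(f[2]):
            findings.append((dn, "ace", f[5]))
    return findings

# Constructed sample export: OU DN -> SDDL (SIDs and names are made up).
ADMIN_SID = "S-1-5-21-1111-2222-3333-1105"  # hypothetical delegated admin
FULL = "RPWPCRCCDCLCLORCWOWDSDDTSW"
SAMPLE = {
    "OU=Physics,DC=example,DC=edu": f"O:DAG:DAD:(A;;{FULL};;;DA)(A;;RPLCLORC;;;AU)",
    "OU=Labs,OU=Physics,DC=example,DC=edu":
        f"O:{ADMIN_SID}G:DAD:(A;CI;{FULL};;;{ADMIN_SID})(A;;RPLCLORC;;;AU)",
}

if __name__ == "__main__":
    print([f for dn, s in SAMPLE.items() for f in audit_ou(dn, s)])
```

The child OU created by the delegated admin is reported twice: once because that account owns it, and once because the same account holds an ACE that lets it rewrite the ACL.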
