Hi, the user will have full control to all objects but to members that belong to protected groups such as domain admins, print op,etc.. This is due to the adminsdholder mechanism. For more information see http://support.microsoft.com/default.aspx?scid=kb;en-us;817433 and adminsdholder threads that were discussed in this list. Yann ________________________________
De: [EMAIL PROTECTED] de la part de Coleman, Hunter Date: lun. 28/11/2005 21:11 À: [email protected] Objet : RE: [ActiveDir] When is a domain Admin not a domain Admin? Well, if they truly have full control over all objects, then they could add themselves into the Domain Admins group. Moot point... ________________________________ From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Morley, Scott Sent: Monday, November 28, 2005 12:59 PM To: [email protected] Subject: [ActiveDir] When is a domain Admin not a domain Admin? All, For reasons too long and boring to mention, I have been asked about the following scenario: Create a regular normal everyday user Give that user full control over all objects in the domain The user is NOT part of the Domain Admins group Does the membership of the domain Admins group provide some additional rights/functionality to a user? Or is full access to all objects equivalent to domain admin rights? Scott Morley Active Directory Manager MSCE 2000, CCNA, CNE, CNI "Human beings, who are almost unique in having the ability to learn from the experience of others, are also remarkable for their apparent disinclination to do so. " - Douglas Adams (1952-2001) This electronic message transmission contains information from the Company that may be proprietary, confidential and/or privileged. The information is intended only for the use of the individual(s) or entity named above. If you are not the intended recipient, be aware that any disclosure, copying or distribution or use of the contents of this information is prohibited. If you have received this electronic transmission in error, please notify the sender immediately by replying to the address listed in the "From:" field.
<<winmail.dat>>
