nope, can't be done natively - there is no such granularity in granting the "modify permission" AD rights - either you have it for the whole object and any of its permissions, or you don't.

you'd need a proxy approach to make this work, i.e. some other process that is executed with higher privs than the user himself performs a controlled change.

you might want to check out the following tools, if this feature is important for you:
- Quest ActiveRoles Server
- BindView bv-Admin for Windows
- NetIQ Directory and Resource Admin

/Guido

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of David Cliffe
Sent: Monday, 30 January 2006 22:56
To: [email protected]
Subject: [ActiveDir] Selectively grant permission modification?
Hi,

Just wanted to double check on this:

Is it possible to delegate someone the ability to modify permissions of an object, but only allow them to modify SOME of those permissions? For example, an email admin who normally does not modify object ACLs, but who may need to grant the "SEND AS" object permission to random security principals throughout the org.

Sorry if this is a repeat question or answer is obvious (I can take a stab at it!).

Thanks,
DaveC
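
The proxy approach described in the reply, written out as an added example; it is not part of the original thread and is not code from any of the products named. It assumes the ActiveDirectory PowerShell module; the function name `Grant-SendAsOnly`, the OU and the domain are hypothetical.

```powershell
# Added example: hypothetical proxy function (names and OU are assumptions).
# It runs under a privileged service identity, never under the caller's own.
Import-Module ActiveDirectory

# rightsGuid of the "Send As" extended right in the AD schema.
$SendAsGuid  = [Guid]'ab721a54-1e2f-11d0-9819-00aa0040529b'
# Constructed value: the only subtree this proxy is allowed to touch.
$AllowedBase = 'OU=Mailboxes,DC=example,DC=com'

function Grant-SendAsOnly {
    param(
        [Parameter(Mandatory)][string]$TargetDN,
        [Parameter(Mandatory)][string]$Trustee   # e.g. 'EXAMPLE\jdoe'
    )

    # Resolve the target through AD and enforce the delegated scope.
    $target = Get-ADObject -Identity $TargetDN
    $dn = $target.DistinguishedName
    if (-not $dn.EndsWith(",$AllowedBase", [StringComparison]::OrdinalIgnoreCase)) {
        throw "Target is outside the delegated scope: $dn"
    }

    # Resolve the trustee to a SID; an unknown name throws here.
    $sid = ([System.Security.Principal.NTAccount]$Trustee).Translate(
        [System.Security.Principal.SecurityIdentifier])

    # The only ACE this function can write: Allow / ExtendedRight / Send As.
    $ace = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
        $sid,
        [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight,
        [System.Security.AccessControl.AccessControlType]::Allow,
        $SendAsGuid)

    $path = "AD:\$dn"
    $acl  = Get-Acl -Path $path
    $acl.AddAccessRule($ace)
    Set-Acl -Path $path -AclObject $acl -ErrorAction Stop

    # Return a record the caller's wrapper can log for audit.
    [pscustomobject]@{
        Target  = $dn
        Trustee = $sid.Value
        Right   = 'Send As'
        When    = (Get-Date).ToUniversalTime()
    }
}
```

The email admin is delegated the ability to invoke this function (for example through a constrained remoting endpoint), not the "modify permissions" right on the objects themselves.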
