Hi All!

While reading Best Practices for Delegating Active Directory Administration
(http://www.microsoft.com/downloads/details.aspx?familyid=631747a3-79e1-48fa-9730-dae7c0a1d6d3&displaylang=en, http://www.microsoft.com/downloads/details.aspx?FamilyID=29dbae88-a216-45f9-9739-cb1fb22a0642&DisplayLang=en)
I can see that MSFT recommends using the following permissions while delegating 'Operation Master Roles Management':

Seize the Schema Master Role

WP on cn=Schema, cn=Configuration, dc=<ForestRootDomain> to modify the fSMORoleOwner attribute

Extended Right Change-Schema-Master on cn=Schema, cn=Configuration, dc=<ForestRootDomain>

I can see the same thing (applying permissions to 'cn=Schema') in many other recommendations there.

Why is it required to apply permissions directly to the 'cn=Schema' container, and are there any other solutions?

Thanks, Ivan.
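
To see who already holds the two permissions quoted above, the ACL on the schema naming context head can be read directly. This is an added example, not part of the original post or of the Microsoft guide; it assumes the RSAT ActiveDirectory PowerShell module and an account that can read the schema partition's ACL.

```powershell
# Added example: read-only audit of the ACL on cn=Schema,cn=Configuration,<forest root>.
# Assumes the RSAT ActiveDirectory module (provides the AD: drive used by Get-Acl).
Import-Module ActiveDirectory

$root     = Get-ADRootDSE
$schemaNC = $root.schemaNamingContext
$configNC = $root.configurationNamingContext

# Resolve both GUIDs from the directory itself instead of hard-coding them.
$attrGuid  = [guid](Get-ADObject -SearchBase $schemaNC `
                 -LDAPFilter '(lDAPDisplayName=fSMORoleOwner)' `
                 -Properties schemaIDGUID).schemaIDGUID
$rightGuid = [guid](Get-ADObject -SearchBase "CN=Extended-Rights,$configNC" `
                 -LDAPFilter '(cn=Change-Schema-Master)' `
                 -Properties rightsGuid).rightsGuid

$ADR         = [System.DirectoryServices.ActiveDirectoryRights]
$inheritOnly = [System.Security.AccessControl.PropagationFlags]::InheritOnly
$anyObject   = [guid]::Empty   # an empty ObjectType means "all attributes / all extended rights"

(Get-Acl -Path "AD:\$schemaNC").Access |
  Where-Object {
    $_.AccessControlType -eq 'Allow' -and
    -not ($_.PropagationFlags -band $inheritOnly)   # inherit-only ACEs do not apply to cn=Schema itself
  } |
  ForEach-Object {
    $grants = @()
    # GenericAll contains both the WriteProperty and ExtendedRight bits, so it is caught here too.
    if (($_.ActiveDirectoryRights -band $ADR::WriteProperty) -and
        ($_.ObjectType -in $attrGuid, $anyObject)) {
      $grants += 'WP fSMORoleOwner'
    }
    if (($_.ActiveDirectoryRights -band $ADR::ExtendedRight) -and
        ($_.ObjectType -in $rightGuid, $anyObject)) {
      $grants += 'Change-Schema-Master'
    }
    if ($grants) {
      [pscustomobject]@{
        Trustee   = $_.IdentityReference
        Grants    = $grants -join ', '
        Rights    = $_.ActiveDirectoryRights
        Inherited = $_.IsInherited
      }
    }
  } | Sort-Object Trustee | Format-Table -AutoSize
```

The output lists Allow ACEs only; Deny ACEs and write access granted through a property set are not evaluated, so treat the result as a starting list rather than an effective-permissions calculation.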