List Archives

This forum is an archive of all posts to our mailing list over the past few years. The forum is set read-only; to contribute, you will need to join our list community. See more info about this here.

 

When subscribed to the list you should use your standard email client to send your posts to ActiveDir@mail.activedir.org.

Subject: ect Owner.
Author: Yann Tiroa

10/07/2005 5:35 AM  
________________________________

From: ActiveDir-owner@xxxxxxxxxxxxxxxxxx On Behalf Of joe
Date: Fri. 07/10/2005 02:21
To: ActiveDir@xxxxxxxxxxxxxxxxxx
Subject: RE: [ActiveDir] Question about Delegation & Object Owner.
Yep, completely agree. Remove the right to create OUs. I have mentioned this on the list multiple times as the creator/owner issue.

What you should do is define a fixed structure that is used by all delegated groups and when a new delegated group spins up, you build the entire OU structure and then they have at it.

Also why isn't MIIS being used to handle all user properties?

________________________________

From: ActiveDir-owner@xxxxxxxxxxxxxxxxxx [mailto:ActiveDir-owner@xxxxxxxxxxxxxxxxxx] On Behalf Of Coleman, Hunter
Sent: Thursday, October 06, 2005 3:16 PM
To: ActiveDir@xxxxxxxxxxxxxxxxxx
Subject: RE: [ActiveDir] Question about Delegation & Object Owner.
If you create an object, you are the owner of the object and have full control over it. Seems like your options include removing their create/delete OU rights and making them go through you, or setting up a proxied system (e.g. web page) that will do the creation for them.

You could run a script that takes ownership of all OUs and resets permissions on them, but that will be reactive and you may still end up with user accounts or other things that the admins created manually in between runs of the script.

Hunter

________________________________

From: ActiveDir-owner@xxxxxxxxxxxxxxxxxx [mailto:ActiveDir-owner@xxxxxxxxxxxxxxxxxx] On Behalf Of TIROA YANN
Sent: Thursday, October 06, 2005 12:09 PM
To: ActiveDir@xxxxxxxxxxxxxxxxxx
Subject: [ActiveDir] Question about Delegation & Object Owner.
Hello,

In my university, I had successfully delegated to each admin responsible for their OU the following tasks:
-> Create/delete groups.
-> Create/delete computers
-> Create/delete OUs.
-> Only Modify Users properties: Admins have no right to create/delete users because this task is done by our MIIS 2003.

BUT, I noticed that in some OUs, users are still created manually, and after searching, it was due to the fact that admins have the rights to create child OUs, they become automatically the owner of their OU so they can easily modify the ACLs to have full control .. :(

So my question : is there a way to grant them create/delete OU without having them to be the owner of their OU ?

I did not find a set of properties in dssec.dat concerning my needs.

Thanks for input.

Cheers,

Yann
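
The reactive sweep Hunter mentions starts with finding OUs and user objects whose owner is not an expected principal. The PowerShell below is an added example, not code from the thread; it only reports and changes nothing. The CONTOSO domain, the svc-miis account, the search base and the sample records are assumptions constructed for illustration.

```powershell
# Added example: audit only, nothing in the directory is changed.
# Assumed, not from the thread: CONTOSO domain, svc-miis account, sample DNs.
$AllowedOwners = @(
    'CONTOSO\Domain Admins',
    'CONTOSO\Enterprise Admins',
    'BUILTIN\Administrators',
    'CONTOSO\svc-miis'   # hypothetical MIIS provisioning account
)

function Get-OwnerRecord {
    # Reads the owner of every OU and user object under $SearchBase.
    # Requires the ActiveDirectory module and read access to the security descriptor.
    param([string] $SearchBase)
    $filter = '(|(objectClass=organizationalUnit)(&(objectCategory=person)(objectClass=user)))'
    Get-ADObject -SearchBase $SearchBase -SearchScope Subtree -LDAPFilter $filter `
        -Properties nTSecurityDescriptor, whenCreated |
        ForEach-Object {
            [pscustomobject]@{
                DistinguishedName = $_.DistinguishedName
                ObjectClass       = $_.ObjectClass
                Owner             = $_.nTSecurityDescriptor.Owner
                WhenCreated       = $_.whenCreated
            }
        }
}

function Find-UnexpectedOwner {
    # Passes through only the records whose Owner is not on the allow-list.
    param(
        [Parameter(ValueFromPipeline = $true)] $InputObject,
        [string[]] $Allowed
    )
    process {
        if ($Allowed -notcontains $InputObject.Owner) { $InputObject }
    }
}

# Constructed sample records so the filter can be tried without a domain.
$sample = @(
    [pscustomobject]@{ DistinguishedName = 'OU=Physics,OU=Delegated,DC=contoso,DC=example'; ObjectClass = 'organizationalUnit'; Owner = 'CONTOSO\Domain Admins'; WhenCreated = [datetime]'2005-09-01' }
    [pscustomobject]@{ DistinguishedName = 'OU=Lab,OU=Physics,OU=Delegated,DC=contoso,DC=example'; ObjectClass = 'organizationalUnit'; Owner = 'CONTOSO\physics-admin1'; WhenCreated = [datetime]'2005-09-20' }
    [pscustomobject]@{ DistinguishedName = 'CN=Temp User,OU=Lab,OU=Physics,OU=Delegated,DC=contoso,DC=example'; ObjectClass = 'user'; Owner = 'CONTOSO\physics-admin1'; WhenCreated = [datetime]'2005-09-21' }
)
$sample | Find-UnexpectedOwner -Allowed $AllowedOwners | Sort-Object WhenCreated | Format-Table -AutoSize

# Against a live domain (search base is an assumption):
# Get-OwnerRecord -SearchBase 'OU=Delegated,DC=contoso,DC=example' | Find-UnexpectedOwner -Allowed $AllowedOwners
```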

Copyright 2008 ActiveDir.org