Delegating permissions to move user accounts

  • Thread starter Thread starter Matt Nowell
  • Start date Start date
M

Matt Nowell

Morning,

We're currently in the midst of implementing Group Policy, and we're looking
to delegate the administration of the policies outside of the traditional
"server" group. In order to do this, we need to delegate the ability to
move computer and user accounts around between OU's.

Microsoft fortunately has a KB article (818091 if you're interested) that
details how to grant permission to move computer accounts to a user or
group. Unfortunately, there's no corresponding article for user accounts.
In an ideal world, the permissions would fall into the constraints below:

ALLOWED:
Move user accounts between appropriately permissioned OU's.

NOT ALLOWED:
Any other user account modifications, including password modification, logon
name modification, group membership changes or the ability to create/delete
user accounts.

Has anybody out there determined independently what combination of advanced
permissions would be required to do this?

Thanks in advance,

Matt Nowell
 
Hi together!

Interestingly, I'm standig right in front of the same problem as Matt.

And I'm sorry Matjaz, but this is an answer which makes me not very
satisfied, because with this method delegated users gain the access right to
delete and create user accounts. Exactly, this is unwanted. :-(

Does anybody else have other ideas?

Regards,
Daniel
 
Hi Matjaz,

sorry, but I think we misunderstand each other. In the knowledgebase articel
it's said, that the one, who want's to move computer accounts needs the
following permissions: Create/Delete Computer Accounts AND Write All
Permissions.

That means, if the method for moving user accounts is similar, the user
who's delegated to move user accounts needs the same permissions
("Create/Delete User Accounts" and "Write All Permissions"). And exactly
that's the problem: the user gains the right to change all attributes of the
user, but this is absolutely unwanted. :-(

Do you have any other ideas to solve this problem?

Best regards,
Daniel
 
Yes sorry Daniel, in reply I was focusing on computer objects and not user
object. You are right. Write all permission is a serious security flay, but
you can start by first delegation permission to some attributes like
distinguish name (DN) which is basicaly a LDAP path of a object and go from
there.

--
Regards

Matjaz Ladava, MCSE, MCSA, MCT, MVP
Microsoft MVP - Active Directory
(e-mail address removed), (e-mail address removed)
http://ladava.com
 
Hi Matjaz, Hi Matt,

with Matjaz hint (thank you very much!), to try less rights, I discovered,
that the must-have rights are:
"Create/Delete User Accounts" applies to "This object and child objects"
"Write Name" (uppercase "N") applies to "User objects properties"
"Write name" (lowercase "n") applies to "User objects properties"

I don't have any idea, what's the difference between "Name" and "name".

Sadly, it wasn't such easy to search for the an attribute like "Write
distinguished name" because there is none. I think, that "name" or "Name" is
the equivalance. But what's the other one?

Unfortunatly the delegated user has the ability to create and delete user
accounts. If there is still a workaround left, please let me know.

Best Regards,
Daniel
 
As I recall, the Name attribute would be Common Name (cn attribute) and name
would be RDN (Relative Distinguished Name).

--
Regards

Matjaz Ladava, MCSE, MCSA, MCT, MVP
Microsoft MVP - Active Directory
(e-mail address removed), (e-mail address removed)
http://ladava.com
 
Back
Top