Vlad
Hello All,
Please help me to accomplish the solution for the Scenario:
Windows 2003 domain: mydomain.com
NewAdmin is a member of CN=Users,CN=mydomain,CN=com. NewAdmin is not a
member of any Administrator groups.
BadUser is a member of CN=Users,CN=mydomain,CN=com. BadUser is not a
member of any Administrator groups.
There is an OU: OU=MyOU,CN=mydomain,CN=com
WE WANT:
- to delegate the ability to create, rename and delete Organizational
Units to NewAdmin. These OUs should be sub-OUs of the
OU=MyOU,CN=mydomain,CN=com.
- to delegate the ability to create, rename and delete Computers in
the created OUs.
WE DO NOT WANT:
- NewAdmin to be able to delegate any permissions to the sub-OUs which
were created by the NewAdmin in the OU=MyOU,CN=mydomain,CN=com.
UNWANTED RESULTS OF THE SCENARIO:
NewAdmin creates OU: OU=NewOU,OU=MyOU,CN=mydomain,CN=com
NewAdmin delegates Full Control to BadUser over
OU=NewOU,OU=MyOU,CN=mydomain,CN=com.
TRIED, BUT DID NOT HELP:
- Tried to delegate the control with the help of the Delegation of
Control Wizard.
- Tried to edit the Special Permissions on the
OU=MyOU,CN=mydomain,CN=com with and without "Allow inheritable
permissions from the parent to propagate to this object and all child
objects" checked.
- Tried to edit the Special Permissions on the
OU=MyOU,CN=mydomain,CN=com as follows:
First set Full Control to Deny and then allowed only
List Contents
Read All Properties
Read Permissions
Create Computer Object
Delete Computer Object
Create Organizational Unit Object
Delete Organizational Unit Object
for the "Apply onto:
This object and all child objects
Organizational Unit objects"
POSSIBLE REASON OF FAILURE:
Wrong settings in the
- Permissions
- Apply onto
- Object Name
- Inheritance
Thank you for your help.
Vlad
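
An audit for the unwanted result described in the post above, as an added example that is not part of the original post: it lists every OU under a delegated parent where a principal outside an expected set owns the OU or holds an Allow ACE that lets it change permissions or ownership. Assumptions: a management host with the ActiveDirectory PowerShell module, a domain controller reachable through AD Web Services, and the `$Expected` allow-list of group names, which is hypothetical and should be adjusted.

```powershell
# Added example (not from the original post).
# Reports OUs below $SearchBase where an unexpected principal can rewrite the DACL.
param(
    # DN of the delegated parent OU (MyOU in the post); supplied by the caller.
    [Parameter(Mandatory = $true)] [string] $SearchBase,
    # Assumed allow-list of principals that may hold permission-changing rights.
    [string[]] $Expected = @('Domain Admins', 'Enterprise Admins', 'Administrators', 'SYSTEM')
)

Import-Module ActiveDirectory   # also provides the AD: drive used by Get-Acl

# WriteDacl and WriteOwner are the rights that allow re-delegation.
# GenericAll (Full Control) contains both bits, so it is caught as well.
$adr   = [System.DirectoryServices.ActiveDirectoryRights]
$risky = [int]$adr::WriteDacl -bor [int]$adr::WriteOwner

function Test-Expected([string] $Identity) {
    # Compare only the account name, dropping the DOMAIN\ or BUILTIN\ prefix.
    $Expected -contains ($Identity -split '\\')[-1]
}

Get-ADOrganizationalUnit -Filter * -SearchBase $SearchBase -SearchScope Subtree |
ForEach-Object {
    $dn  = $_.DistinguishedName
    $acl = Get-Acl -Path "AD:\$dn"

    # The owner of an object can change its permissions even without an explicit ACE.
    if (-not (Test-Expected $acl.Owner)) {
        [pscustomobject]@{ OU = $dn; Principal = $acl.Owner; Finding = 'Owner'
                           Rights = 'implicit'; Inherited = $false }
    }

    # Explicit or inherited Allow ACEs that carry a permission-changing right.
    $acl.Access |
        Where-Object {
            $_.AccessControlType -eq 'Allow' -and
            (([int]$_.ActiveDirectoryRights -band $risky) -ne 0) -and
            -not (Test-Expected $_.IdentityReference.Value)
        } |
        ForEach-Object {
            [pscustomobject]@{ OU = $dn; Principal = $_.IdentityReference.Value; Finding = 'ACE'
                               Rights = $_.ActiveDirectoryRights; Inherited = $_.IsInherited }
        }
} | Sort-Object OU, Principal | Format-Table -AutoSize
```

In the scenario from the post, an OU created by NewAdmin would appear with an `Owner` finding, and a Full Control grant to BadUser would appear as an `ACE` finding.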