Re: Unable to prevent OU deletion by Domain Admins?
From: Josh (joshuabrown_at_gmail.com)
Date: 11/02/04
- Next message: Matt: "Re: Your password will expire in X days."
- Previous message: Stanser: "Re: How to Override child domain using Enterprise Admin"
- In reply to: Mark Renoden [MSFT]: "Re: Unable to prevent OU deletion by Domain Admins?"
- Next in thread: ptwilliams: "Re: Unable to prevent OU deletion by Domain Admins?"
- Reply: ptwilliams: "Re: Unable to prevent OU deletion by Domain Admins?"
- Messages sorted by: [ date ] [ thread ]
Date: 2 Nov 2004 08:10:13 -0800
Mark,
Thanks, but that doesn't really answer my question. We have a
situation where we want to prevent a particular OU from being
accidentally deleted. Trusting our domain admins doesn't prevent them
from making very human mistakes. This looks like a bug to me--why can
I not create an OU that denies deletion rights to domain admins, when
the ACL appears that it should do precisely that?
I challenge anyone to try what I have outlined above and get it to
properly deny deletion rights. If this right is not working properly,
how am I to have confidence in any of our settings? Deny rights is as
important as allow rights, if not more so, since deny rights are
supposed to trump allow rights.
Josh
"Mark Renoden [MSFT]" <markreno@online.microsoft.com> wrote in message news:<uP56r$FwEHA.1988@TK2MSFTNGP12.phx.gbl>...
> Hi Josh
>
> It's better practice to give rights to a group of users rather than take
> them away from Domain Admins. You should never alter the rights of a
> builtin group or user. You're better off creating a group for the purpose
> of administering OUs, delegating permissions to this group and keeping your
> Domain Admins group to a very select few that can be trusted.
>
> Kind regards
> --
> Mark Renoden [MSFT]
> Windows Platform Support Team
> Email: markreno@online.microsoft.com
>
> Please note you'll need to strip ".online" from my email address to email
> me; I'll post a response back to the group.
>
> This posting is provided "AS IS" with no warranties, and confers no rights.
>
> "Josh" <joshuabrown@gmail.com> wrote in message
> news:e7d88c81.0411011409.c1d654b@posting.google.com...
> >I am trying (unsuccessfully) to prevent accidental deletion of several
> > OUs by our domain admins. For testing purposes, I have done this:
> >
> > 1) Created a new OU, removed inheritance of permissions.
> > 2) Removed all groups from the permissions
> > 3) Added Domain Admins with Full Control
> > 4) Explicitly set Deny rights for Domain Admins for Delete, Delete
> > Subtree, and Delete Organizational Object.
> >
> > Create new user, add user to Domain Admins. Log in with user, and the
> > OU can be deleted without warning.
> >
> > The only way I have gotten this to work is by creating a user in the
> > OU that I want to protect, and setting Deny All rights for the Domain
> > Admins group on that user. That prevents Domain Admins from deleting
> > the parent OU, but it is a pretty bad solution...and it doesn't
> > explain why the Domain Admins can delete the OU when all relevant
> > deletion ACLs are set to Deny.
> >
> > Any thoughts?
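As an added example that is not part of the thread, the PowerShell below reproduces step 4 of the quoted test (explicit Deny ACEs for Domain Admins on the OU) and also denies Delete Child on the OU's parent container, because AD, like the rest of Windows, also permits removing an object when the caller holds Delete Child on its parent, and a Deny placed on the OU itself never overrides an Allow evaluated on the parent. It then lists every delete-related ACE on both objects so the result can be verified. It assumes the ActiveDirectory (RSAT) module, a placeholder OU DN, and an account allowed to edit the DACLs.

```powershell
# Added example, not from the thread. Assumes the ActiveDirectory (RSAT) module,
# a placeholder OU DN, and an account permitted to edit the DACLs.
Import-Module ActiveDirectory

$ouDN     = 'OU=Protected,DC=example,DC=com'     # placeholder DN
$parentDN = ($ouDN -split ',', 2)[1]              # container that holds the OU
$sid      = (Get-ADGroup 'Domain Admins').SID
$delMask  = [System.DirectoryServices.ActiveDirectoryRights]'Delete, DeleteTree, DeleteChild'

# Adds a non-inherited Deny ACE for Domain Admins carrying $Rights to object $Dn.
function Add-DenyAce {
    param([string]$Dn, [System.DirectoryServices.ActiveDirectoryRights]$Rights)
    $entry = [ADSI]"LDAP://$Dn"
    $ace = [System.DirectoryServices.ActiveDirectoryAccessRule]::new(
        $sid, $Rights,
        [System.Security.AccessControl.AccessControlType]::Deny,
        [System.DirectoryServices.ActiveDirectorySecurityInheritance]::None)
    $entry.psbase.ObjectSecurity.AddAccessRule($ace)
    $entry.psbase.CommitChanges()
}

# Lists every ACE on $Dn that allows or denies any delete-related right.
# GenericAll (Full Control) contains the delete bits, so it is reported as well.
function Get-DeleteAces {
    param([string]$Dn)
    $acl = ([ADSI]"LDAP://$Dn").psbase.ObjectSecurity
    $acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier]) |
        Where-Object { ($_.ActiveDirectoryRights -band $delMask) -ne 0 } |
        Select-Object @{n='Object';e={$Dn}}, IdentityReference, AccessControlType,
                      ActiveDirectoryRights, IsInherited
}

# Step 4 of the quoted test: Deny Delete, Delete Subtree and Delete Child on the OU.
Add-DenyAce -Dn $ouDN -Rights $delMask

# Second path to deletion: Delete Child on the parent. Full Control on the parent
# includes it, so the Deny has to be placed on the parent object as well.
Add-DenyAce -Dn $parentDN -Rights ([System.DirectoryServices.ActiveDirectoryRights]::DeleteChild)

# Verify: each object should now show an explicit Deny for Domain Admins ahead of
# any Allow (Full Control) that would otherwise permit the deletion.
Get-DeleteAces $ouDN     | Format-Table -AutoSize
Get-DeleteAces $parentDN | Format-Table -AutoSize
```

A Deny scoped to Domain Admins does not cover rights the same users hold through other groups (Domain Admins is nested in Builtin\Administrators), so the audit output should be checked for Allow entries granted to other principals on both objects.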