Re: replication monitoring rights


From: ptwilliams (ptw2001_at_hotmail.com)
Date: 01/27/05


Date: Thu, 27 Jan 2005 00:01:58 -0000


> 1. What rights are needed to perform AD replication monitoring when not a
> domain admin?

Are we talking about viewing the status using replmon or being able to force
replication by right-clicking connection objects and choosing replicate now?

There are atomic permissions that cover this on each partition. So you will
need to configure the appropriate permissions on the Enterprise and domain
partitions. If this is what you are after let us know.

> 2. Using vbscript and the adsi interface, performing mass updates to user
> accounts. I have a feeling that .setinfo cannot be done as they are no
> longer domain admins, BUT, have full delegation to their users? Is there
> another permission needed for this?

How have you configured permissions and what are you trying to set?
Specific examples of failures will better help us to help you. Also, ensure
that the permissions set at the OU level are inherited by all objects within
that OU. Sometimes you'll find objects that are not set to inherit. Also,
the PDCe resets protected group members back to not inherit, etc. as defined
on the adminSDHolder object every hour.

-- 
Paul Williams
http://www.msresource.net/
http://forums.msresource.net/

"edwardb" <dirwolf@speakeasy.net> wrote in message 
news:1106761637.9318.10.camel@localhost.localdomain...
We have recently gone through a strict security measure and removed
pretty much everyone from domain admins and started to delegate every
little task people need to do.
There are 2 things I have questions about:
1. What rights are needed to perform AD replication monitoring when not
a domain admin?
2. Using vbscript and the adsi interface, performing mass updates to
user accounts. I have a feeling that .setinfo cannot be done as they are
no longer domain admins, BUT, have full delegation to their users? Is
there another permission needed for this?
Thanks.
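
The check suggested in the reply above (objects that do not inherit the OU's permissions, and accounts whose ACL comes from adminSDHolder), as an added PowerShell example that is not part of the original thread. `Get-DelegationBlocker`, `New-SampleUser` and the sample DNs are hypothetical names, and the sample objects are constructed so the block runs without a domain.

```powershell
# Added example, not from the thread. Input objects need DistinguishedName,
# adminCount and nTSecurityDescriptor, e.g. from the ActiveDirectory module:
#   Get-ADUser -SearchBase $ou -Filter * -Properties adminCount, nTSecurityDescriptor
Add-Type -AssemblyName System.DirectoryServices

function Get-DelegationBlocker {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        $InputObject
    )
    process {
        # A protected DACL means ACEs delegated on the OU never reach this object.
        $protected = $InputObject.nTSecurityDescriptor.AreAccessRulesProtected
        if (-not $protected) { return }   # inherits normally, nothing to report

        $reason = if ($InputObject.adminCount -eq 1) {
            'adminCount=1: ACL copied from adminSDHolder, OU delegation not inherited'
        } else {
            'Inheritance disabled on the object itself'
        }
        [pscustomobject]@{
            DistinguishedName = $InputObject.DistinguishedName
            Reason            = $reason
        }
    }
}

# Constructed sample objects (hypothetical DNs, well-known SID aliases only).
function New-SampleUser($Dn, $AdminCount, $Sddl) {
    $sd = New-Object System.DirectoryServices.ActiveDirectorySecurity
    $sd.SetSecurityDescriptorSddlForm($Sddl)
    [pscustomobject]@{
        DistinguishedName    = $Dn
        adminCount           = $AdminCount
        nTSecurityDescriptor = $sd
    }
}

$sample = @(
    New-SampleUser 'CN=Alice,OU=Staff,DC=example,DC=test' $null 'D:AI(A;ID;GA;;;BA)'
    New-SampleUser 'CN=Bob,OU=Staff,DC=example,DC=test'   $null 'D:PAI(A;;GA;;;BA)'
    New-SampleUser 'CN=Carol,OU=Staff,DC=example,DC=test' 1     'D:PAI(A;;GA;;;SY)'
)

# Reports Bob (inheritance switched off) and Carol (adminSDHolder), not Alice.
$sample | Get-DelegationBlocker | Format-Table -AutoSize
```

Re-enabling inheritance fixes objects in the first category; for `adminCount=1` accounts the change is overwritten on the next adminSDHolder pass, so delegated updates to those users keep failing until the account leaves the protected group and its ACL is repaired.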

