Weird Permissions Problem
From: Dave Clark (dave.clark_at_ddess.org)
Date: 06/03/04
- Next message: Eric Fleischman [MSFT]: "Re: logon server"
- Previous message: DLN: "Integrating Unix logons into Windows AD"
- Next in thread: Ron Stewart: "Re: Weird Permissions Problem"
- Reply: Ron Stewart: "Re: Weird Permissions Problem"
- Messages sorted by: [ date ] [ thread ]
Date: Thu, 3 Jun 2004 07:57:09 -0700
When logging into a DOMAIN CONTROLLER as what we refer to
as an "OU ADMINISTRATOR" (i.e. does not have DOMAIN ADMIN
rights). All my AD permissions work properly while in AD
Users and Computers. They can only do what we have given
them rights to. However, with AD Users and Computers
running on a WORKSTATION they can do much, much more.
Example in one container we created a OU ADMIN
container. Here at the server logged in as an ou admin
they cannot make any changes to any of the users in this
OU. This is correct.
However, logged in as the same user on a workstation
(which has ADMIN rights to the local workstation), they
can adjust those objects.
WHY are the permissions not working properly apparently?
What am I missing that having AD users and computers on a
local workstation allows changes, but logging into a
domain controller does not and works properly.
I can't for the life of me see where they are getting any
permissions to do this. They are only in 2 groups, and
neither of those groups have any permissions to these
objects.
- Next message: Eric Fleischman [MSFT]: "Re: logon server"
- Previous message: DLN: "Integrating Unix logons into Windows AD"
- Next in thread: Ron Stewart: "Re: Weird Permissions Problem"
- Reply: Ron Stewart: "Re: Weird Permissions Problem"
- Messages sorted by: [ date ] [ thread ]
Relevant Pages
|
