Re: How to copy ACLs from one OU to another?



Thanks for your reply.

On the design question... Maybe an example will make my situation clearer. I
have an OU for each remote office (City), and under the City OU are 3 OUs,
one each for Users, Groups, and Computers. I want to grant local and
corporate personnel certain privileges for administration in these OUs, but
only allowing user objects to exist in the Users OU, only Groups in the
Groups OU, etc. Then certain admin groups may have more or less rights-- e.g.
the local city admins may reset passwords and change group memberships, but
only the corporate IT admins can create or delete users and groups. So, most
of the permissioning is happening at the outside of the tree (on the last OU
objects). This model will be replicated for 30 or more locations, so I would
have to recreate all those custom permissions for the User/Group/Computer OUs
under every other City OU.

Does this design still pose a performance issue in your opinion?

Thanks again...


"Chriss3 [MVP]" wrote:

> Hello,
> This may be a design question? If you can change the design of your
> directory to make use of inheritance I strongly recommend that. If you have
> the option to create a top level OU and put the others within it you can
> inherit the common permission to your child OUs.
>
> If you can't change your design to make use of inheritance, you can use the
> dsacls command line tool to easily specify the command that will set the
> required permission and then just switch the OU (DN) you want to apply the
> permission to. There are more advanced ways as well that require scripting or
> coding. Have a look in the ADSI newsgroups as well.
> --
> Regards
> Christoffer Andersson
> Microsoft MVP - Directory Services
>
> No email replies please - reply in the newsgroup
> ------------------------------------------------
> http://www.chrisse.se - Active Directory Tips
>
> "D Dub" <DDub@xxxxxxxxxxxxxxxxxxxxxxxxx> skrev i meddelandet
> news:9FB6688E-B758-4EC9-BF19-5281CA1A7A23@xxxxxxxxxxxxxxxx
> > Hi All,
> >
> > I have to create some very detailed access permissions on a set of OUs in
> > AD (too granular to use the delegation wizard), and then duplicate those
> > ACEs on the security descriptors of many other OUs in the directory. Is
> > there a tool or method which will let me copy permissions between OUs in
> > this way? I am trying to save myself hours of redundant manual
> > permissioning throughout the tree.
> >
> > Any guidance would be greatly appreciated!
> >
> > Thank you.
>
>
>
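
One scripted way to do the copy discussed in this thread, as an added example that is not from either poster: it reads the explicit (non-inherited) ACEs from a hand-permissioned template city's Users/Groups/Computers OUs and adds them to the matching OUs under other cities. The domain DN, city names and the convention that per-city admin groups contain the city name (e.g. `EXAMPLE\TemplateCity-Admins`) are assumptions; it uses the ActiveDirectory PowerShell module's `AD:` drive.

```powershell
Import-Module ActiveDirectory   # provides the AD: drive used by Get-Acl/Set-Acl

# All values below are hypothetical placeholders for this example.
$domainDn     = 'DC=example,DC=com'
$templateCity = 'TemplateCity'           # city OU already permissioned by hand
$targetCities = 'CityB', 'CityC'
$childOus     = 'Users', 'Groups', 'Computers'
$apply        = $false                   # $false = report only, $true = write ACLs

foreach ($ou in $childOus) {
    $sourceDn = "OU=$ou,OU=$templateCity,$domainDn"
    # Copy only ACEs set directly on the template OU; inherited ones are
    # already supplied by the parent and must not be stamped as explicit.
    $explicit = @((Get-Acl -Path "AD:\$sourceDn").Access |
                  Where-Object { -not $_.IsInherited })

    foreach ($city in $targetCities) {
        $targetDn  = "OU=$ou,OU=$city,$domainDn"
        $targetAcl = Get-Acl -Path "AD:\$targetDn"

        foreach ($ace in $explicit) {
            # Assumed naming convention: a local admin group carries the city
            # name, so the template's group is swapped for the target city's.
            # Corporate groups without the city name are copied unchanged.
            $name    = $ace.IdentityReference.Value.Replace($templateCity, $city)
            $trustee = [System.Security.Principal.NTAccount]$name

            $rule = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
                $trustee, $ace.ActiveDirectoryRights, $ace.AccessControlType,
                $ace.ObjectType, $ace.InheritanceType, $ace.InheritedObjectType)

            Write-Output ("{0}: {1} {2} [{3}] for {4}" -f $targetDn,
                $ace.AccessControlType, $ace.ActiveDirectoryRights,
                $ace.InheritanceType, $name)
            if ($apply) { $targetAcl.AddAccessRule($rule) }  # throws if trustee does not resolve
        }

        if ($apply) { Set-Acl -Path "AD:\$targetDn" -AclObject $targetAcl }
    }
}
```

Run it first with `$apply = $false` and review the listed ACEs, since anything over-broad on the template OU is replicated to every target.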