Re: How to copy ACLs from one OU to another?



Sounds like a good design. I suggest you go with the dsacls tool.
Search on Google for "dsacls" to find the syntax.

--
Regards
Christoffer Andersson
Microsoft MVP - Directory Services

No email replies please - reply in the newsgroup
------------------------------------------------
http://www.chrisse.se - Active Directory Tips

"D Dub" <DDub@xxxxxxxxxxxxxxxxxxxxxxxxx> skrev i meddelandet
news:9A436812-9811-46B4-8A33-C1035D7067CF@xxxxxxxxxxxxxxxx
> Thanks for your reply.
>
> On the design question... Maybe an example will make my situation clearer. I
> have an OU for each remote office (City), and under the City OU are 3 OUs,
> one each for Users, Groups, and Computers. I want to grant local and
> corporate personnel certain privileges for administration in these OUs, but
> only allowing user objects to exist in the Users OU, only Groups in the
> Groups OU, etc. Then certain admin groups may have more or less rights-- e.g.
> the local city admins may reset passwords and change group memberships, but
> only the corporate IT admins can create or delete users and groups. So, most
> of the permissioning is happening at the outside of the tree (on the last OU
> objects). This model will be replicated for 30 or more locations, so I would
> have to recreate all those custom permissions for the User/Group/Computer OUs
> under every other City OU.
>
> Does this design still pose a performance issue in your opinion?
>
> Thanks again...
>
>
> "Chriss3 [MVP]" wrote:
>
>> Hello,
>> This may be a design question? If you can change the design of your
>> directory to make use of inheritance I strongly recommend that. If you have
>> the option to create a top level OU and put the others within it you can
>> inherit the common permission to your child OUs.
>>
>> If you can't change your design to make use of inheritance, you can use the
>> dsacls command line tool to easily specify the command that will set the
>> required permission and then just switch the OU (DN) you want to apply the
>> permission to. There are more advanced ways as well that require scripting or
>> coding. Have a look in the ADSI newsgroups as well.
>> --
>> Regards
>> Christoffer Andersson
>> Microsoft MVP - Directory Services
>>
>> No email replies please - reply in the newsgroup
>> ------------------------------------------------
>> http://www.chrisse.se - Active Directory Tips
>>
>> "D Dub" <DDub@xxxxxxxxxxxxxxxxxxxxxxxxx> skrev i meddelandet
>> news:9FB6688E-B758-4EC9-BF19-5281CA1A7A23@xxxxxxxxxxxxxxxx
>> > Hi All,
>> >
>> > I have to create some very detailed access permissions on a set of OUs in
>> > AD (too granular to use the delegation wizard), and then duplicate those
>> > ACEs on the security descriptors of many other OUs in the directory. Is
>> > there a tool or method which will let me copy permissions between OUs in
>> > this way? I am trying to save myself hours of redundant manual
>> > permissioning throughout the tree.
>> >
>> > Any guidance would be greatly appreciated!
>> >
>> > Thank you.
>>
>>
>>
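
The approach suggested in this thread (write the dsacls grant once, then switch the OU DN) can be scripted as a permission template applied per city. This is an added example, not code from any poster in the thread; the domain, city and group names are assumed placeholders, and the trustee is parameterized so that each city's local admin group receives rights only on its own OUs rather than a literal copy of another city's ACEs.

```powershell
# Added example. Domain, city and group names are assumed placeholders.
param([switch]$Apply)   # without -Apply the script only prints the commands

$domainDn = 'DC=example,DC=com'     # assumed domain DN
$netbios  = 'EXAMPLE'               # assumed NetBIOS domain name
$cities   = 'Seattle', 'Denver'     # assumed: one top-level OU per city

# Permission template. {0} is replaced by the city name, so a city's local
# admin group is never granted rights on another city's OUs.
#   /I:S = ACE applies to child objects only; /I:T = this object and children
$template = @(
    # Local city admins: reset passwords, change group membership
    @{ Ou = 'Users';  Trustee = '{0}-Admins';     Inherit = 'S'; Right = 'CA;Reset Password;user' }
    @{ Ou = 'Groups'; Trustee = '{0}-Admins';     Inherit = 'S'; Right = 'WP;member;group' }
    # Corporate IT admins: create/delete only the object class that belongs in each OU
    @{ Ou = 'Users';  Trustee = 'Corp-IT-Admins'; Inherit = 'T'; Right = 'CCDC;user' }
    @{ Ou = 'Groups'; Trustee = 'Corp-IT-Admins'; Inherit = 'T'; Right = 'CCDC;group' }
)

foreach ($city in $cities) {
    foreach ($t in $template) {
        $dn      = "OU=$($t.Ou),OU=$city,$domainDn"
        $trustee = "$netbios\" + ($t.Trustee -f $city)
        $grant   = "${trustee}:$($t.Right)"
        if ($Apply) {
            # PowerShell quotes arguments containing spaces for the native call
            & dsacls.exe $dn "/I:$($t.Inherit)" /G $grant
        } else {
            # Dry run: print the command line for review before any ACL changes
            'dsacls "{0}" /I:{1} /G "{2}"' -f $dn, $t.Inherit, $grant
        }
    }
}
```

Running it without `-Apply` gives a reviewable list of every grant; running `dsacls` with only an OU's DN afterwards displays that OU's resulting ACL for comparison against the template.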

