Re: Delegation of Control
- From: "Cary Shultz" <cwshultz@xxxxxxxx>
- Date: Mon, 6 Mar 2006 04:46:34 -0500
Dang it!
KJ, you have posted that once. I forgot about that. Thank you for
'reminding' me!
--
Cary W. Shultz
Roanoke, VA 24012
"kj" <kj@xxxxxxxxxxx> wrote in message
news:uwkJa1NQGHA.532@xxxxxxxxxxxxxxxxxxxxxxx
DSREVOKE can document (/report) the delegations to domain objects and OU's
and also "revoke" them (genrally).
It's not a "wizard" by any means, unless you compare it to searching and
documenting by hand.
--
/kj
"Ace Fekay [MVP]"
<PleaseSubstituteMyActualFirstName&LastNameHere@xxxxxxxxxxx> wrote in
message news:ukA7GiNQGHA.5092@xxxxxxxxxxxxxxxxxxxxxxx
In news:e1kuz3IQGHA.564@xxxxxxxxxxxxxxxxxxxx,
Cary Shultz <cwshultz@xxxxxxxx> stated, which I commented on below:
Spin,
In addition to what PaulW has stated....
Please note that if you do use the Delegation Wizard there is really
no place where you can look to see what things you have changed other
than the objects themselves. In other words, there is no 'report'
that is created when you use the Delegation Wizard. You will really
need to document this so that you will know exactly who (better to
use groups than user account objects) has been given what!
Excellent point, Cary.
I would like to add, there is no "undelegate" wizard. So if a delegated
user were to change their job and were to be moved to a different OU,
(assuming the delegated user was picked out of the OU they are to
delegate), their permissions still remain and they can still alter
objects. One would need to go into the Security tab of the OU (Adv View)
to manually remove them.
Just an FYI, when I demo delegations in a classroom setting by picking a
user in a specific OU, I would then move the delegated user to a
different OU. I will then ask the class if the delegated user I just
moved still has control in the OU I just moved them from. Surprisingly,
about 75% or more think they no longer have permissions to that OU
because I moved them, and the class usually consists of current AD
network administrators or IT managers.
--
Ace
This posting is provided "AS-IS" with no warranties or guarantees and
confers no rights.
Having difficulty reading or finding responses to your post?
Instead of the website you're using, I suggest to use OEx (Outlook
Express or any other newsreader), and configure a news account, pointing
to news.microsoft.com. This is a direct link to the Microsoft Public
Newsgroups. It is FREE and requires NO ISP's Usenet account. OEx allows
you to easily find, track threads, cross-post, sort by date, poster's
name, watched threads or subject.
It's easy:
How to Configure OEx for Internet News
http://support.microsoft.com/?id=171164
Ace Fekay, MCSE 2003 & 2000, MCSA 2003 & 2000, MCSE+I, MCT, MVP
Microsoft MVP - Directory Services
Microsoft Certified Trainer
Assimilation Imminent. Resistance is Futile
Infinite Diversities in Infinite Combinations
"Very funny Scotty. Now, beam down my clothes."
The only thing in life is change. Anything more is a blackhole consuming
unnecessary energy.
.
- Follow-Ups:
- Re: Delegation of Control
- From: kj
- Re: Delegation of Control
- References:
- Delegation of Control
- From: Spin
- Re: Delegation of Control
- From: Cary Shultz
- Re: Delegation of Control
- From: Ace Fekay [MVP]
- Re: Delegation of Control
- From: kj
- Delegation of Control
- Prev by Date: GPO does not apply
- Next by Date: Re: Problem with HP System Management Homepage in domain Controlers
- Previous by thread: Re: Delegation of Control
- Next by thread: Re: Delegation of Control
- Index(es):
Relevant Pages
|
