Re: how to restrict users to search in their own Organizational Unit



In my opinion, at the end, even if you implement scripts, it's all about
groups... You can't do this by user scope, you must use groups, so why
mess with defaults when we can take advantage of MOSS capabilities.


What is MOSS?
"Microsoft Office SharePoint Server (MOSS)"

Agree about Groups, but the point was that maintaining the membership
of the group as you add, delete, and move users among OUs needs to
be automated -- especially if security depends on it (which I am not
convinced of in this scenario but did seem to be his goal.)

With a Script you can schedule it to do regular maintenance on the
groups so that they stay consistent with OU memberships.

And he asked how he was supposed to do all this for MANY OUs
even initially. Answer: Write a script.

In a large domain, manually ensuring new users have
the correct group membership (when failure to do so
will expose a security hole rather than allow access
and thus have the user complaining) is a very easy
thing to mess up.

Yes, I agree on this point, that's why I suggested taking advantage of
MOSS Groups and AD Groups.
Pretty easy (in my opinion).

Maybe MOSS has some automatic group maintenance I don't
know about -- which is fine and if that is so it will perform
exactly the same goal as the script idea as long as it also
handles the initial setup that concerned the poster.

The point of the script was to AUTOMATE, not to build the
script for the sake of a script.

Create MOSS security groups, relate them with AD groups then when a new
user is needed just place it in the correct group.

That is the ISSUE: Most people will not be able to ensure
that such group memberships are maintained over time if
it involves manual steps AND requires one to "remember"
to do them.

If MOSS Admins need to administer users and/or group membership, just
create an MMC console and delegate the proper rights for them.


--
Herb Martin, MCSE, MVP
Accelerated MCSE
http://www.LearnQuick.Com
[phone number on web site]
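The scheduled maintenance Herb describes (keeping an AD security group in step with the users actually located in an OU, adding newcomers and, more importantly, removing users who have been moved out) as an added PowerShell example; it is not code from the original thread. It assumes the ActiveDirectory module is available, and the group and OU names are placeholders to be replaced.

```powershell
# Added example, not from the thread: reconcile one AD security group with the
# set of enabled users in one OU so the group used for MOSS/OU permissions
# never drifts as users are created, moved or deleted. Schedule it to run
# regularly; try it with -WhatIf first to see the changes it would make.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [Parameter(Mandatory)] [string] $GroupName,   # placeholder, e.g. "MOSS-Admins-Sales"
    [Parameter(Mandatory)] [string] $OUPath,      # placeholder, e.g. "OU=Sales,DC=example,DC=com"
    [switch] $IncludeSubtree                      # also include users in child OUs
)

Import-Module ActiveDirectory -ErrorAction Stop

$scope = if ($IncludeSubtree) { 'Subtree' } else { 'OneLevel' }

# Desired state: every enabled user object currently located in the OU.
$desired = @(Get-ADUser -Filter 'Enabled -eq $true' -SearchBase $OUPath -SearchScope $scope |
             Select-Object -ExpandProperty DistinguishedName)

# Current state: direct user members only. Nested groups are deliberately not
# expanded, because a nested group would silently widen who the permission covers.
$current = @(Get-ADGroupMember -Identity $GroupName |
             Where-Object { $_.objectClass -eq 'user' } |
             Select-Object -ExpandProperty DistinguishedName)

$toAdd    = @($desired | Where-Object { $_ -notin $current })
$toRemove = @($current | Where-Object { $_ -notin $desired })

foreach ($dn in $toAdd) {
    if ($PSCmdlet.ShouldProcess($dn, "Add to $GroupName")) {
        Add-ADGroupMember -Identity $GroupName -Members $dn
    }
}

foreach ($dn in $toRemove) {
    # The stale member is the security-relevant case: a user moved to another
    # OU keeps whatever the group grants until this removal runs.
    if ($PSCmdlet.ShouldProcess($dn, "Remove from $GroupName")) {
        Remove-ADGroupMember -Identity $GroupName -Members $dn -Confirm:$false
    }
}

Write-Verbose ("{0}: {1} added, {2} removed" -f $GroupName, $toAdd.Count, $toRemove.Count)
```

Run it once per OU/group pair from a scheduled task under an account delegated only the right to modify membership of those groups, and log the -Verbose output so unexpected removals are visible.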


