Re: how to restrict users to search in their own Organizational Unit
- From: "Jorge Silva" <jorgesilva_pt@xxxxxxxxxxx>
- Date: Sat, 16 Dec 2006 11:58:35 -0000
I think that you already have enough information to do that.
You can:
1- Create a Security Group and deny the read permission to certain OUs, then place the MOSS administrators in that Security group so they can't have read access to those OUs.
2- Create a Security Group, place the required users in that group, then MOSS Administrators should relate the AD security groups with MOSS security group.
3- In future, users that need access to the sites can be placed directly in the AD security group, and because these security groups already have a direct relationship with MOSS security groups they'll be granted the correct permission.
Now, as Herb stated in the last post (I didn't understand it at first - Sorry Herb), you can have problems related to the maintenance of the group membership, because you're dealing with many OUs and Users, so you should write a script to automate the process of maintaining the group membership, and you can also use another script to define the new permissions, add users etc.
--
*************************************************
I hope that the information above helps you
Good Luck
Jorge Silva
MCSA + Exchange + MSCE
*************************************************
<lao.nightwolf@xxxxxxxxx> wrote in message news:1166196737.575054.60060@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
Thanks everyone for your contribution.
However the most important thing that we want to establish is that
MOSS2007 Admins (some of our customers are Sharepoint Admins) cannot
see other Organizational Units and their users.
Herb Martin wrote:
> In my opinion, at the end, even if you implement scripts, it's all about
> groups... You can't do this by user scope, you must use groups, so why
> mess with defaults when we can take advantage of MOSS capabilities.
What is MOSS?
"Microsoft Office SharePoint Server (MOSS)"
Agree about Groups, but the point was that maintaining the membership
of the group as you add, delete, and move users among OUs needs to
be automated -- especially if security depends on it (which I am not
convinced of in this scenario but did seem to be his goal.)
With a Script you can schedule it to do regular maintenance on the
groups so that they stay consistent with OU memberships.
And he asked how he was supposed to do all this for MANY OUs
even initially. Answer: Write a script.
>> In a large domain, manually ensuring new users have
>> the correct group membership (when failure to do so
>> will expose a security hole rather than allow access
>> and thus have the user complaining) is a very easy
>> thing to mess up.
>
> Yes I agree in this point, that's why I suggested to take advantage of
> MOSS Groups and AD Groups.
> Pretty easy (In my opinion)
Maybe MOSS is some automatic group maintenance I don't
know about -- which is fine and if that is so it will perform
exactly the same goal as the script idea as long as it also
handles the initial setup that concerned the poster.
The point of the script was to AUTOMATE, not to build the
script for the sake of a script.
> Create MOSS security groups, relate them with AD groups then when a new
> user is needed just place it in the correct group.
That is the ISSUE: Most people will not be able to ensure
that such group memberships are maintained over time if
it involves manual steps AND requires one "remember"
to do them.
> If MOSS Admins need to administer users and/or group membership, just
> create a mmc console and delegate the proper rights for them.
--
Herb Martin, MCSE, MVP
Accelerated MCSE
http://www.LearnQuick.Com
[phone number on web site]
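
The scheduled script discussed in this thread, one that keeps each security group consistent with the users located in its OU, as an added example that is not code from any poster in the thread. It assumes the ActiveDirectory PowerShell module for the live part; the OU, group and user names are constructed placeholders.

```powershell
# Added example: keep one security group per OU in step with OU placement.
# All OU, group and user names here are constructed placeholders.

function Get-GroupSyncPlan {
    # Pure comparison: which DNs to add to / remove from the group.
    param([string[]]$OuUserDns = @(), [string[]]$GroupMemberDns = @())
    [pscustomobject]@{
        ToAdd    = @($OuUserDns      | Where-Object { $GroupMemberDns -notcontains $_ })
        ToRemove = @($GroupMemberDns | Where-Object { $OuUserDns      -notcontains $_ })
    }
}

function Sync-OuGroup {
    # Applies the plan against a live domain; run with -WhatIf first.
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory)][string]$OuDn,
          [Parameter(Mandatory)][string]$GroupName)
    Import-Module ActiveDirectory
    $inOu = @(Get-ADUser -Filter * -SearchBase $OuDn -SearchScope Subtree |
              ForEach-Object DistinguishedName)
    $inGroup = @(Get-ADGroupMember -Identity $GroupName |
                 Where-Object objectClass -eq 'user' |
                 ForEach-Object distinguishedName)
    $plan = Get-GroupSyncPlan -OuUserDns $inOu -GroupMemberDns $inGroup
    # Removals first: a user who left the OU but kept the group retains access.
    if ($plan.ToRemove.Count -and
        $PSCmdlet.ShouldProcess($GroupName, "remove $($plan.ToRemove.Count) member(s)")) {
        Remove-ADGroupMember -Identity $GroupName -Members $plan.ToRemove -Confirm:$false
    }
    if ($plan.ToAdd.Count -and
        $PSCmdlet.ShouldProcess($GroupName, "add $($plan.ToAdd.Count) member(s)")) {
        Add-ADGroupMember -Identity $GroupName -Members $plan.ToAdd
    }
    $plan
}

# Constructed sample data (no domain needed): bob moved to another OU, carol is new.
$ouUsers = 'CN=alice,OU=CustomerA,DC=example,DC=test',
           'CN=carol,OU=CustomerA,DC=example,DC=test'
$members = 'CN=alice,OU=CustomerA,DC=example,DC=test',
           'CN=bob,OU=CustomerB,DC=example,DC=test'
$plan = Get-GroupSyncPlan -OuUserDns $ouUsers -GroupMemberDns $members
"Add:    $($plan.ToAdd -join '; ')"
"Remove: $($plan.ToRemove -join '; ')"
```

Running `Sync-OuGroup` from a scheduled task once per OU/group pair covers both the initial population for many OUs and the ongoing maintenance, with no manual step to remember.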