Re: Delegation of groups admin. - restricted to a subset of objects
- From: "Jorge de Almeida Pinto [MVP - DS]" <SubstituteThisWithMyFullNameSeparatedByDots@xxxxxxxxx>
- Date: Thu, 18 Jan 2007 20:01:57 +0100
The original poster states:
"only add a certain set of computers as members to a set of groups"
This is not possible!
Why?
If you are delegated the right to manage group membership, you are delegated the right to make EVERY SECURITY PRINCIPAL (users, groups, computers) a member of that group.
--
Cheers,
(HOPEFULLY THIS INFORMATION HELPS YOU!)
# Jorge de Almeida Pinto # MVP Windows Server - Directory Services
BLOG (WEB-BASED)--> http://blogs.dirteam.com/blogs/jorge/default.aspx
BLOG (RSS-FEEDS)--> http://blogs.dirteam.com/blogs/jorge/rss.aspx
------------------------------------------------------------------------------------------
* How to ask a question --> http://support.microsoft.com/?id=555375
------------------------------------------------------------------------------------------
* This posting is provided "AS IS" with no warranties and confers no rights!
* Always test before implementing!
------------------------------------------------------------------------------------------
"Dragos CAMARA" <dragos_c@xxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:681B128E-7350-4731-A99F-5300694A8D9B@xxxxxxxxxxxxxxxx
I do it like this:
place the main application group in another OU,
create an application group in each OU so the administrators can add the computers to that group, and add these application groups to the main application group.
--
Dragos CAMARA
MCSA Windows 2003 server
"Gaute" wrote:
We have delegated administration of computer objects (workstations) for specific OUs. So if you are a workstation admin in one OU you can only manage the workstations in this OU and not other OUs (Full control).
We are now creating application groups where workstations are to be members. The application groups are common for all in the domain.
We want to delegate administration of the application groups (to add/remove members of the application group) to the workstation admins. We can create a separate delegated group for this. But the delegated administrator of the application group should only be able to add and remove workstations which are within the OU where he has delegated rights, not other workstations in the domain. Workstations within an OU are in addition members of separate groups.
Is this possible within AD or do we need a web solution? Any suggestions?
Thanks
Gaute
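
Since the reply above states that the right to manage group membership cannot be limited to a subset of objects, an after-the-fact audit of the per-OU application groups can catch members that fall outside the delegated OU. The following is an added example, not part of the original thread; the group name, OU and computer DNs, and the snapshot layout are constructed, and in practice the member list would come from a directory export.

```python
def split_dn(dn):
    """Split a DN into lower-cased RDNs, honouring backslash-escaped commas."""
    rdns, cur, esc = [], [], False
    for ch in dn:
        if esc:
            cur.append(ch)
            esc = False
        elif ch == "\\":
            cur.append(ch)
            esc = True
        elif ch == ",":
            rdns.append("".join(cur))
            cur = []
        else:
            cur.append(ch)
    rdns.append("".join(cur))
    return [r.strip().lower() for r in rdns]

def is_under(dn, ou_dn):
    """True when dn sits below ou_dn, compared RDN by RDN (not by substring)."""
    d, o = split_dn(dn), split_dn(ou_dn)
    return len(d) > len(o) and d[-len(o):] == o

def audit(groups):
    """Return (group, member_dn, reason) for every out-of-scope member."""
    findings = []
    for name, g in groups.items():
        for dn, object_class in g["members"]:
            if object_class != "computer":
                findings.append((name, dn, "not a computer object"))
            elif not is_under(dn, g["ou"]):
                findings.append((name, dn, "outside delegated OU"))
    return findings

# Constructed snapshot: one application group per delegated OU.
SNAPSHOT = {
    "App-Oslo": {"ou": "OU=Oslo,DC=example,DC=com", "members": [
        ("CN=WS001,OU=Oslo,DC=example,DC=com", "computer"),
        ("CN=WS900,OU=Bergen,DC=example,DC=com", "computer"),
        ("CN=jdoe,OU=Oslo,DC=example,DC=com", "user"),
        # An escaped comma in an OU name defeats a plain endswith() check.
        ("CN=WS777,OU=Lab\\,OU=Oslo,DC=example,DC=com", "computer"),
    ]},
}

if __name__ == "__main__":
    for finding in audit(SNAPSHOT):
        print(*finding, sep=" | ")
```

The RDN-by-RDN comparison matters because a plain string suffix test would accept the last constructed member, whose OU name merely contains the text of the delegated OU.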