Re: Delegation of groups admin. - restricted to a subset of object
- From: Dragos CAMARA <dragos_c@xxxxxxxxxxxxxxxxxxxxxxx>
- Date: Sat, 20 Jan 2007 00:26:01 -0800
hi,
OU1 = workstations+group1->member of groupmaster;delegated admin1 have full
rights
OU2=wokstations+group2->member of groupmaster;delegated admin2 have full
rights
OUmaster= groupmaster;admin1+admin2 dosent have rights here;
i dont want to argue with you but the this is the fact what i see:
he dont want to add "a certain set of computers" it's want to add only the
workstation on that OU.
"if you are delegated the right to manage group membership, you are delegated
the right to make EVERY SECURITY PRINCIPAL (users,groups,computers) a member
of that group" only if i have the rights to change the group memberof of
that security principal - and in the case of that i don't have rights on
others OU so i cant add in my group the other workstation from the others
OU's and if in my ou i have delegate only to computers to write memeberof i
can add only workstations from that ou (in most cases is sufficient to deny
write memeberof on users object).
--
Dragos CAMARA
MCSA Windows 2003 server
"Jorge de Almeida Pinto [MVP - DS]" wrote:
have you read what I posted earlier?.
--
Cheers,
(HOPEFULLY THIS INFORMATION HELPS YOU!)
# Jorge de Almeida Pinto # MVP Windows Server - Directory Services
BLOG (WEB-BASED)--> http://blogs.dirteam.com/blogs/jorge/default.aspx
BLOG (RSS-FEEDS)--> http://blogs.dirteam.com/blogs/jorge/rss.aspx
------------------------------------------------------------------------------------------
* How to ask a question --> http://support.microsoft.com/?id=555375
------------------------------------------------------------------------------------------
* This posting is provided "AS IS" with no warranties and confers no rights!
* Always test before implementing!
------------------------------------------------------------------------------------------
#################################################
#################################################
------------------------------------------------------------------------------------------
"Dragos CAMARA" <dragos_c@xxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:B432DCC7-E108-403D-9E5E-08CFA02F01A9@xxxxxxxxxxxxxxxx
why? for shure is not a direct metod, but in fact the admnistrators of
that
OU will can add on that group only the computers that he manage and not
the
others.
--
Dragos CAMARA
MCSA Windows 2003 server
"Joe Richards [MVP]" wrote:
That doesn't actually solve the problem the OP has.
--
Joe Richards Microsoft MVP Windows Server Directory Services
Author of O'Reilly Active Directory Third Edition
www.joeware.net
---O'Reilly Active Directory Third Edition now available---
http://www.joeware.net/win/ad3e.htm
Dragos CAMARA wrote:
i do like this :
place the main application group in other OU,
create a application group in each OU so the administrators can add the
computers to that group, and add this applications groups to the main
application group.
- Follow-Ups:
- Re: Delegation of groups admin. - restricted to a subset of object
- From: Joe Richards [MVP]
- Re: Delegation of groups admin. - restricted to a subset of object
- From: Jorge de Almeida Pinto [MVP - DS]
- Re: Delegation of groups admin. - restricted to a subset of object
- References:
- Re: Delegation of groups admin. - restricted to a subset of objects
- From: Joe Richards [MVP]
- Re: Delegation of groups admin. - restricted to a subset of object
- From: Jorge de Almeida Pinto [MVP - DS]
- Re: Delegation of groups admin. - restricted to a subset of objects
- Prev by Date: Re: Windows Firewall
- Next by Date: How to get the added date
- Previous by thread: Re: Delegation of groups admin. - restricted to a subset of object
- Next by thread: Re: Delegation of groups admin. - restricted to a subset of object
- Index(es):
Relevant Pages
|
