Re: Delegation of groups admin. - restricted to a subset of object

hi,
it's true what you say, if i have read rights on that ou (on that security
principal) where that security principal reside, if i have deny read on that
ou i can't add because i can't find them.
--
Dragos CAMARA
MCSA Windows 2003 server


"Jorge de Almeida Pinto [MVP - DS]" wrote:

Dragos,

Adding something to a group can be done in the following ways:
(1) Open the group, goto the members tab and add something as a member
(2) Open something, goto to the member of tab and add the group that
something should be member of

In BOTH cases, wether you like it or not, you are writing the MEMBER
attribute of the group and NOT the MEMBEROF attribute (which are linked
pairs) MEMBEROF is NEVER written by the person changing the group
membership. It is changed by each individual DC as soon as the new value in
the MEMBER attribute replicates in.

--

Cheers,
(HOPEFULLY THIS INFORMATION HELPS YOU!)

# Jorge de Almeida Pinto # MVP Windows Server - Directory Services

BLOG (WEB-BASED)--> http://blogs.dirteam.com/blogs/jorge/default.aspx
BLOG (RSS-FEEDS)--> http://blogs.dirteam.com/blogs/jorge/rss.aspx
------------------------------------------------------------------------------------------
* How to ask a question --> http://support.microsoft.com/?id=555375
------------------------------------------------------------------------------------------
* This posting is provided "AS IS" with no warranties and confers no rights!
* Always test before implementing!
------------------------------------------------------------------------------------------
#################################################
#################################################
------------------------------------------------------------------------------------------
"Dragos CAMARA" <dragos_c@xxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:BECACAC6-02A2-4B14-9BC9-14C127A23745@xxxxxxxxxxxxxxxx
hi,
OU1 = workstations+group1->member of groupmaster;delegated admin1 have
full
rights
OU2=wokstations+group2->member of groupmaster;delegated admin2 have full
rights
OUmaster= groupmaster;admin1+admin2 dosent have rights here;

i dont want to argue with you but the this is the fact what i see:
he dont want to add "a certain set of computers" it's want to add only the
workstation on that OU.
"if you are delegated the right to manage group membership, you are
delegated
the right to make EVERY SECURITY PRINCIPAL (users,groups,computers) a
member
of that group" only if i have the rights to change the group memberof of
that security principal - and in the case of that i don't have rights on
others OU so i cant add in my group the other workstation from the others
OU's and if in my ou i have delegate only to computers to write memeberof
i
can add only workstations from that ou (in most cases is sufficient to
deny
write memeberof on users object).
--
Dragos CAMARA
MCSA Windows 2003 server


"Jorge de Almeida Pinto [MVP - DS]" wrote:

have you read what I posted earlier?

--

Cheers,
(HOPEFULLY THIS INFORMATION HELPS YOU!)

# Jorge de Almeida Pinto # MVP Windows Server - Directory Services

BLOG (WEB-BASED)--> http://blogs.dirteam.com/blogs/jorge/default.aspx
BLOG (RSS-FEEDS)--> http://blogs.dirteam.com/blogs/jorge/rss.aspx
------------------------------------------------------------------------------------------
* How to ask a question --> http://support.microsoft.com/?id=555375
------------------------------------------------------------------------------------------
* This posting is provided "AS IS" with no warranties and confers no
rights!
* Always test before implementing!
------------------------------------------------------------------------------------------
#################################################
#################################################
------------------------------------------------------------------------------------------
"Dragos CAMARA" <dragos_c@xxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:B432DCC7-E108-403D-9E5E-08CFA02F01A9@xxxxxxxxxxxxxxxx
why? for shure is not a direct metod, but in fact the admnistrators of
that
OU will can add on that group only the computers that he manage and not
the
others.
--
Dragos CAMARA
MCSA Windows 2003 server


"Joe Richards [MVP]" wrote:

That doesn't actually solve the problem the OP has.

--
Joe Richards Microsoft MVP Windows Server Directory Services
Author of O'Reilly Active Directory Third Edition
www.joeware.net


---O'Reilly Active Directory Third Edition now available---

http://www.joeware.net/win/ad3e.htm


Dragos CAMARA wrote:
i do like this :
place the main application group in other OU,
create a application group in each OU so the administrators can add
the
computers to that group, and add this applications groups to the
main
application group.







.

Relevant Pages

  • Re: DC v Heller: Amicus Brief of the Real Linguists, Part I
    ... Otherwise, a foreigner like Verdugo could, but Rehnquist rightly pointed out that as he was NOT a member of THE PEOPLE CLASS, he could NOT claim the right, even though he IS an individual, but NOT AN INDIVIDUAL MEMBER OF THE PEOPLE. ... But, as Rehnquist points out, the rights of the 4th Amen extend ONLY to THE PEOPLE! ... How would an 80-year-old black woman from Haiti having an "individual right" to "own and carry guns" further the security of a free state to have a well-regulated militia, when such a person would be FOUR WAYS prohibited from SERVING in the militia or VOTING for the legislature that organizes and controls it? ... OR, and this is where the BoR comes in, any rights they MAY have claimed were not PROTECTED or GUARANTEED by the Constitution! ...
    (talk.politics.guns)
  • Re: Senate Republican Leader Mitch McConnelL Nixes District Of Columbia Voting Rights In Sente
    ... House Member ... representation in the U.S. House. ... The bill would grant full voting rights to the District's ...
    (talk.politics.guns)
  • Re: DC v Heller: Amicus Brief of the Real Linguists, Part I
    ... They didn't forfeit them; ... Did KIDS forfeit their 4th Amen rights? ... did felons "forfeit" their right to Freedom of Religion? ... NO, he simply was NOT a member of THE PEOPLE CLASS that had the right, ...
    (talk.politics.guns)
  • Re: A job for life and source of income
    ... It has to do with human rights. ... each member of the body politic ... There are only duties and ... SilverMask ...
    (soc.religion.bahai)
  • Re: Right to add computers to a domain
    ... the computer was also member of an OU, so I had to grant the same rights to ... right to add computers to that domain, but without being member of the ... It all began with Adam. ...
    (microsoft.public.windows.server.security)