RE: AD Delegation
- From: Sukhwinder Singh <SukhwinderSingh@xxxxxxxxxxxxxxxxxxxxxxxxx>
- Date: Mon, 21 Sep 2009 00:35:01 -0700
Dear Alex,
The issue is resolved by providing the access "Delete Subtree" because it is
the access required to delete all the objects under that container. The
access has been given on Computer object only.
Thank you all for your support
Sukhwinder

"Alex van Gemst - MCSE / MCITP EA" wrote:
Dear,
Go to the properties for the OU
Choose Advanced
Choose the group you want to delegate the permissions to
Click Edit...
Choose Apply onto: 'Computer Objects'
Select 'Allow Delete Printer Objects'
or 'Delete all Child Objects' if necessary
I think this should enable the local IT staff to delete those computer
accounts
Hope this helps you,
Alex van Gemst - MCSE / MCITP EA

"Sukhwinder Singh" wrote:
Dear All,
We are having a Single Domain structure with more than 10000 Computer
objects. We have created the different OUs for different Divisions in the
organisation and delegated the permissions to the local IT staff for the
Account management wherein they can create, modify and delete objects within
their divisional OUs.
We are facing the issue with some of the computer accounts which have got
printer or any other device attached to those. The local IT teams are not
able to delete these computer accounts as they are treated as container
objects.
If I give them access to delete container objects then they will be able to
delete the OUs also, which is a security risk.
Is there any way to delegate the control to delete the computer accounts
without delegating permission to delete other container objects like OUs?
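
The resolution reported in this thread (Delete Subtree, applied onto Computer objects only) can also be set and verified from PowerShell. This is an added example, not part of the original posts: the OU distinguished name and group name are placeholders, and it assumes the ActiveDirectory module (RSAT) is installed and that the group's other delegated rights are already in place.

```powershell
# Added example; $ouDn and $group are hypothetical placeholders.
Import-Module ActiveDirectory

$ouDn  = 'OU=DivisionA,DC=example,DC=com'   # placeholder divisional OU
$group = 'EXAMPLE\DivisionA-IT'             # placeholder delegated group

# schemaIDGUID of the "computer" class. Using it as the inherited object type
# limits the ACE to computer objects, so OUs in the same subtree are not covered.
$computerClass = [Guid]'bf967a86-0de6-11d0-a285-00aa003049e2'

$sid = (New-Object System.Security.Principal.NTAccount($group)).Translate(
    [System.Security.Principal.SecurityIdentifier])

# Allow "Delete Subtree", inherited by descendant objects of class computer only.
$ace = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $sid,
    [System.DirectoryServices.ActiveDirectoryRights]::DeleteTree,
    [System.Security.AccessControl.AccessControlType]::Allow,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents,
    $computerClass)

$acl = Get-Acl -Path "AD:\$ouDn"
$acl.AddAccessRule($ace)
Set-Acl -Path "AD:\$ouDn" -AclObject $acl

# Verification: list every Allow ACE on the OU that gives the group a delete-type
# right, and flag any that is not tied to the computer class (either as the
# class the ACE applies onto, or as the child class it allows deleting).
$deleteBits = [System.DirectoryServices.ActiveDirectoryRights]'Delete, DeleteTree, DeleteChild'

(Get-Acl -Path "AD:\$ouDn").Access |
    Where-Object {
        $_.IdentityReference.Value -eq $group -and
        $_.AccessControlType -eq 'Allow' -and
        ($_.ActiveDirectoryRights -band $deleteBits)
    } |
    Select-Object ActiveDirectoryRights, InheritanceType, ObjectType, InheritedObjectType,
        @{ Name = 'ScopedToComputers'
           Expression = { $_.InheritedObjectType -eq $computerClass -or
                          $_.ObjectType -eq $computerClass } }
```

Any row with `ScopedToComputers` set to `False` is a delete right that reaches beyond computer objects and should be reviewed against the OU-deletion risk raised in the original question.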