Delegating permissions to move user accounts

Matt Nowell

Morning,

We're currently in the midst of implementing Group Policy, and we're looking
to delegate the administration of the policies outside of the traditional
"server" group. In order to do this, we need to delegate the ability to
move computer and user accounts around between OUs.

Microsoft fortunately has a KB article (818091 if you're interested) that
details how to grant permission to move computer accounts to a user or
group. Unfortunately, there's no corresponding article for user accounts.
In an ideal world, the permissions would fall into the constraints below:

ALLOWED:
Move user accounts between appropriately permissioned OUs.

NOT ALLOWED:
Any other user account modifications, including password modification, logon
name modification, group membership changes or the ability to create/delete
user accounts.

Has anybody out there determined independently what combination of advanced
permissions would be required to do this?

Thanks in advance,

Matt Nowell
 
Daniel Vollmer

Hi together!

Interestingly, I'm standing right in front of the same problem as Matt.

And I'm sorry Matjaz, but this is an answer that doesn't leave me very
satisfied, because with this method delegated users gain the right to
delete and create user accounts. Exactly this is unwanted. :-(

Does anybody else have other ideas?

Regards,
Daniel
 
Daniel Vollmer

Hi Matjaz,

sorry, but I think we misunderstand each other. In the knowledge base article
it says that the one who wants to move computer accounts needs the
following permissions: Create/Delete Computer Accounts AND Write All
Permissions.

That means, if the method for moving user accounts is similar, the user
who is delegated to move user accounts needs the same permissions
("Create/Delete User Accounts" and "Write All Permissions"). And exactly
that's the problem: the user gains the right to change all attributes of the
user, but this is absolutely unwanted. :-(

Do you have any other ideas to solve this problem?

Best regards,
Daniel
 
Matjaz Ladava [MVP]

Yes, sorry Daniel, in my reply I was focusing on computer objects and not user
objects. You are right. Write All permission is a serious security flaw, but
you can start by first delegating permission to some attributes like
distinguished name (DN), which is basically the LDAP path of an object, and go
from there.

--
Regards

Matjaz Ladava, MCSE, MCSA, MCT, MVP
Microsoft MVP - Active Directory
(e-mail address removed), (e-mail address removed)
http://ladava.com
 
Daniel Vollmer

Hi Matjaz, Hi Matt,

with Matjaz's hint (thank you very much!) to try fewer rights, I discovered
that the must-have rights are:
"Create/Delete User Accounts" applies to "This object and child objects"
"Write Name" (uppercase "N") applies to "User objects properties"
"Write name" (lowercase "n") applies to "User objects properties"

I don't have any idea, what's the difference between "Name" and "name".

Sadly, it wasn't so easy to search for an attribute like "Write
distinguished name" because there is none. I think that "name" or "Name" is
the equivalent. But what's the other one?

Unfortunately the delegated user has the ability to create and delete user
accounts. If there is still a workaround left, please let me know.

Best Regards,
Daniel
 
Matjaz Ladava [MVP]

As I recall, the Name attribute would be Common Name (cn attribute) and name
would be RDN (Relative Distinguished Name).

--
Regards

Matjaz Ladava, MCSE, MCSA, MCT, MVP
Microsoft MVP - Active Directory
(e-mail address removed), (e-mail address removed)
http://ladava.com
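As an added example (not code posted by anyone in this thread), the following PowerShell applies exactly the three rights Daniel listed, using Matjaz's mapping of "Name" to the cn attribute and "name" to the RDN attribute, so that members of a delegate group can move users between two OUs. The domain example.com, the group OU-Movers and the OUs Sales and Marketing are assumptions for illustration. The schema GUIDs for the user class and the two attributes are read from the schema partition rather than hard-coded. The Create/Delete right is applied to each OU object itself only (not inherited into sub-OUs), which is tighter than Daniel's "This object and child objects" setting, but it still grants the create/delete ability he objects to; no ACE combination in the thread removes that.

```powershell
# Added example, not from the thread. Assumed names: domain example.com,
# delegate group OU-Movers, OUs Sales and Marketing. Run with an account
# that is allowed to modify the ACLs of those OUs.
Import-Module ActiveDirectory

$GroupName = 'OU-Movers'                              # assumed delegate group
$Ous       = @('OU=Sales,DC=example,DC=com',          # assumed source/target OUs
               'OU=Marketing,DC=example,DC=com')

# Resolve the delegate's SID and the schema GUIDs at run time.
$Sid      = (Get-ADGroup $GroupName).SID
$SchemaNC = (Get-ADRootDSE).schemaNamingContext

function Get-SchemaGuid([string]$LdapDisplayName) {
    $obj = Get-ADObject -SearchBase $SchemaNC `
        -LDAPFilter "(lDAPDisplayName=$LdapDisplayName)" -Properties schemaIDGUID
    [guid]$obj.schemaIDGUID
}

$UserClass = Get-SchemaGuid 'user'
$CnAttr    = Get-SchemaGuid 'cn'     # shown as "Write Name" in the GUI
$NameAttr  = Get-SchemaGuid 'name'   # shown as "Write name" (the RDN) in the GUI

foreach ($ou in $Ous) {
    $acl = Get-Acl -Path "AD:\$ou"

    # 1. Create/Delete child objects of class user, on the OU object itself.
    #    Moving = DeleteChild on the source OU + CreateChild on the target OU.
    #    This is the right that also lets the delegate create and delete users.
    $acl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
        $Sid,
        [System.DirectoryServices.ActiveDirectoryRights]'CreateChild, DeleteChild',
        [System.Security.AccessControl.AccessControlType]::Allow,
        $UserClass,
        [System.DirectoryServices.ActiveDirectorySecurityInheritance]::None)))

    # 2. Write Property on cn and name, inherited only by user objects below the OU.
    #    These two attributes are rewritten when the object's RDN/path changes.
    foreach ($attr in @($CnAttr, $NameAttr)) {
        $acl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
            $Sid,
            [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty,
            [System.Security.AccessControl.AccessControlType]::Allow,
            $attr,
            [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents,
            $UserClass)))
    }

    Set-Acl -Path "AD:\$ou" -AclObject $acl
}

# Check: show only the ACEs held by the delegate group on each OU.
# Expect CreateChild, DeleteChild (ObjectType = user class GUID) and two
# WriteProperty entries (ObjectType = cn and name GUIDs, InheritedObjectType = user).
foreach ($ou in $Ous) {
    Write-Host "ACEs for $GroupName on $ou"
    (Get-Acl -Path "AD:\$ou").Access |
        Where-Object { $_.IdentityReference -like "*\$GroupName" } |
        Format-Table ActiveDirectoryRights, ObjectType, InheritanceType, InheritedObjectType -AutoSize
}
```

The final loop is the check a practitioner wants after delegating: if any ACE for the group shows GenericAll, WriteDacl or a WriteProperty with an empty ObjectType, a broader right than the three listed above has been granted and should be removed. The delegate should then be able to move a user between Sales and Marketing (for example with Move-ADObject) but not reset passwords or change group membership, because no ACE covers those attributes or control rights.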
 
