Delegation of control above the OU grants additional rights which provide Full Control for the user

Vlad

Hello All,

Please help me to accomplish the solution for the Scenario:

Windows 2003 domain: mydomain.com
NewAdmin is a member of CN=Users,CN=mydomain,CN=com. NewAdmin is not a
member of any Administrator groups.
BadUser is a member of CN=Users,CN=mydomain,CN=com. BadUser is not a
member of any Administrator groups.
There is an OU: OU=MyOU,CN=mydomain,CN=com

WE WANT:
- to delegate the ability to create, rename and delete Organizational
Units to NewAdmin. These OUs should be sub-OUs of the
OU=MyOU,CN=mydomain,CN=com.
- to delegate the ability to create, rename and delete Computers in
the created OUs.

WE DO NOT WANT:
- NewAdmin to be able to delegate any permissions to the sub-OUs which
were created by the NewAdmin in the OU=MyOU,CN=mydomain,CN=com.

UNWANTED RESULTS OF THE SCENARIO:
NewAdmin creates OU: OU=NewOU,OU=MyOU,CN=mydomain,CN=com
NewAdmin delegates Full Control to BadUser over
OU=NewOU,OU=MyOU,CN=mydomain,CN=com.

TRIED, BUT DID NOT HELP:
- Tried to delegate the control with the help of the Delegation of
Control Wizard.
- Tried to edit the Special Permissions on the
OU=MyOU,CN=mydomain,CN=com with and without "Allow inheritable
permissions from the parent to propagate to this object and all child
objects" checked.
- Tried to edit the Special Permissions on the
OU=MyOU,CN=mydomain,CN=com as follows:
  first set Full Control to Deny, then allowed only
    List Contents
    Read All Properties
    Read Permissions
    Create Computer Object
    Delete Computer Object
    Create Organizational Unit Object
    Delete Organizational Unit Object
  for "Apply onto:
    This object and all child objects
    Organizational Unit objects"

POSSIBLE REASON FOR FAILURE:
Wrong settings in the
- Permissions
- Apply onto
- Object Name
- Inheritance

Thank you for your help.
Vlad
 
Steven L Umbach

You can't do what you want. When you allow a user to create an OU, that user is the
owner of that OU and hence can change permissions on the OU. Delegation of authority
is nothing more than assigning permissions. You may want to allow only domain admins
to create OUs, or make sure that the person you want to create OUs is someone who is
competent and whom you can trust. --- Steve
 
Joe Richards [MVP]

Just in case the OP needs more than one person saying this, I completely concur
with Steven. You can't do it. The built-in creator/owner functionality won't
allow it.

In this case you would be best off setting up a web site to proxy the work. The
NewAdmin goes to this web site and requests the change. The web site does it
with its own user ID on behalf of the NewAdmin; that way the ID the web site runs
under owns the new OUs, or, better yet, it reassigns the ownership to admins.

joe
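The three pieces of this thread in working form, as an added example that is not code from the original posts: the delegation Vlad asked for expressed as ACEs on MyOU, a check that shows why Steven's objection holds (the creator of a sub-OU owns it), and the proxy workaround Joe describes (a trusted identity creates the OU and immediately hands ownership to an admin group). It assumes the RSAT ActiveDirectory PowerShell module and its AD: drive, PowerShell 5 or later, a domain whose real DN is DC=mydomain,DC=com (the post writes CN=...), and that it runs as a member of Domain Admins. The names NewAdmin, MyOU and NewOU come from the post; the function names and the MYDOMAIN NetBIOS name are hypothetical.

```powershell
# Added example, not from the thread. Assumes the RSAT ActiveDirectory module,
# a domain whose DN is DC=mydomain,DC=com (the post writes CN=...; DC= is the
# real form), PowerShell 5+, and that it runs as a member of Domain Admins.
# NewAdmin, MyOU and NewOU come from the post; everything else is hypothetical.
Import-Module ActiveDirectory

$parentOu = 'OU=MyOU,DC=mydomain,DC=com'
$delegate = [System.Security.Principal.NTAccount]'MYDOMAIN\NewAdmin'

# schemaIDGUID values of the object classes being delegated (fixed in the base AD schema)
$ouClass       = [Guid]'bf967aa5-0de6-11d0-a285-00aa003049e2'   # organizationalUnit
$computerClass = [Guid]'bf967a86-0de6-11d0-a285-00aa003049e2'   # computer

# --- Part 1: the delegation the post asks for, as plain ACEs on MyOU ---
$createDelete = [System.DirectoryServices.ActiveDirectoryRights]'CreateChild, DeleteChild'
$allow        = [System.Security.AccessControl.AccessControlType]::Allow
$thisAndBelow = [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All

$acl = Get-Acl -Path "AD:\$parentOu"
# create/delete organizationalUnit objects in MyOU and in every OU beneath it
$acl.AddAccessRule([System.DirectoryServices.ActiveDirectoryAccessRule]::new(
    $delegate, $createDelete, $allow, $ouClass, $thisAndBelow))
# create/delete computer objects in the same scope
$acl.AddAccessRule([System.DirectoryServices.ActiveDirectoryAccessRule]::new(
    $delegate, $createDelete, $allow, $computerClass, $thisAndBelow))
Set-Acl -Path "AD:\$parentOu" -AclObject $acl
# The post also wants rename. Renaming needs WriteProperty on the RDN attribute
# and is left out here; it does not change the ownership problem below.

# --- Part 2: the check behind Steven's answer ---
# Whoever creates an object becomes its owner, and an owner can always rewrite
# the DACL. After NewAdmin creates NewOU, its owner is NewAdmin, not an admin
# group, so no ACE on MyOU can stop NewAdmin granting BadUser Full Control.
function Get-OuOwner {
    param([string]$OuDn)
    (Get-Acl -Path "AD:\$OuDn").Owner
}

# --- Part 3: Joe's workaround ---
# A trusted proxy identity creates the OU on NewAdmin's behalf and then hands
# ownership to Domain Admins, so the delegate never owns the object.
function New-DelegatedSubOu {
    param(
        [string]$Name,
        [string]$ParentDn,
        [string]$OwnerGroup = 'MYDOMAIN\Domain Admins'
    )
    # accidental-deletion protection would add a Deny Delete ACE that blocks
    # the delegated delete right, so it is switched off for these sub-OUs
    New-ADOrganizationalUnit -Name $Name -Path $ParentDn -ProtectedFromAccidentalDeletion $false
    $dn  = "OU=$Name,$ParentDn"
    $acl = Get-Acl -Path "AD:\$dn"
    $acl.SetOwner([System.Security.Principal.NTAccount]$OwnerGroup)
    Set-Acl -Path "AD:\$dn" -AclObject $acl
    return $dn
}

$newOu = New-DelegatedSubOu -Name 'NewOU' -ParentDn $parentOu
Get-OuOwner -OuDn $newOu
```

Run Get-OuOwner against an OU that NewAdmin created directly and it reports NewAdmin, which is the whole problem; run it against one created through New-DelegatedSubOu and it reports the group passed as OwnerGroup. Because the proxy holds ownership from the moment the object exists, NewAdmin only ever has the inherited create/delete rights from MyOU and cannot add a Full Control ACE for BadUser.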
 
