Brandon McCombs
Hello,
A while back on here I was told that to allow a subset of users access
to Active Directory contact objects to modify their properties and to
create new ones within a specific section of the DIT that I could create
a custom taskpad view. I've done that and went through the task wizard
to specify which actions I want this subset of users to have. The
problem is that I've removed the Action and View menu items from the MSC
configuration but if a user would right click on an OU in the section of
the tree I gave them access to they have the ability to do a Find (and
start looking at actual user account properties) and under View they can
access Advanced Features and voila: they broke out of the DIT section I
wanted to confine them to and they can see everything.
Luckily after checking the box for "do not allow changes to be saved" in
the Options of the MSC I was able to prevent the MSC from continuing to
open up the whole DIT (instead of my 'chroot' area) when someone would
choose Advanced Features so now if I reopen it I'm back to the section
of the DIT I want the users confined to but they can still view things
in other parts of the DIT as long as they don't close the MSC...of
course if they do they can just select Adv. Features again and begin
browsing. I've already gone through the Delegated Control wizard and
only allowed a specific group to create Contacts and modify specific
properties of the Contacts in the specific OU but I don't want users
seeing the structure of the DIT and I have a feeling the other admins
won't want the users to have that ability either.
Two questions arise out of this: what is the point of being able to
remove Action/View menu items if a user can right click on an OU and get
the same functionality and the second question is how the hell do I
prevent someone from accessing the Advanced Features when they right
click and select the View option in the pop up menu? Considering I
didn't choose Find in the task wizard list that option shouldn't even
appear when a user right clicks on an object but it does anyway. I
definitely need to prevent these 2 actions from occurring. Is there a
way?
Thank you
Brandon