Delegation of rights

[Guest]

In my organization my particular site has been delegated it's own OU in which I'm in control of. There are going to be other child OU's created that will need rights delegated to groups so they might administer those containers.An example is there is an off site that will receive it's own OU. A site admin will be given control of this OU so he could add users and computers to that OU but he should not be able to lock out the admin of the parent OU. Does Microsoft or anyone else for that matter have a white paper on the delegation of rights and if so the url to get to this info. All help will be greatly appreciated. Thanks in advance.

 

[Chriss3]

By Design. Delegate only the required rights, in this case may not full
control of the OU, May only to child objects within the OU and so on.

May the Step-by-Step Guide to Using the Delegation of Control Wizard can be
to any help:
http://www.microsoft.com/windows2000/techinfo/planning/activedirectory/delegsteps.asp

An example to customize delegation of control of the manager attribute:
http://www.chrisse.se/MAQB.asp?ID=27

--
Regards
Christoffer Andersson

No email replies please - reply in the newsgroup
------------------------------------------------
http://www.chrisse.se - Active Directory Tips

In my organization my particular site has been delegated it's own OU in

which I'm in control of. There are going to be other child OU's created that
will need rights delegated to groups so they might administer those
containers.An example is there is an off site that will receive it's own OU.
A site admin will be given control of this OU so he could add users and
computers to that OU but he should not be able to lock out the admin of the
parent OU. Does Microsoft or anyone else for that matter have a white paper
on the delegation of rights and if so the url to get to this info. All help
will be greatly appreciated. Thanks in advance.

 

[Guest]

I went to the step-by-step guide url and it is exactly the type of help I was looking for. I have one question in repect to this article. Why could'nt the group AUADmins be inside the Divisions OU as opposed to being in the child OU Autonomous Unit? It would seem that it would be a better placement of the group in the OU the group is going to administer. Is there a common rule for the placement of a group that going to administer an OU?

 

[Chriss3]

By Design. If you delegate the control to a group and place the group in
side the OU you have delegated the control to, and may delegated rights to
child objects, then they can change the membership and add there friends and
so on

--
Regards
Christoffer Andersson

No email replies please - reply in the newsgroup
------------------------------------------------
http://www.chrisse.se - Active Directory Tips

I went to the step-by-step guide url and it is exactly the type of help I

was looking for. I have one question in repect to this article. Why could'nt
the group AUADmins be inside the Divisions OU as opposed to being in the
child OU Autonomous Unit? It would seem that it would be a better placement
of the group in the OU the group is going to administer. Is there a common
rule for the placement of a group that going to administer an OU?

 

[Guest]

Chriss3 I appreciate the time that you have spent with me on this subject. But there is still one point that I keep missing. In the example given in the step-by-step guide the AUAdmins group is given full control to the Divisions OU. This also gives AUAdmins full control to any child OU's created under the Divisions OU. If the Autonomous Unit OU is a child OU of the Division OU then the members of the AUAdmins group could change the membership of the Divisions OU and of it's own members and any members in any child OU. Is the Autonomous Unit OU a child of the Divisions OU or is it an OU on the same level as the Divisions OU? If it's on the same level as the Divisons OU the strategy you mentioned would make more sense to me.