Re: How to restrict rights to only allow users to add or remove or modify user account and group settings

From: Roger Abell (mvpNOSpam_at_asu.edu)
Date: 12/08/04

    Date: Wed, 8 Dec 2004 00:00:14 -0700
    
    

    The GPMC (group policy management console) gives a somewhat
    better view of delegations. However, once the delegation wizard
    is closed, all that remains of your delegation actions is just so many
    ACEs in the ACLs of the affected objects.
    There is no interface that back-translates this to what actions you
    have in the past taken with the delegation wizard.
    For this reason I would highly recommend that you define custom
    groups for the delegations, named for what they are used to delegate,
    and delegate to these groups in which are the accounts that receive
    the delegated capabilities. With a decent naming convention you
    can then look at the existing groups and know what has been
    delegated, and by memberships know to whom and adjust easily to
    whom.
    You could perhaps try reading in the resource kit, but the custom
    permissions settings actually let you touch the ACL on just about
    any AD object/attribute. As such, when you asked about good
    explanations of what you see under the custom permissions area
    you actually are pretty much asking for an outline of the schema of
    the AD objects and their attributes.

    -- 
    Roger Abell
    Microsoft MVP (Windows  Security)
    MCSE (W2k3,W2k,Nt4)  MCDBA
    <erectmember@gmail.com> wrote in message
    news:1102347515.986290.21080@c13g2000cwb.googlegroups.com...
    > Thanks
    >
    > I see now that the options that you get on the OU level differ from the
    > ones at the domain level and the standard ones fit well for this
    > purpose.
    > How do you view what delegation has been set on a particular OU then?
    > Can't seem to find that.
    >
    > Have been on holiday for a while hence the lateness of this reply.
    >
    > Also does anyone know where I can get explanations of what each custom
    > permission setting (under delegation) actually allow people to do?
    > There is no explanation that I can find and one in English might be
    > slightly better than trying to work out from the attributes themselves
    > which appear to be written in Greek...:)
    > And no, it's not my regional settings :))
    >
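
Added example, not part of the original thread: because a delegation survives only as ACEs on the affected objects, one way to review what has been delegated on an OU is to list its explicit (non-inherited) ACEs and translate each ACE's object-type GUID back to a schema or extended-right name. This assumes the RSAT ActiveDirectory PowerShell module (which postdates this thread); the function name `Get-OuDelegation` and the OU distinguished name are hypothetical placeholders.

```powershell
# Added example. Assumes the RSAT ActiveDirectory module is installed.
# Read-only: it lists ACEs and changes nothing.
Import-Module ActiveDirectory

function Get-OuDelegation {
    param(
        [Parameter(Mandatory)] [string] $DistinguishedName
    )

    # Build a GUID -> name lookup from the schema (classes and attributes)
    # and from the Extended-Rights container (control access rights).
    $rootDse = Get-ADRootDSE
    $names = @{}
    $names[[guid]::Empty] = 'All'   # an empty GUID means "not object-specific"

    Get-ADObject -SearchBase $rootDse.schemaNamingContext `
                 -LDAPFilter '(schemaIDGUID=*)' `
                 -Properties lDAPDisplayName, schemaIDGUID |
        ForEach-Object { $names[[guid]$_.schemaIDGUID] = $_.lDAPDisplayName }

    Get-ADObject -SearchBase "CN=Extended-Rights,$($rootDse.configurationNamingContext)" `
                 -LDAPFilter '(objectClass=controlAccessRight)' `
                 -Properties name, rightsGuid |
        ForEach-Object { $names[[guid]$_.rightsGuid] = $_.name }

    # ACEs set directly on this OU (not inherited from a parent) are what a
    # delegation performed on this OU would have written.
    (Get-Acl -Path "AD:\$DistinguishedName").Access |
        Where-Object { -not $_.IsInherited } |
        ForEach-Object {
            [pscustomobject]@{
                Trustee   = $_.IdentityReference
                Type      = $_.AccessControlType
                Rights    = $_.ActiveDirectoryRights
                AppliesTo = $names[$_.ObjectType]           # attribute, class or extended right
                OnObjects = $names[$_.InheritedObjectType]  # class of child objects affected
                Scope     = $_.InheritanceType
            }
        }
}

# Placeholder DN: substitute the OU under review.
Get-OuDelegation -DistinguishedName 'OU=Example,DC=example,DC=com' |
    Sort-Object Trustee | Format-Table -AutoSize
```

When delegations are made to purpose-named groups, as recommended above, the Trustee column reads directly as a list of what has been delegated.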
    
