Re: Which group has the ability to create contacts in AD?

From: dln (dnadon_nospm_at_hotmail.com)
Date: 04/22/04


Date: Thu, 22 Apr 2004 09:21:47 -0500

Great! This is just what I was looking for. Thanks for the tip.

"Marin Marinov" <mlmarinov@askme.ca> wrote in message
news:MPG.1af19e60f1692ab49896fb@msnews.microsoft.com...
> In article <ejN6x6GKEHA.3428@TK2MSFTNGP09.phx.gbl>,
> dnadon_nospm@hotmail.com says...
> > Hopefully someone can point me in the right direction with this. I want to
> > enable one of our users to be able to create new mail-enabled contacts in
> > Active Directory. I've added the user's account to the Account Operators
> > group and although they can create new users and groups, they can not create
> > new mail-enabled contacts (in fact, the option to create a contact isn't
> > even available to the user). Right now, the only way I can create a new
> > contact is through a user account that is a member of the Domain Admins
> > group, but I do not want to give the user account full administrator
> > access to the domain. Does anybody know which group(s), other than any of
> > the administrator groups, have the ability to create new contacts in
> > Active Directory?
> >
> > Thanks.
> In cases when a built-in or predefined group doesn't have the ability to
> perform some action in AD, like in this case, you can delegate control
> for that specific action. Objects in AD are protected by DACLs like
> files and folders in NTFS, only you have many more permissions to
> configure ;)
>
> You should use the Delegation of control wizard to delegate the task of
> creating Contact objects to this user. A best practice is to create a
> global group, put the user in this group, and delegate permissions to
> this group. So, right-click the OU where you want the user to create
> contacts and select "Delegate control". You have to select "Create a
> custom task to delegate" and on the next page select the object type
> Contact, select the "Create..." checkbox. On the next page specify the
> permissions the user requires or Full control if he/she will be fully
> responsible for Contact objects.
>
> HTH
> --
> Cheers,
> Marin Marinov
> MCT,MCSE 2003,MCSE:Security 2003
> -
> This posting is provided "AS IS" with no warranties, and confers no
> rights.
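
The delegation described in the reply above, written as a script: an added example that is not part of the original thread. It assumes the ActiveDirectory PowerShell module is available; the OU distinguished name and the group name are placeholders.

```powershell
# Added example. $ouDn and $groupName are placeholders (assumptions), not values from the thread.
Import-Module ActiveDirectory

$ouDn      = 'OU=Contacts,DC=example,DC=com'   # OU where contacts may be created (assumed)
$groupName = 'Contact-Creators'                # global group holding the delegated user (assumed)

# Read the Contact class GUID from the schema instead of hard-coding it.
$schemaNc    = (Get-ADRootDSE).schemaNamingContext
$contactCls  = Get-ADObject -SearchBase $schemaNc -LDAPFilter '(lDAPDisplayName=contact)' `
                            -Properties schemaIDGUID
$contactGuid = [Guid]$contactCls.schemaIDGUID

$groupSid = (Get-ADGroup -Identity $groupName).SID
$acl      = Get-Acl -Path "AD:\$ouDn"

# ACE 1: allow creating Contact objects in this OU and its sub-OUs
# (the "Create..." checkbox for object type Contact in the wizard).
$createRule = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $groupSid,
    [System.DirectoryServices.ActiveDirectoryRights]::CreateChild,
    [System.Security.AccessControl.AccessControlType]::Allow,
    $contactGuid,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All)

# ACE 2: Full control, but only on descendant Contact objects,
# so the group gains nothing over users, groups or the OU itself.
$manageRule = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $groupSid,
    [System.DirectoryServices.ActiveDirectoryRights]::GenericAll,
    [System.Security.AccessControl.AccessControlType]::Allow,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents,
    $contactGuid)

$acl.AddAccessRule($createRule)
$acl.AddAccessRule($manageRule)
Set-Acl -Path "AD:\$ouDn" -AclObject $acl

# Review step: list every ACE on the OU that is scoped to the Contact class,
# to confirm who holds the delegation and whether it is inherited.
(Get-Acl -Path "AD:\$ouDn").Access |
    Where-Object { $_.ObjectType -eq $contactGuid -or $_.InheritedObjectType -eq $contactGuid } |
    Select-Object IdentityReference, ActiveDirectoryRights, InheritanceType, IsInherited
```

Re-running the final pipeline later is a quick way to check that the delegation is still limited to the intended group.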


