AD Delegation [message #161074] Tue, 15 September 2009 00:56
Sukhwinder Singh
Dear All,

We are having a Single Domain structure with more than 10000 Computer
objects. We have created the Different OU's for different Divisions in the
organisation and delegated the permissions to the local IT staff for the
Account management wherein they can create, modify and delete objects within
their divisional OU's.

We are facing the issue with some of the computer accounts which have got
printer or any other device attached to those. The local IT teams are not
able to delete these computer accounts as they are treated as container
objects.

If I give them access to delete container objects then they will be able to
delete the OU's also which is a security risk.

Is there any way to delegate the control to delete the computer accounts
without delegating permission to delete other container objects like OUs?
RE: AD Delegation [message #161079 is a reply to message #161074] Tue, 15 September 2009 05:15
AlexvanGemstMCSEMCITP
Dear,

Go to the properties for the OU
Choose Advanced
Choose the group you want to delegate the permissions to
Click Edit...
Choose Apply onto: 'Computer Objects'
Select 'Allow Delete Printer Objects'
or 'Delete all Child Objects' if necessary

I think this should enable the local IT staff to delete those computer
accounts.

Hope this helps you,

Alex van Gemst - MCSE / MCITP EA
Re: AD Delegation [message #161084 is a reply to message #161074] Tue, 15 September 2009 06:21
pbbergs
Jorge has a really good blog on this.

http://blogs.dirteam.com/blogs/jorge/archive/2006/01/05/369.aspx

--
Paul Bergson
MVP - Directory Services
MCTS, MCT, MCSE, MCSA, Security+, BS CSci
2008, 2003, 2000 (Early Achiever), NT4
Microsoft's Thrive IT Pro of the Month - June 2009

http://www.pbbergs.com

Please no e-mails, any questions should be posted in the NewsGroup. This
posting is provided "AS IS" with no warranties, and confers no rights.

RE: AD Delegation [message #161239 is a reply to message #161079] Mon, 21 September 2009 01:35
Sukhwinder Singh
Dear Alex,

The issue is resolved by providing the access "Delete Subtree" because it is
the access required to delete all the objects under that container. The
access has been given on Computer object only.

Thank you all for your support

Sukhwinder
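
The resolution reported above (allow "Delete Subtree", applied to computer objects only), sketched in PowerShell as an added example that is not part of any post in this thread. The OU distinguished name and group name are placeholders, and it assumes the ActiveDirectory module (RSAT) and an account allowed to change the OU's permissions; the final pipeline lists the group's delete-type ACEs so the scope can be checked.

```powershell
# Added example: the OU DN and group name below are placeholders,
# not values taken from the thread.
Import-Module ActiveDirectory

$ouDn      = 'OU=DivisionA,DC=example,DC=com'   # placeholder divisional OU
$groupName = 'DivisionA-IT'                     # placeholder delegated group

# schemaIDGUID of the "computer" object class.
$computerClass = [Guid]'bf967a86-0de6-11d0-a285-00aa003049e2'

$sid = (Get-ADGroup -Identity $groupName).SID

# Allow "Delete Subtree" only. The ACE is inherited by descendant objects
# and is effective on computer objects only, so it never applies to an OU.
# The group's existing delete rights (already delegated, per the thread)
# are left as they are.
$rule = [System.DirectoryServices.ActiveDirectoryAccessRule]::new(
    $sid,
    [System.DirectoryServices.ActiveDirectoryRights]::DeleteTree,
    [System.Security.AccessControl.AccessControlType]::Allow,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents,
    $computerClass)

$acl = Get-Acl -Path "AD:\$ouDn"
$acl.AddAccessRule($rule)
Set-Acl -Path "AD:\$ouDn" -AclObject $acl

# Verification: show every ACE on the OU that gives this group a delete right.
# An InheritedObjectType of all zeros means the ACE applies to every object
# class, OUs included, which is the over-broad grant the question wanted to avoid.
$deleteRights = [System.DirectoryServices.ActiveDirectoryRights]'Delete, DeleteTree, DeleteChild'

(Get-Acl -Path "AD:\$ouDn").GetAccessRules(
        $true, $true, [System.Security.Principal.SecurityIdentifier]) |
    Where-Object {
        $_.IdentityReference.Value -eq $sid.Value -and
        ($_.ActiveDirectoryRights -band $deleteRights)
    } |
    Select-Object ActiveDirectoryRights, AccessControlType, InheritanceType,
                  ObjectType, InheritedObjectType, IsInherited |
    Format-Table -AutoSize
```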
