Modify OU delegation problem [message #340760] Thu, 10 December 2009 22:04
aconti (United States)
Hello, I am trying to remove the permission to delete computer accounts
in a particular OU for a particular domain admin user. This is just a
test setup but even when I selected the Deny next to delete and delete
subtree and also the delete Group Objects the same admin can still
delete everything from the same OU. On the other hand when I remove the
list contents checkbox the same admin cannot see anything listed in the
same OU therefore it works as desired.

Any help, please. Thank you.


--
aconti
Re: Modify OU delegation problem [message #340794 is a reply to message #340760] Thu, 10 December 2009 23:47
florian (Switzerland)
Howdie!

aconti wrote:
> Hello, I am trying to remove the permission to delete computer accounts
> in a particular OU for a particular domain admin user. This is just a
> test setup but even when I selected the Deny next to delete and delete
> subtree and also the delete Group Objects the same admin can still
> delete everything from the same OU. On the other hand when I remove the
> list contents checkbox the same admin cannot see anything listed in the
> same OU therefore it works as desired.

Check whether the admin is a member of other groups that enable him/her to
delete the folders.

Other than that, restricting domain admins is not going to work. Admins
can put themselves back on the ACL and remove things. If you want to
restrict admins efficiently, remove their admin-ness, make them regular
users and grant them the necessary permissions so that they can do their work.

Cheers,
Florian
--
Microsoft MVP - Group Policy
eMail: prename [at] frickelsoft [dot] net.
blog: http://www.frickelsoft.net/blog.
ANY advice you get on the Newsgroups should be tested thoroughly in your
lab.
Re: Modify OU delegation problem [message #340819 is a reply to message #340760] Fri, 11 December 2009 01:31
meiweb (Germany)
Hello aconti,

Preventing an Admin from doing whatever is not possible; an Admin can always
undo the setting. Remove the Admin permissions; that's the only way.

Best regards

Meinolf Weber
Disclaimer: This posting is provided "AS IS" with no warranties, and confers
no rights.
** Please do NOT email, only reply to Newsgroups
** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm


> Hello, I am trying to remove the permission to delete computer
> accounts in a particular OU for a particular domain admin user. This
> is just a test setup but even when I selected the Deny next to delete
> and delete subtree and also the delete Group Objects the same admin
> can still delete everything from the same OU. On the other hand when I
> remove the list contents checkbox the same admin cannot see anything
> listed in the same OU therefore it works as desired.
>
> Any help pls thank you
Re: Modify OU delegation problem [message #340905 is a reply to message #340760] Fri, 11 December 2009 05:56
aceman (United States)
"aconti" <aconti.430l7d@DoNotSpam.com> wrote in message
news:aconti.430l7d@DoNotSpam.com...
>
> Hello, I am trying to remove the permission to delete computer accounts
> in a particular OU for a particular domain admin user. This is just a
> test setup but even when I selected the Deny next to delete and delete
> subtree and also the delete Group Objects the same admin can still
> delete everything from the same OU. On the other hand when I remove the
> list contents checkbox the same admin cannot see anything listed in the
> same OU therefore it works as desired.
>
> Any help pls thank you
>
>
> --
> aconti


If the user is truly part of the Domain Administrators group, no, it can't
be done, as Florian and Meinolf already stated. You would have to remove
them from the group, create another group and delegate that group to the OU
with their required permissions and not more.

--
Ace

This posting is provided "AS-IS" with no warranties or guarantees and
confers no rights.

Please reply back to the newsgroup or forum for collaboration benefit among
responding engineers, and to help others benefit from your resolution.

Ace Fekay, MCT, MCITP EA, MCTS Windows 2008 & Exchange 2007, MCSE & MCSA
2003/2000, MCSA Messaging 2003
Microsoft Certified Trainer

For urgent issues, please contact Microsoft PSS directly. Please check
http://support.microsoft.com for regional support phone numbers.
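
The approach the replies recommend (check remaining privileged memberships, then delegate to a dedicated group instead of adding Deny entries for an admin), sketched as an added example that is not code from any poster in this thread. The OU distinguished name, user name and group name are assumed placeholders; it needs the ActiveDirectory module and an account allowed to edit the OU's ACL.

```powershell
Import-Module ActiveDirectory

# Assumed placeholder values for illustration; none of these names come from the thread.
$ouDn      = 'OU=Workstations,DC=example,DC=test'
$userSam   = 'jdoe'
$groupName = 'Workstations-OU-Operators'
# schemaIDGUID of the "computer" object class
$computerClass = [guid]'bf967a86-0de6-11d0-a285-00aa003049e2'

# 1. Report privileged groups the user still belongs to, directly or through nesting.
foreach ($g in 'Domain Admins', 'Administrators', 'Account Operators') {
    if (Get-ADGroupMember -Identity $g -Recursive | Where-Object SamAccountName -eq $userSam) {
        Write-Warning "$userSam is a member of '$g'; Deny entries on the OU will not contain this account."
    }
}

# 2. Create the delegation group and add the user (after removing the admin memberships above).
$group = New-ADGroup -Name $groupName -GroupScope DomainLocal -GroupCategory Security -PassThru
Add-ADGroupMember -Identity $group -Members $userSam

# 3. Grant the group only "create computer objects" on the OU.
#    No Delete, DeleteTree or DeleteChild right is granted.
$acl = Get-Acl -Path "AD:\$ouDn"
$ace = [System.DirectoryServices.ActiveDirectoryAccessRule]::new(
    $group.SID,
    [System.DirectoryServices.ActiveDirectoryRights]::CreateChild,
    [System.Security.AccessControl.AccessControlType]::Allow,
    $computerClass,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::None)
$acl.AddAccessRule($ace)
Set-Acl -Path "AD:\$ouDn" -AclObject $acl

# 4. Audit: list every Allow ACE on the OU that carries a delete-type right
#    (GenericAll includes these bits), so you can see who else can delete here.
$deleteMask = [int][System.DirectoryServices.ActiveDirectoryRights]'Delete, DeleteTree, DeleteChild'
(Get-Acl -Path "AD:\$ouDn").Access |
    Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        (([int]$_.ActiveDirectoryRights -band $deleteMask) -ne 0)
    } |
    Select-Object IdentityReference, ActiveDirectoryRights, IsInherited, ObjectType
```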