restrict access of one OU for delegated users


  • restrict access of one OU for delegated users

    I am implementing a proxy server in a large domain.
    There is a help desk group with delegated rights for adding and deleting user accounts.

    I created a new OU=Proxy, in which I created the group Facebook. Then I will enable access only to the AD group Facebook in the proxy server.

    The question: is it possible to restrict access to the OU for delegated users?

    The goal is: help desk should not be able to add or remove users in a particular OU/group (in my case OU=Proxy, Group=Facebook).

    "When you hit a wrong note it's the next note that makes it good or bad". Miles Davis

  • #2
    Re: restrict access of one OU for delegated users

    Just modify the access control list (ACL) for that OU. In any event you mentioned that your help desk has permissions for users. That does not extend into group permissions so just check the ACL to see who has read/write permissions for group objects in that OU.
    JM @ IT Training & Consulting
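
One way to carry out the ACL check suggested in reply #2, as an added example that is not part of the original thread. It assumes the RSAT ActiveDirectory PowerShell module, uses `DC=example,DC=com` as a placeholder domain, and takes the Facebook group to sit directly in OU=Proxy as the question describes.

```powershell
# Added example: list every Allow ACE that lets a trustee create/delete group
# objects or change group membership on OU=Proxy and on the Facebook group.
Import-Module ActiveDirectory
Add-Type -AssemblyName System.DirectoryServices

$ouDn    = 'OU=Proxy,DC=example,DC=com'   # placeholder domain DN (assumption)
$groupDn = "CN=Facebook,$ouDn"

# Resolve schema GUIDs from the directory rather than hard-coding them.
$schemaNc = (Get-ADRootDSE).schemaNamingContext
function Get-SchemaGuid([string]$LdapName) {
    $o = Get-ADObject -SearchBase $schemaNc `
            -LDAPFilter "(lDAPDisplayName=$LdapName)" -Properties schemaIDGUID
    [guid]$o.schemaIDGUID
}
$groupClass = Get-SchemaGuid 'group'
$memberAttr = Get-SchemaGuid 'member'

# ObjectType: what the right applies to (empty GUID = everything).
# InheritedObjectType: which object class inherits the ACE (empty = all classes).
$objTypes = @([guid]::Empty, $groupClass, $memberAttr)
$inhTypes = @([guid]::Empty, $groupClass)

# Rights that allow modifying objects, membership, or the ACL itself.
$writeMask = [int][System.DirectoryServices.ActiveDirectoryRights](
    'GenericAll, GenericWrite, WriteProperty, CreateChild, DeleteChild, ' +
    'Delete, DeleteTree, WriteDacl, WriteOwner')

foreach ($dn in $ouDn, $groupDn) {
    (Get-Acl -Path "AD:\$dn").Access |
        Where-Object {
            $_.AccessControlType -eq 'Allow' -and
            (([int]$_.ActiveDirectoryRights -band $writeMask) -ne 0) -and
            ($objTypes -contains $_.ObjectType) -and
            ($inhTypes -contains $_.InheritedObjectType)
        } |
        Select-Object @{n='Object'; e={$dn}}, IdentityReference,
                      ActiveDirectoryRights, IsInherited,
                      ObjectType, InheritedObjectType
}
```

If the help desk group appears in the output, the entry's `IsInherited` value shows whether the right was granted on this OU directly or flows down from a parent container.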


    • #3
      Re: restrict access of one OU for delegated users

      Enable auditing of ADDS changes (requires Server 2008 IIRC) and if help desk staff move someone inappropriately, shoot the b***ers
      Tom Jones
      MCT, MCSE (2000:Security & 2003), MCSA:Security & Messaging, MCDBA, MCDST, MCITP(EA, EMA, SA, EDA, ES, CS), MCTS, MCP, Sec+
      PhD, MSc, FIAP, MIITT
      IT Trainer / Consultant
      Ossian Ltd
