restrict access of one OU for delegated users

  • restrict access of one OU for delegated users

    I am implementing a proxy server in a large domain.
    There is a help desk group with delegated rights for adding and deleting user accounts.

    I created a new OU=Proxy, in which I created the group Facebook. Then I will enable facebook.com access only for the AD group Facebook on the proxy server.

    The question: is it possible to restrict access to an OU for delegated users?

    The goal is: the help desk should not be able to add or remove users in a particular OU/group (in my case OU=Proxy, Group=Facebook).

    Thanks.
    "When you hit a wrong note it's the next note that makes it good or bad". Miles Davis

  • #2
    Re: restrict access of one OU for delegated users

    Just modify the access control list (ACL) for that OU. In any event you mentioned that your help desk has permissions for users. That does not extend into group permissions so just check the ACL to see who has read/write permissions for group objects in that OU.
    JM @ IT Training & Consulting
    http://www.itgeared.com
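
The ACL check suggested in reply #2, as an added example that is not part of the original thread: it lists the Allow ACEs on the OU and on the group that grant write-type rights over group objects or the member attribute. It assumes the ActiveDirectory PowerShell module is installed; the domain DN `DC=example,DC=com` is a placeholder and the function names are hypothetical.

```powershell
# Added example. Needs the ActiveDirectory module (RSAT), which provides the AD: drive.
Import-Module ActiveDirectory
Add-Type -AssemblyName System.DirectoryServices

# Assumption: placeholder domain DN; the thread names only OU=Proxy and group Facebook.
$ouDn    = 'OU=Proxy,DC=example,DC=com'
$groupDn = "CN=Facebook,$ouDn"

# Well-known schema GUIDs that appear in object-specific ACEs.
$guidNames = @{
    '00000000-0000-0000-0000-000000000000' = 'all'
    'bf967a9c-0de6-11d0-a285-00aa003049e2' = 'group (class)'
    'bf9679c0-0de6-11d0-a285-00aa003049e2' = 'member (attribute)'
    'bf967aba-0de6-11d0-a285-00aa003049e2' = 'user (class)'
}
# ACE targets that matter for creating/deleting groups or editing membership.
$relevant = $guidNames.Keys | Where-Object { $guidNames[$_] -ne 'user (class)' }

# Rights that allow creating, deleting or modifying objects and their ACLs.
$writeRights = [int][System.DirectoryServices.ActiveDirectoryRights]'GenericAll, GenericWrite, WriteProperty, WriteDacl, WriteOwner, CreateChild, DeleteChild, DeleteTree, Delete'

# Hypothetical helper: show a friendly name for known GUIDs, the raw GUID otherwise.
function Resolve-Guid([guid]$Guid) {
    $key = $Guid.ToString()
    if ($guidNames.ContainsKey($key)) { $guidNames[$key] } else { $key }
}

# Hypothetical helper: Allow ACEs on one object that carry any write-type right.
function Get-WriteAce {
    param([Parameter(Mandatory)][string]$DistinguishedName)
    (Get-Acl -Path "AD:\$DistinguishedName").Access |
        Where-Object {
            $_.AccessControlType -eq 'Allow' -and
            ([int]$_.ActiveDirectoryRights -band $writeRights) -ne 0 -and
            $relevant -contains $_.ObjectType.ToString()
        } |
        Select-Object @{n='Object';e={$DistinguishedName}}, IdentityReference,
            ActiveDirectoryRights,
            @{n='AppliesTo';e={Resolve-Guid $_.ObjectType}},
            @{n='InheritsTo';e={Resolve-Guid $_.InheritedObjectType}},
            IsInherited
}

# The OU ACL governs creating/deleting groups; the group ACL governs membership.
$ouDn, $groupDn | ForEach-Object { Get-WriteAce -DistinguishedName $_ } |
    Sort-Object Object, IdentityReference | Format-Table -AutoSize -Wrap
```

Rows with `IsInherited` set to True come from a parent container, so they have to be changed at the parent or by adjusting inheritance on the OU. A help desk entry whose `InheritsTo` column shows only `user (class)` does not reach group objects.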



    • #3
      Re: restrict access of one OU for delegated users

      Enable auditing of ADDS changes (requires Server 2008 IIRC) and if help desk staff move someone inappropriately, shoot the b***ers
      Tom Jones
      MCT, MCSE (2000:Security & 2003), MCSA:Security & Messaging, MCDBA, MCDST, MCITP(EA, EMA, SA, EDA, ES, CS), MCTS, MCP, Sec+
      PhD, MSc, FIAP, MIITT
      IT Trainer / Consultant
      Ossian Ltd
      Scotland

      ** Remember to give credit where credit is due and leave reputation points where appropriate **
