Security Forums


Delegation - Computer Objects - Help

jcochran
Posted: Thu Sep 02, 2010 1:20 am    Post subject: Delegation - Computer Objects - Help

I have delegated the permission:

Allow Create Computer Objects - This object and all child objects
Deny Delete Computer Objects - This object and all child objects

To a group to a specific OU.

All is working as expected except the user can delete computer accounts that he creates only and no others.

I only want him to be able to create accounts, not delete any.
CoreDefend
Posted: Thu Sep 02, 2010 3:23 pm

When you check the security of the object of an account he creates, he should be the owner. The owner has the ability to delete that object. Modify the parent permissions so there is an explicit deny on his account to prevent deletion.
jcochran
Posted: Thu Sep 02, 2010 7:21 pm

That's exactly what I did and it's not working. I gave the group he is in explicit permissions to create computer objects, but the "deny" to delete. I must be missing something...
CoreDefend
Posted: Thu Sep 02, 2010 7:33 pm

Which rights are assigned to "CREATOR OWNER"?
jcochran
Posted: Thu Sep 02, 2010 7:39 pm

Ahhhh, I do not see creator/owner in the permissions. I'm assuming that I need to add creator/owner to the OU and then grant "deny" permissions for delete computer object?

Currently, when I look at effective permissions, his account still has a "delete" permission and that must be where it's coming from.
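The replies above point to object ownership and CREATOR OWNER as places a delete right can come from. As an added example (not part of the thread), this PowerShell script lists the ACEs that matter for that question so the source of the "delete" seen in effective permissions can be located. It assumes the ActiveDirectory module (RSAT) is installed; the OU distinguished name is a placeholder.

```powershell
# Added example: audit an OU and its computer objects for the rights discussed above.
Import-Module ActiveDirectory   # also provides the AD: drive used by Get-Acl

$OuDn = 'OU=Workstations,DC=example,DC=com'   # placeholder DN, replace with your OU

# schemaIDGUID of the computer class; an all-zero ObjectType means "any child class".
$ComputerClass = [guid]'bf967a86-0de6-11d0-a285-00aa003049e2'
$AnyClass      = [guid]::Empty
$ChildRights   = [System.DirectoryServices.ActiveDirectoryRights]'CreateChild, DeleteChild'
$DeleteRights  = [System.DirectoryServices.ActiveDirectoryRights]'Delete, DeleteTree'

$ouAcl = Get-Acl -Path "AD:\$OuDn"

# 1. ACEs on the OU that allow or deny creating/deleting child computer objects.
'--- Create/Delete child ACEs on the OU ---'
$ouAcl.Access |
    Where-Object {
        [int]($_.ActiveDirectoryRights -band $ChildRights) -ne 0 -and
        @($ComputerClass, $AnyClass) -contains $_.ObjectType
    } |
    Select-Object IdentityReference, AccessControlType, ActiveDirectoryRights,
                  InheritanceType, IsInherited |
    Format-Table -AutoSize

# 2. Any CREATOR OWNER ACEs set on the OU itself (name as shown on English systems).
'--- CREATOR OWNER ACEs on the OU ---'
$ouAcl.Access |
    Where-Object { $_.IdentityReference.Value -eq 'CREATOR OWNER' } |
    Select-Object AccessControlType, ActiveDirectoryRights, InheritanceType, IsInherited |
    Format-Table -AutoSize

# 3. For every computer object in the OU: who owns it, and which ACEs on the
#    object itself carry Delete or DeleteTree (GenericAll/Full Control matches too).
'--- Owner and delete-capable ACEs per computer object ---'
Get-ADComputer -SearchBase $OuDn -Filter * | ForEach-Object {
    $name = $_.Name
    $acl  = Get-Acl -Path "AD:\$($_.DistinguishedName)"
    $acl.Access |
        Where-Object { [int]($_.ActiveDirectoryRights -band $DeleteRights) -ne 0 } |
        Select-Object @{ n = 'Computer'; e = { $name } },
                      @{ n = 'Owner';    e = { $acl.Owner } },
                      IdentityReference, AccessControlType, IsInherited
} | Format-Table -AutoSize
```

Rows in section 3 where IsInherited is False come from ACEs set on the computer object itself rather than from the OU delegation.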
All times are GMT + 2 Hours