Security Forums


Delegation - Computer Objects - Help

jcochran
Posted: Thu Sep 02, 2010 1:20 am

I have delegated the permission:

Allow Create Computer Objects - This object and all child objects
Deny Delete Computer Objects - This object and all child objects

To a group to a specific OU.

All is working as expected except the user can delete computer accounts that he creates only and no others.

I only want him to be able to create accounts, not delete any.
CoreDefend
Posted: Thu Sep 02, 2010 3:23 pm

When you check the security of the object of an account he creates, he should be the owner. The owner has the ability to delete that object. Modify the parent permissions so there is an explicit deny on his account to prevent deletion.
jcochran
Posted: Thu Sep 02, 2010 7:21 pm

That's exactly what I did and it's not working. I gave the group he is in explicit permissions to create computer objects, but the "deny" to delete. I must be missing something...
CoreDefend
Posted: Thu Sep 02, 2010 7:33 pm

Which rights are assigned to "CREATOR OWNER"?
jcochran
Posted: Thu Sep 02, 2010 7:39 pm

Ahhhh, I do not see creator/owner in the permissions. I'm assuming that I need to add creator/owner to the OU and then grant "deny" permissions for delete computer object?

Currently, when I look at effective permissions, his account still has a "delete" permission and that must be where it's coming from.
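
An added example, not part of the thread: a read-only PowerShell audit for the situation discussed above. It lists which computer objects in the delegated OU are owned by the delegated user, and every Allow ACE on those objects that carries Delete, Delete Tree, Write DACL or Write Owner, so the trustee behind an unexpected effective "delete" can be identified. It assumes the RSAT ActiveDirectory module is installed; the OU distinguished name and the account name are placeholders.

```powershell
# Added example (not from the thread). Read-only: it only queries the directory.
Import-Module ActiveDirectory

# Placeholders (assumptions): the delegated OU and the delegated user's account.
$OuDn     = 'OU=Workstations,DC=example,DC=com'
$Delegate = 'EXAMPLE\jdoe'

# Rights that let a trustee remove the object or rewrite its ACL or owner.
# GenericAll contains all of these bits, so full-control ACEs match as well.
$Mask = [System.DirectoryServices.ActiveDirectoryRights]'Delete, DeleteTree, WriteDacl, WriteOwner'

$computers = Get-ADComputer -SearchBase $OuDn -Filter * -Properties nTSecurityDescriptor

# 1) Computer objects whose owner is the delegated account.
$computers |
    Where-Object { $_.nTSecurityDescriptor.Owner -eq $Delegate } |
    Select-Object Name, @{ n = 'Owner'; e = { $_.nTSecurityDescriptor.Owner } } |
    Format-Table -AutoSize

# 2) Allow ACEs on each computer object that include a right from $Mask.
#    Inherited = False means the ACE is set on the computer object itself,
#    not passed down from the OU.
$computers | ForEach-Object {
    $name = $_.Name
    $_.nTSecurityDescriptor.Access |
        Where-Object {
            $_.AccessControlType -eq 'Allow' -and
            ([int]$_.ActiveDirectoryRights -band [int]$Mask)
        } |
        ForEach-Object {
            [pscustomobject]@{
                Computer  = $name
                Trustee   = $_.IdentityReference.Value
                Rights    = $_.ActiveDirectoryRights
                Inherited = $_.IsInherited
            }
        }
} | Sort-Object Computer, Trustee | Format-Table -AutoSize
```

Running it before and after changing the OU's permissions shows whether the change actually reached the objects the user created.
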
All times are GMT + 2 Hours